Cloud service providers (CSP) will face different factors, but could average $2.25 million in overall costs to get through the Federal Risk and Authorization Management Program, FedRAMP Director Matt Goodrich wrote in a recent blog post.
Working with four similar vendors — three offering Infrastructure-as-a-Service solutions and one Software-as-a-Service — Goodrich broke down the main spending categories each faced while going through the Joint Authorization Board to get certified to provide cloud services to the government.
On average, the CSPs spent $1.1 million on engineering, $400,000 on documentation, $500,000 on third-party assessments, $250,000 on reviews/required updates and $1 million annually for continuous monitoring.
Variance between the four ranged from $500,000 for one and $4 million for another, with the contributing nuances being the use of outside documentation consultants for assessment/reviews, differing audit lengths (and therefore different update costs) and the cost to retrofit commercial systems versus building custom.
"One important thing to note, again, is that these baseline costs are associated with the old FedRAMP process and was before we introduced FedRAMP Accelerated," said Goodrich, adding that FedRAMP Accelerated is intended to make the process faster, more transparent and more cost-efficient.
"With the redesigned, reimagined process now being tested with three CSPs, we will ensure that Accelerated works for everyone," he said. "One way we’re going about this is to compare and contrast the costs of the old process to Accelerated and to ensure we’re getting a greater [return on investment] for both government and industry."
Vendors interested in helping FedRAMP build out the Accelerated model’s baseline costs can email firstname.lastname@example.org. The entire blog entry can be viewed on the FedRAMP website.