FedRAMP Program opens the door to charging CSPs – Initial Thoughts and Feedback from Coalfire’s Public Sector Advisory Team

Matt Chaiko

Lead Principal, Advisory Services, Coalfire

February 4, 2025

The FedRAMP Program has “opened the conversation” about potentially charging cloud service providers (CSPs) for undergoing the FedRAMP authorization process. In its blog post, “Exploring New Ways to Scale FedRAMP”, published on December 20, the FedRAMP Team acknowledged its current inability to meet the growing demand for FedRAMP authorizations and identified additional funding as a potential solution. The post outlines the benefits of new funding, such as hiring more reviewers, launching pilot programs, and increasing centralized oversight. To be clear, no decision has been made yet; the FedRAMP Team is in the early stages of exploring how a fee structure could be implemented fairly for CSPs of all sizes.

Initial Reactions

Let’s be honest. As a member of the FedRAMP CSP, Advisory, or 3PAO communities, your gut reaction to this proposal was likely, “Are you kidding me?” While this blog isn’t intended to outright dismiss the idea of charging CSPs, it would be disingenuous not to address the elephant in the room: Why should CSPs be held responsible for the FedRAMP Team failing to scale? Many CSPs, having navigated the initial authorization process, understand that the review system is slow and inefficient. However, expecting CSPs to fund these optimizations—despite the substantial investments already required in achieving and maintaining FedRAMP authorization—raises concerns.

What Is the Federal Government Doing to Help Scale FedRAMP?

The FedRAMP blog states, “For years now, federal agencies, companies, Congress, and a series of administrations have made clear they value what FedRAMP does and want to see the program scale and the marketplace grow well beyond what it is today.”

If this is true, why isn’t the federal government providing adequate funding to ensure the program runs efficiently? Companies (CSPs) are already making significant investments. According to an independent third-party study, the initial cost of FedRAMP authorization for a CSP averages $2 million. This includes expenses such as hiring specialized personnel, obtaining advisory services, security tool license costs, and third-party assessment costs. Growing investments in FedRAMP by CSPs are what pushed the program beyond its capacity in the first place. That leaves the agencies, Congress, and the current administration: what additional support will they be providing to help the FedRAMP Team scale?

Response to FedRAMP’s Questions

The FedRAMP Team has asked the CSP community for feedback on designing a fair cost model. Here are my responses to two of the questions posed:

“How might FedRAMP design a cost model that is right for smaller businesses?”

The cost model should be based not on business size but on the complexity of the cloud service offering (CSO) and the effort required for the FedRAMP Team to perform package reviews and continuous monitoring. Factors to consider include:

  • Impact level
  • Number of unique applications/products
  • Infrastructure size and complexity
  • Inheritable controls (e.g., CSPs fully hosted on FedRAMP-authorized IaaS inherit most MA, MP, and PE controls, reducing review times)

Whatever the cost model, it must be standardized and transparent to prospective CSPs.

“Are there particular parts of FedRAMP’s authorization and continuous monitoring processes you think should receive the most direct investment?”

  • Increase Transparency of FedRAMP Requirements
    • CSPs often encounter “unwritten rules” during the authorization process, which aren’t documented in official guidance. These surprises frequently appear in Authorization Review Reports, creating unnecessary delays. The new Review Initiation Criteria (RIC) checklist (RFC-0003) addresses some of these issues but needs refinement and broader communication.
  • Expand Guidance and Whitepapers
    • The FedRAMP Team should release guidance more quickly and ensure draft documents are finalized promptly. For example, the “FedRAMP Authorization Boundary Guidance” has been in draft since September 2022 but is actively used by FedRAMP reviewers to assess CSPs. This causes confusion for both CSPs and 3PAOs. The FedRAMP Team should commit to timelines for finalizing updates and rescind drafts that will not be published.
    • In addition, the FedRAMP team should adopt a clearer distinction between "guidance" and "requirements." CSPs need to fully understand the specific criteria they will be assessed against during a FedRAMP review. A recent example of this confusion is the logical separation guidance outlined in the Subnets whitepaper. Many CSPs are uncertain whether the Subnets whitepaper constitutes a mandatory requirement.
  • Enhance Agency Competency
    • Many agency reviewers and AOs still lack an understanding of the FedRAMP authorization process. Even the agencies most experienced with FedRAMP often interpret controls differently than the FedRAMP Team. Working to improve agency competency and standardize control interpretations would lead to higher-quality package submissions, reducing review times for the FedRAMP Team.

Additional Questions for the FedRAMP Team

  • What percentage of CSP fees will be allocated to covering increased overhead? Will managing the cost model require significant additional resources?
  • Will fees be one-time or recurring?
  • How will the FedRAMP Team calculate the level of effort for each CSO review?
  • Will the model consider factors like impact level, inherited controls, number of unique applications, and infrastructure complexity?

Final Thoughts: Is it time to consider a complete overhaul of the FedRAMP Review Process?

The FedRAMP program has provided immense value since its inception and played a major role in enhancing the cybersecurity posture of the federal government. But I question whether additional funding and expansion of the FedRAMP Team is the best path forward. It may be time to reassess the current FedRAMP model entirely, and in particular the FedRAMP Team's package review process.

Does the FedRAMP Team review provide enough value to agencies to justify expanding the program? Or would the more efficient approach be to eliminate the FedRAMP Team review for agency authorizations?

Every agency is responsible for reviewing its CSPs' packages, assessing the associated risks, and issuing ATOs accordingly. As a result, each CSO undergoes an initial and annual assessment by an accredited 3PAO, detailed reviews by its agency customers, and a FedRAMP Team review.

Removing the FedRAMP Team review would align with the CMMC methodology, where the DoD CIO CMMC PMO provides oversight and defines program requirements but does not grant accreditations or conduct package reviews. This shift would allow the FedRAMP Team to focus on refining requirements, collaborating with agencies and CSPs, and enhancing continuous monitoring.

Additionally, this change could support the new FedRAMP Program Authorization model, where the FedRAMP Team directly authorizes CSPs without an agency partner. By limiting its reviews to CSPs pursuing a Program Authorization, FedRAMP could scale the program without requiring additional funding. CSPs might also be more receptive to a fee-based model for Program Authorizations, as it provides them with an opportunity to achieve FedRAMP authorization that would otherwise be unavailable without an agency sponsor.

Call to Action

The FedRAMP Team is seeking feedback from the industry to design a fair pricing model for CSPs of all sizes. This is an opportunity to influence the future of the FedRAMP program. Submit your feedback by February 28 using this Smartsheet form.