Compliance
Breaking Down Barriers: Redefining the FedRAMP® Journey for Cloud Service Providers
Key takeaways:
- Coalfire has made the entry into the FedRAMP space simple and accessible for all organizations through a free, open-source project.
- To ensure compliance post-authorization, it’s important to educate teams early in the FedRAMP process.
- Building accountability into the process can be achieved through community governance and feedback loops.
Since the passing of the FedRAMP Authorization Act last December, inquiries about navigating FedRAMP's complex landscape have surged. Recognizing this, Coalfire is pioneering a new pathway to streamline the FedRAMP authorization process, making it more accessible for cloud service providers.
Shortly after wrapping up a series of FedRAMP assessment interviews, one of our customers remarked:
“This is just another sprint in a long marathon.”
The perception that FedRAMP is a series of hurdles in a never-ending race is echoed throughout the compliance community. Starting the process is an obstacle in itself between the pressures of cost, skilled resourcing, and finding a responsive agency partner aligned with the company’s go-to-market timeline.
When the FedRAMP Authorization Act was passed last December, many clients and organizations came to us asking how they should navigate this complex space. We were challenged to re-evaluate how to improve the FedRAMP authorization journey with greater care and impact – from the very beginning.
Access: Eliminating barriers to entry
As we evaluated our services, we understood that we needed to help remove the barriers preventing others from accessing this space.
Changing our strategy started with this premise:
Every cloud service provider, regardless of budget, deserves the opportunity to pursue a FedRAMP authorization.
To create this inclusive entry point, we made the decision to launch an open-source project to help cloud service providers (CSPs) kickstart their FedRAMP journey for free.
The package includes foundational components of our code base across the top three Infrastructure-as-a-Service (IaaS) providers, along with templated reference architecture design and System Security Plan (SSP) documentation. CSPs who previously couldn’t afford to enter or expand into government markets now have the opportunity.
At the onset of their journey, any CSP can download these materials and have immediate access, allowing for iterative progress before making a considerable investment.
Making adjustments early and educating the program team
When we went back to the drawing board, our team acknowledged the necessity for not only access to evaluating the pros and cons of starting the FedRAMP journey, but also for increased organizational advocacy and education.
The clients most equipped to handle the FedRAMP process understand their why and provide cross-functional education across sales, product, compliance, engineering, and even HR teams. Educating the teams involved in or affected by a FedRAMP program, not just executive stakeholders, is key to ensuring continued compliance post-authorization.
As part of enhancing our advisory services, we added more focused content in our workshop sessions to help CSPs anticipate and mitigate the challenges and decisions they’ll confront in the process.
The sessions equip organizations with the knowledge to strengthen their business case, evaluate contract potential across impact level (low, moderate, high), and appropriately budget for the entirety of the engagement lifecycle. Organizations proceed to a gap analysis, where a clear roadmap is crafted to address FedRAMP security controls and requirements.
Programs will always be challenged by regulatory changes, shifting market conditions, and unprecedented security events. Informed teams are able to take quick action and respond to mandated requirements, such as emergency directives from the Cybersecurity and Infrastructure Security Agency (CISA) or Rev. 5 updates.
Teams that stay agile ensure the continuity of their offering and instill confidence in their agency partners.
Building accountability across the community
FedRAMP is not a solitary exercise—accountability happens at all levels of the FedRAMP community. The quality of partnerships in this space drives programs forward. FedRAMP was established to provide governance across the board – OMB, GSA, NIST, DoD, DHS, CIO Council, and these governing bodies work together to provide support and oversight. We are making a concerted effort to model this governance as an extension of the CSP’s community:
- Collaborating weekly on Change Control Board meetings and reoccurring cadences to review required monthly reporting.
- Building in working sessions to cover new agency requirements and internal business initiatives.
- Encouraging agency cooperation.
As CSPs achieve multiple authorizations, the multi-agency continuous monitoring model has gained traction, creating accountability for validating the security posture of the CSP across agencies.
Accountability also means we hold ourselves to a greater standard and welcome diverse perspectives and dialogue. Inclusive steps taken by GSA and OMB with the newly formed Federal Secure Cloud Advisory Committee (FSCAC) indicate that the FedRAMP community is moving in this direction.
FSCAC has opened a window for more agency feedback on setbacks to cloud adoption and seeks to expand small business offerings. As we reimagine the future of community in this space, our vision is centered around embodying the principles of open source: collaborative and shared by all.
By releasing these modules, we will continue to improve our offerings by listening and learning from the FedRAMP community through a dynamic feedback loop.
The elements of a successful FedRAMP program start with proper qualifications and a strong business case. Thereafter, the drivers of maintaining success hinges on education and accountability built across the program.
Ultimately, we hope that changing our delivery services expands the conversation and provides new opportunities for organizations to enter the government marketplace.