Business owners – how to get into the federal sector and obtain FedRAMP approval

  • Needling Worldwide

Obtaining a FedRAMP Moderate authorization is a requirement for any organization attempting to earn a contract with the federal government. For many organizations, regardless of size, getting this approval from FedRAMP can seem like an unattainable task, even a dream.

FedRAMP is notorious for requiring strict compliance, and companies know it will be a challenge no matter how well-versed they are in cybersecurity compliance. FedRAMP approval is not just a simple compliance checkbox on the way to winning a government contract; because earning FedRAMP approval is so difficult, holding it shows the company has a vested interest in obtaining a contract.

The keys to obtaining FedRAMP Moderate authorization:

  • From day one, all companies should align primarily to the NIST 800-53 Revision 5 Moderate baseline as their internal security framework.

    • This early commitment will reduce later rework of existing security controls, and it will foster a security-first mindset that scales to meet whatever compliance requirements arise in doing business with the federal government.

  • Build an integrated security team.

    • This includes compliance-focused leads who understand the requirements of the FedRAMP controls.

    • Hire application security engineers who can embed guardrails within the security architecture that won’t hamper product delivery.

    • Oversee DevSecOps teams that operate with a security-first mindset, so that security is enforced throughout all network infrastructure.

    • Ensure that all platform engineers are aware of the security controls that apply to the cloud environment, and of how to implement and deploy those controls.

    • Mirror commercial and federal architectures so that they are identical.

      • Ensure all organizations keep a single software release chain with identical configurations and infrastructure security requirements throughout the whole organization.

      • Configure all security controls the same and enforce these same requirements, regardless of the size of the company.

      • Guard against custom hardening of any application outside the main infrastructure environment, which leaves some applications more secure than others. Treat every application on the network the same, no matter what its intended use within the company.

      • The mindset of all management should be one platform and only one set of controls. This will drastically simplify any future audit and ensure the environments stay fully in sync, even when they are in different geographic locations.

  • Scrutinize the business case to the highest degree.

    • Obtaining FedRAMP Moderate authorization is not cheap. It’s been estimated that the initial investment can often exceed $1 million, and it can take over 12 years to see any result or sign of positive return on that investment.

    • Before any company makes this type of investment, the organization should do its homework and validate the actual market opportunity: what the business offering is, and which customers it is tailored to benefit.

    • Confirm executive sponsorship, because FedRAMP will require a top-down alignment.

      • This means all management, regardless of title, must share the same priorities and buy into obtaining Moderate-level authorization.

      • This will often require personnel to work rigorous hours with very demanding schedules and completion dates to achieve this task.

      • This is not a growth experiment. Be ready from day one. Do your homework and know your business model well enough before even venturing down this path.

  • Choose your business partners wisely.

    • Depending on your company’s size, it may be beneficial to choose external vendors well-versed with FedRAMP requirements and form a partnership to share the cost.

  • Watch for schemes involving predatory pricing. Be wary of anyone promising the world in a short time with little or no effort.

  • Prioritize transparency; should your business decide to partner with anyone else, that partner becomes an automatic extension of your business team.

  • Build effective internal communication.

    • Ensure your security architects are well-versed in cryptography, change control procedures, evidence collection, and thorough documentation of tracked issues.

    • Hire strong project management personnel to work with vendors, auditors, and internal stakeholders, whatever the time frame of their requests.

    • Hold team training and Q&A sessions with each team on a continual basis.

Achieving FedRAMP Moderate authorization is possible for startups as well as established companies if maintaining an integrated security culture is a high priority. Most importantly, everyone on the team should have a deep understanding of what they’re signing up for before they accept the position.

If you’re considering going down this road, start small, move deliberately in your actions, and commit fully without hesitation.
