Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

What is the Timeline for the FedRAMP Process?

Home
Industry Insights
What is the Timeline for the FedRAMP Process?

Blog Article Published: 02/15/2023

Originally published by Schellman.

Written by Andy Rogers, Schellman.

Ever watched Jeopardy? Even if you haven’t, you’re likely familiar with the iconic theme music that plays every time contestants deliberate over their answers—it’s such an iconic tune that it’s become synonymous with waiting for a conclusion that takes quite a while.

Endeavoring for compliance with the Federal Risk Assessment Management Program (FedRAMP) is one such drawn-out conclusion—it takes time to complete this process, but how much? How long will the Jeopardy theme play?

Before you commit to achieving FedRAMP Authority to Operate (ATO), it’d be helpful to know what you’re getting yourself into. In this article we will outline the anticipated timeline for what we’ve separated into 4 major phases of FedRAMP—these include the development and preparation of your system, agency sponsorship, execution of an assessment, and the review(s) that yield Authority to Operate (ATO), as well as the continuous monitoring responsibility for your authorized system.

As things move along during your FedRAMP journey, it may—at times—feel like one long pregnant pause with the Jeopardy theme playing. But having read this, you’ll have an understanding of how to get from cradle to grave in the FedRAMP process so you’ll know for sure what step is coming next while you wait.

What is FedRAMP?

Just to lay the groundwork, here’s what you need to know about FedRAMP:

  • It’s geared toward Cloud Service Providers (CSPs) that want to do business with the U.S. federal government.
  • The standard is designed to safeguard cloud systems with security commensurate to the sensitive data that may be stored, processed, managed, and transmitted within the system.
  • Each system that is assessed has an applicable Federal Information Processing Standard (FIPS) 199 risk designation of High, Moderate, or Low depending on the data being processed. These risk levels have considerable variance in the number of security controls:


There are two ways to get FedRAMP ATO—through either agency sponsorship or the Joint Authorization Board (JAB). Since the agency route is more common, we’ll proceed through the phases of the process assuming you’ll be going that way too.

The 4 Phases of FedRAMP

Phase 1: System Development and Preparation

Once you’ve determined your risk designation, you can proceed through the 3 phases of FedRAMP, and that starts with developing your Cloud Service Offering (CSO). The time this takes can range depending on the complexity of the system, but know that using a defense-in-depth methodology when building the system is extremely important if you don’t want to extend your timeline considerably.

Because FedRAMP assessments are some of the most difficult, take longer, and tend to be more expensive than average, developing your CSO with the NIST 800-53 controls in mind can prevent considerable rework, or worse, necessary rearchitecting of your environment to ensure you meet the “spirit” of the FedRAMP controls. But if your system is already developed, you may want to perform/have someone perform a gap assessment to better understand if you are truly meeting FedRAMP requirements before moving forward.

In some cases, hiring an experienced advisor can shorten this timeline—these consultants have interacted with the FedRAMP Project Management Office (PMO) and understand the federally mandated “showstoppers” (a.k.a. things that will derail your ATO).

Phase 2: Agency Sponsorship

In any case, once your offering is ready to go live, you’ll need to secure an agency sponsor. Without one—or, as we mentioned earlier, authorization from the JAB—the furthest you’ll be able to get is FedRAMP Ready status, which is not an ATO. (If you’re FedRAMP Ready, you’ve proven you have a system meeting the federal mandates and ready at either the Moderate or High baseline but will still need an agency sponsor to move forward to In Process and eventually Authorized).

Because success with an agency looks different for everyone, we can’t accurately provide a timetable for how long this will take.

Phase 3: Security Assessment – 7-9 Weeks (Approximately)

But once you do secure an Agency sponsor, you can now proceed through a full initial FedRAMP Security Assessment, and we can provide a rough timeline for that.

Before you get started, you’ll need an American Association for Laboratory Accreditation (A2LA) accredited 3PAO to perform the assessment—the full FedRAMP Security Assessment Report (SAR) process can be broken into the following stages:

Security Assessment Plan (SAP)

(1 Week)

The 3PAO drafts the SAP and submits to the CSP for their approval. In some instances, the sponsoring agency will also request a review prior to finalizing. Once finalized, the SAP is signed by the 3PAO and the CSP. This step is critical as the SAP defines the assessment activities and includes key items such as the Rules of Engagement.

At this stage, there are expectations that the CSP will have provided certain audit evidence such as the System Security Plan (SSP), system inventory and other items required for populating the details of the SAP template.

Control Owner Interviews

(1-2 Weeks)

Once the SAP is in place, remote or in-person interviews and evidence collection through live screen shares will take place.

Interviews can range anywhere from one to two weeks depending on the complexity of the system and FIPS-199 baseline. The requisite penetration testing will also kick off during this time after coordinating the details and putting into place the proper authorizations.

Evidence Analysis, Controls Testing and Penetration Testing

(6-8 Weeks)

At this point, your 3PAO will begin in-depth testing, analyzing both the evidence you submitted as well as what they collected live, which includes vulnerability scans and compliance scans. The penetration test continues through this stage of the assessment.

SAR and Risk Exposure Table Delivery

(2 Weeks)

Once testing is wrapped up, your 3PAO will provide a draft SAR as well as the Risk Exposure Table documenting the findings from the assessment. You should ensure that any remaining supplemental control implementations (mitigating factors) are brought to your 3PAO’s attention to help reduce or mitigate the documented risks. Once you and your 3PAO are in agreement, the SAR will then be finalized and provided to the sponsoring agency and FedRAMP PMO for their respective reviews.
Phase 4: Agency Review and PMO Review – 6-8+ Weeks

After you’ve completed the assessment and the SAR is finalized, the SAR and supporting details are submitted as the “authorization package” for review to the sponsoring agency and FedRAMP PMO for their respective reviews.

Given the number of CSPs pursuing FedRAMP ATO, it’s common that a sponsoring agency and the FedRAMP PMO have a number of packages in their queue for review. Because of this and depending on the sponsoring agency, the completion of both reviews can take more than six to eight weeks.

After completion of the reviews, there will be a meeting that includes the FedRAMP PMO, your sponsoring agency, 3PAO and you as the CSP to review feedback from the FedRAMP PMO and discuss any questions. This review often results in a revision of the SAR to ensure that all are in agreement with the results and the details contained within.

Once updated, the SAR and any other supporting documentation that has been updated are submitted to the PMO for an additional review. The ideal outcome from the resubmission is to receive an email notification within a few weeks from the FedRAMP PMO letting you know that your CSO has been granted an ATO. The ATO will allow you to provide your CSO to your sponsoring agency, and it will be listed on the FedRAMP Marketplace with its applicable ATO. Given the number of variables that factor into the review process, the duration can vary widely based on the queue mentioned above and the feedback received.

Next Steps for FedRAMP ATO

At this point, you may believe you’re done—the Jeopardy theme will stop playing, the conclusion having been reached. But as long as your CSO is providing services to a federal agency, you will be subject to the annual assessment requirement to assess a subset of the full initial controls—this usually takes 10 – 12 weeks from start to finish, so it’s a little shorter than the full assessment.

In any case, the process of getting FedRAMP ATO is neither easy nor short, as you now understand. Just the assessment and review periods can take more than three months each, and that doesn’t factor in time spent preparing your offering, however long that may take. No matter what, you’ll need to ensure you have enough time and expertise to get your CSO up to standard so that all your efforts end successfully.

To learn more about FedRAMP, read our other content that can help you further simplify your approach and experience:

ComplianceFedRAMP

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Upselling Cybersecurity: Why Baseline Security Features Shouldn’t Be a Commodity

Published: 04/24/2024

Understanding the Nuances: Privacy and Confidentiality

Published: 04/22/2024

How to Set Your Small Privacy Team Up for Success

Published: 04/17/2024

How to Audit Your Outdated Security Processes

Published: 04/16/2024