Insights from the FedRAMP journey
- By Steve Boberski
When our company, collab9, successfully completed the certification process for the Federal Risk and Authorization Management Program, CEO Kevin Schatzle called it one of the greatest achievements in company history.
It took more than two years of dedication, the right strategic partners and more financial investment than we would like to mention, but we became the first unified communications-as-a-service (UCaaS) provider to secure FedRAMP authorization.
In those two-plus years, we hired new staff to focus specifically on the authorization or to fill in for employees we pulled over to the project. We trusted that the time, budget and attention would prove successful. These are the considerations and investments companies need to dedicate when undergoing the FedRAMP process, but it doesn’t stop when the authorization is awarded.
Lessons learned from FedRAMP
Now collab9 finds itself as a FedRAMP “veteran.” Not only have we become certified in the process, but we have a year of work under our belt. Throughout this process, and especially over the past year within the FedRAMP program, we learned a lot. Below are a few best practices that other companies can take from our experience.
Making a stronger company. From an operational perspective, adapting many of the processes required to remain in compliance with FedRAMP can make for a stronger company. This means that FedRAMP should always be a prime factor in your organizational decision-making. Steer clear of any changes that would deviate from the processes or security standards that you had in place when achieving the authorization. These standards will only improve how you operate as an organization and enhance the services you offer to customers/partners, both inside and outside of the government.
Authorization is just the beginning. It is important to perform vulnerability scans each month and report the results back to the FedRAMP Program Management Office (PMO). FedRAMP also performs a yearly audit, which must be completed in order to maintain security authorization. To keep up with the monthly reporting, ongoing assessments and annual audits, it is important to appoint several internal resources to work with the FedRAMP PMO and ensure you remain compliant. The investment in the FedRAMP process needs to continue, with dedicated internal resources driving it forward.
Enabling a more efficient government. FedRAMP standards are detailed and complex, making them difficult to both achieve and maintain. With that said, these standards make organizations eligible to store some of the government’s most sensitive data. These high standards are needed, and do pay dividends. We continue to see great value in the program, especially from the vantage point of our federal agency counterparts, who can operate more efficiently and securely, while expediting their technology initiatives by following the assessment framework. Providing that service, and continually working as a partner with the government, will better position you from a competitive standpoint.
Leveraging the PMO. We’ve found the FedRAMP program management office to be an exceptional resource. They have provided great support and direction throughout the process. There will always be questions that need a firm answer. The FedRAMP PMO has helped serve as a guide – and should be looked upon as such – to deliver the best options to the government customer as well as to help avoid costly and time-consuming mistakes internally. The FedRAMP PMO is a staunch supporter of the organizations who have secured an authorization, and will work cooperatively to make sure the program is delivering as expected.
The big picture
FedRAMP offers a great service to federal agencies, which no longer have to spend time and money performing independent vendor evaluations.
FedRAMP and its security-assessment framework also offer great value to vendors and their channel partners. It’s no secret that cloud-security concerns were pervasive in government and, as a result, cloud adoption among agencies has been delayed at best. FedRAMP helps remove some of that reticence, making it easier for government agencies to migrate to the cloud.
Undertaking the authorization process was not a decision we took lightly. Thanks to a sponsorship from the Federal Communications Commission, we were able to complete the process in less time than expected. In the end, we are a better company for completing these steps. That said, each company needs to decide if FedRAMP certification is right for them. It is a strategic decision that can definitely pay dividends, but only if it is pursued correctly and properly maintained/nurtured once an authorization is granted.
Steve Boberski is vice president, business development, with Collab9.