When a cloud service provider (CSP) wants to work with the federal government, it has to pass a rigorous audit to show that it can properly secure the controlled information it would handle in the process. That Authority to Operate (ATO) is granted through the Federal Risk and Authorization Management Program (FedRAMP), and it is the biggest barrier to federal contracts: the bar is high. As many as 60% of CSPs attempting to pass their ATO audit will fail.
If you want your CSP to be on the right side of that statistic, you need to learn from those who have come before. That’s why we put together this guide: the five biggest reasons why organizations fail to achieve their FedRAMP ATO, and how you can avoid the same fate.
Alright, we lied; this is actually six reasons. That’s because the “60% of FedRAMP attempts fail” statistic isn’t just about failing to achieve the ATO after an audit. It encompasses the CSPs that start their efforts, only to abandon them partway through when they realize just how much they need to do.
FedRAMP’s Moderate baseline, which is where 80% of CSPs will land when they determine their impact level, incorporates over 300 security controls derived from NIST Special Publication 800-53. Those controls range from ensuring that specific firewall settings are configured properly to a comprehensive set of employee training guidelines; in other words, it’s a lot of work.
Frequently, we see CSPs that decide they want to go after federal contracts, but underestimate just how much work is involved. Systems need to be secured, data needs to be segmented, a scope needs to be defined, employees need to be trained, policies need to be documented and followed, violations need to be detected, punishments need to be enforced, and every last bit of it needs to be recorded.
It’s no wonder that the best-case scenario is a six-month crash course in deep information security, and a more realistic estimate can be 12-24 months of work to get all of your ducks in a row to pass an audit.
Moreover, FedRAMP’s requirements change over time, which means that on a timeline of more than a year you need to be aware that the rules may shift under you while you work.

So, before you start hiring consultants, buying guidebooks, or paying for security programs, consider the road ahead of you, and make sure it’s one you really want to go down. Otherwise, you risk wasting a lot of time and effort.
Alright, with that out of the way, let’s get to the real five reasons why you might fail to achieve your FedRAMP ATO.
FedRAMP is broad and complex, but it’s also somewhat isolated from private sector operations. This can lead to executives performing competitive research, deciding that their next move should be “to win government contracts,” and then simply saying, “make it happen.”
FedRAMP authorization is not an out-of-the-box solution you can simply install. Nor is it purely a technical solution that can be developed and deployed. Off-the-shelf tools and technical controls both help, but they’re only part of what it takes to secure an ATO.
Executives who think of it in terms of SOC 2 reporting or one-time audits will be blindsided by the scope and expense of FedRAMP implementation.

A good way to think of it is more in terms of a product launch. You’re a CSP offering your services to clients, but you can’t simply offer those services to the government the same way. You are, effectively, developing a separate, parallel version of your service. While it might look and feel the same on the surface, the behind-the-scenes details all need to be very different.
Top-level executive backing needs to be in place, because successful implementation of FedRAMP security controls means changing everything from personnel training to financial record-keeping to baseline security to intrafirm communications rules. Everywhere federal information touches needs to be secured along the guidelines set forth in FedRAMP.
All too often, an order comes down from an executive to make it happen, but there’s no further support. The responsibility is left to lower-level managers who might not have the resources or authority to change what needs to be changed.
A common misconception about FedRAMP is that it’s about securing your systems.
In fact, FedRAMP is about protecting CUI: controlled unclassified information. FedRAMP broadly doesn’t care if your systems are secure across the board, only that the parts of them that touch CUI are secured.
This has some far-reaching implications.
One of the big details is in scoping your FedRAMP perimeter. The reason it’s ideal to look at FedRAMP as if it’s a product launch is that the non-government parts of your systems don’t need to be secured to FedRAMP standards, as long as there’s proper segmentation between them.
Another detail, and one that is often easy to overlook, is third-party systems. Modern CSPs are rarely developed out of whole cloth; they’re built using third-party integrations and services. Your CRM, your sales hub, your project management app, your collaborative data storage, all might come from other companies.
FedRAMP specifies that, when you’re using third-party integrations and those systems have any access to systems that CUI touches, those integrations need to be FedRAMP-authorized at the same impact level as your own system or higher.

Work on CUI using Google Workspace? You need Google Workspace for Government, specifically. Build your data warehouse on Microsoft Azure? You’ll need to be using Azure for Government for the sections that house CUI. Run your infrastructure through HubSpot? HubSpot isn’t FedRAMP-authorized, so you’ll need to switch to something that is.
In extreme cases, this can basically require re-engineering your entire service on new architecture.
Since this requirement can easily escape the notice of the teams implementing FedRAMP, it’s easy to be blindsided by an audit finding that you’re using apps that aren’t themselves secured to the required level. Since anyone compromising those apps could then use them to reach CUI on your systems, it’s a liability you need to fix before you can receive an ATO.
Often, CSPs view FedRAMP as a goal to meet and an achievement to accomplish. It’s even reasonable to feel that way, given the steep requirements necessary to gain that authorization.
The problem is, this leaves out one very significant component of FedRAMP: continuous monitoring.
The world of information security is very much not static. New threats appear every day: new intrusion vectors, new phishing campaigns, and much more. It’s an active battleground.
That means “security” is a moving target. You could do everything right, but if you stop at your initial implementation and fail to perform maintenance and upkeep, you can be vulnerable again before the end of the year.
FedRAMP accounts for this by having additional rules for continuous monitoring, logging, incident reporting, and remediation. Your job isn’t done when you receive your ATO; in fact, it’s arguably just beginning.

If continuous monitoring is something that happens after receiving your ATO, how does it make sense to put it on a list of reasons why people fail to receive their ATO in the first place? That’s because your FedRAMP 3PAO will audit your monitoring and reporting systems just as much as they do other elements of your security. In fact, as part of penetration testing, they’ll expect to see the incidents they created be reported through your monitoring systems.
If your monitoring, response, and reporting systems are not up to snuff, you can fail your audit and miss your ATO.
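One way to check, before the 3PAO arrives, that your monitoring pipeline actually reports known test activity: compare a list of injected test incidents against the alerts your SIEM raised and flag anything not reported within a deadline. This is an added illustration, not code from the original post or from Ignyte; the incident list, the pipe-separated alert log format and the 60-minute reporting window are all constructed assumptions.

```python
"""Verify that monitoring reported the test incidents an assessor injected.

The assessor's penetration test generates known events; this script checks,
from the SIEM alert log, which of those events were reported and how fast.
All data below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed assessor ground truth: what was injected, when, and from where.
INJECTED_INCIDENTS = [
    {"id": "T1", "at": "2024-05-01T10:00:00", "src": "203.0.113.7", "kind": "port-scan"},
    {"id": "T2", "at": "2024-05-01T10:20:00", "src": "203.0.113.7", "kind": "brute-force"},
    {"id": "T3", "at": "2024-05-01T11:05:00", "src": "198.51.100.9", "kind": "web-shell-upload"},
]

# Constructed SIEM alert log, one alert per line: time|rule|source ip.
ALERT_LOG = """\
2024-05-01T10:04:12|port-scan|203.0.113.7
2024-05-01T10:23:40|brute-force|203.0.113.7
2024-05-01T11:55:00|brute-force|192.0.2.44
"""

def parse_alerts(text):
    """Turn raw alert lines into dicts; skip blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        alerts.append({"at": datetime.fromisoformat(parts[0]), "kind": parts[1], "src": parts[2]})
    return alerts

def coverage_report(incidents, alerts, max_minutes=60):
    """For each injected incident, find the first matching alert raised within
    max_minutes after injection. Returns {incident id: minutes to alert, or None}."""
    report = {}
    for inc in incidents:
        start = datetime.fromisoformat(inc["at"])
        deadline = start + timedelta(minutes=max_minutes)
        matches = [a["at"] for a in alerts
                   if a["kind"] == inc["kind"] and a["src"] == inc["src"]
                   and start <= a["at"] <= deadline]
        report[inc["id"]] = (min(matches) - start).total_seconds() / 60 if matches else None
    return report

def missed(report):
    """Incident ids the monitoring pipeline never reported in time."""
    return sorted(i for i, mins in report.items() if mins is None)

if __name__ == "__main__":
    rep = coverage_report(INJECTED_INCIDENTS, parse_alerts(ALERT_LOG))
    for inc_id, mins in rep.items():
        print(inc_id, "reported after %.1f min" % mins if mins is not None else "NOT REPORTED")
    print("gaps to fix before the audit:", missed(rep))
```

In the constructed data the web-shell upload (T3) is never alerted on, which is exactly the kind of gap an assessor would write up as a finding.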
A key part of FedRAMP is the SSP, or System Security Plan. Your SSP is your guidebook to everything you have thought about, considered, and planned in your FedRAMP implementation.
A good SSP starts with scoping. Scoping is the key to effective FedRAMP implementation. Defining what is within scope and what is not helps you identify what you need to secure, but more importantly, helps you identify what you can leave out. Securing systems and elements you didn’t need to secure leaves you with a higher maintenance burden, a larger attack surface, and more room for error.

Your SSP also defines who has to handle which parts of FedRAMP, now and after you get your ATO. It includes your relevant stakeholders and their responsibilities. Having the right people on the job in the right places is just as essential as the technical elements of FedRAMP, if not more so.
Another foundational resource for developing your SSP is your network and data flow diagrams. Again: FedRAMP is about securing information, which means you need a complete and thorough understanding of where that information goes and what systems it interacts with. Formalizing this with diagrams helps ensure that you secure what you need to secure.
These are just some of the common mistakes CSPs make with their SSP, any of which can cost you your ATO. Make sure you get it right.
Another common reason that many CSPs fail in their bid to achieve an Authority to Operate is trying to do everything manually.
Yes, there are hundreds of security controls. Yes, many of those controls cannot be automated because they have a human element or are too customized to the CSP to be readily tracked in a consistent way.
Many of those controls, however, are capable of being automated. There are infosec programs that can go through and configure firewalls and set up encryption automatically. You can implement out-of-the-box FedRAMP-certified security programs that do much of the compliance work in a handful of scripts you run on your systems.

There are also platforms like the Ignyte Assurance Platform that make keeping track of everything much easier. Our platform is customizable to suit your security goals and helps you track the implementation status of each security control and element. You can easily visualize the progress you’re making towards compliance, identify red flags and roadblocks, and focus efforts where they need to be.
Critically, part of what our platform can do is help you aggregate and accumulate all of the documentation you need to prove compliance. Another area where many CSPs fail is in incomplete documentation, but when you automatically store proof when you finish a milestone or implementation, you’re sure to have it when you need it.
To see exactly how the Ignyte Assurance Platform can help you achieve your FedRAMP authority to operate, book a demo today.
Of course, we’re just one of many possible tools that can help. Using automated security auditing software, configuration managers, and even algorithmic monitoring apps can all help streamline your attempt at authorization.
While the five (or six) major reasons listed above are all common failure points for CSPs attempting FedRAMP authorization, they aren’t the only considerations to make. There are certainly other pitfalls you can trip over.
Over-reliance on POA&Ms. Plans of Action and Milestones (POA&Ms) are a mechanism for fixing minor issues on a longer timeline without delaying the start of operations. But if you’re pushing too much into POA&Ms, or you’re trying to use POA&Ms on critical controls, your auditor isn’t going to buy it.
Underestimating the cost. Unfortunately, the work necessary to achieve FedRAMP ATO is expensive. Many CSPs that successfully achieve ATO still take 2-4 years to reach positive ROI with government contracts. Can your company handle that cost?
Hiring a mismatched 3PAO. Your 3PAO will be the one conducting your audit to see if you can achieve ATO. But not all 3PAOs are equal. Looking for one with experience at your scale and in your industry can be a significant leg up.

Starting without an agency sponsor. Part of FedRAMP is having a government agency or department willing to offer you a contract to get started. Without that sponsor, all of your work is for naught.
As long as you’re prepared to handle all of these possibilities, you can be assured of a successful ATO process. Just never go into it unprepared or underestimating the standard you need to reach.
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/fedramp/reasons-organizations-fedramp-ato/