FedRAMP Focus:  Know the Soft Money and Time Costs

The excitement for cloud innovators is the potential for sales revenue to hockey-stick, especially within the $1,000,000,000+ Federal Cloud Marketplace. The unspoken frustration many SMB cloud solution providers face is framing the return on investment (ROI) of FedRAMP for the C-Suite. Published guidance and eager consultants provide some visibility into costs, yet little is revealed about the hidden “soft” money costs and “time” challenges on the FedRAMP journey. In this blog we will touch on identifying what’s not published! Elements include Time and Timing for Operations, Marketing and the C-Suite, and how the adjusted balance of resources or momentum can drive both compliance and market success.

EmeSec has been an avid supporter of the FedRAMP program since 2011. Serving as either a consultant or an inspection testing assessor, we have supported a variety of clients, and as a result we have witnessed patterns that affect the Cloud Service Provider’s likelihood of success with FedRAMP Certification efforts. Many of the patterns represent decision points for the organization and its supporting personnel. Some decision points result in barriers on a successful FedRAMP certification journey.

Like other projects, the element of success EmeSec has witnessed with FedRAMP customers, both ours and those of competitors, is the ability to consider and incorporate time/timing, balance, and momentum.


· Time and Timing. The use and management of time in preparing for and accomplishing FedRAMP success is critical. Timing should be considered as it relates to the Federal Acquisition Cycle and the type of cloud solution. The time needed to accomplish a FedRAMP certification for revenue growth and customers is also impacted by the solution’s overall status and market position: early adopter, competitor, or laggard for federal revenue.


· Balance. The balance factor for success is the ability to balance the “business” need for FedRAMP certification with the Customer and the compliance requirements. Overachieving on functional requirements of the cloud solution may result in an “imbalance” in timing. Balancing internal FedRAMP compliance efforts with external consulting can result in better timing and often-reduced total costs compared to the “learn as you go” or do-it-yourself (DIY) FedRAMP model.


· Momentum. The speed or momentum of FedRAMP success may directly impact the cost of becoming FedRAMP certified. The adage, “everything can take longer than expected,” applies, since there are segments of the certification process dependent upon corporate and government responses. Momentum is impacted by balance and timing, as internal staff may have traditional operations and maintenance work as well as new FedRAMP compliance work to meet deadlines. Planning and experienced external help (consulting) can assist in optimizing speed with costs and success.


EmeSec Incorporated is a leader in emerging security and compliance practices for cloud solutions, traditional risk management framework (RMF), and engineering solutions to meet security and compliance. A recognized leader in Controlled Unclassified Information (CUI) compliance, EmeSec delivers high-value, low-risk innovative solutions for commercial and government organizations. For more information, advice, and recommendations, visit our website at www.emesec.net or email us at info@emesec.net.

EmeSec Incorporated ©2019