Engaging with FedRAMP - PART 2, The Kickoff Meeting
FedRAMP often receives requests for information and guidance regarding the Agency Authorization process. In response, the FedRAMP Program Management Office (PMO) is releasing a three-part blog series that explores the formal touchpoints with stakeholders as they pursue a FedRAMP Authorization. Throughout this series, we will explore the What, Who, Why, and When of the following touchpoints:
This second edition in the series takes a look at Kickoff Meetings. Kickoffs (KOs) formally launch the agency authorization process for Cloud Service Providers (CSPs) with their agency partners, and serve as the criterion most commonly met by CSPs that are listed as ‘In Process’ on the FedRAMP Marketplace.
What is a Kickoff Meeting?
KOs are 90-minute calls where the CSP presents the details of their cloud offering and plan for Authorization to their initial authorizing agency partner’s review team.
Who is involved?
KOs are attended by the PMO, members of the agency review team, and the CSP (Third Party Assessment Organizations, or 3PAOs, are optional).
Why are Kickoff Meetings important?
KOs provide agency review teams a chance to ask questions and learn about a system’s architecture and security capabilities prior to the Cloud Service Offering’s (CSO’s) security assessment. The essential question that should be answered by the end of this meeting is: “What am I, the agency, issuing an ATO for?”
When should a meeting be scheduled?
FedRAMP will coordinate a Kickoff Meeting once the following deliverables are submitted to and reviewed by the PMO:
- In Process Request (IPR): This signals agency willingness to partner with the CSP on an authorization, and is only considered valid once signed off on by an Authorizing Official (AO). Note: CSPs pursuing the agency path cannot be listed as ‘In Process’ without having an agency partner.
- Work Breakdown Structure (WBS): A project plan completed in partnership with the agency that depicts the CSP’s ability to meet required deadlines.
- Kickoff Briefing: This covers the system’s authorization boundary, assessment plan, and estimated authorization timeline. A Kickoff Meeting will not be scheduled until the briefing has been reviewed and approved by the PMO.
- Additionally, FedRAMP requires the 3PAO assessment to be scheduled to begin within the next 6 months.
NOTE: As outlined in our FedRAMP Marketplace Designations Guidance document, it is possible for a CSP to receive an ‘In Process’ designation by meeting other criteria. In this case, it is still highly recommended to schedule a Kickoff meeting.
After the meeting, what can I expect?
If the agency is comfortable with the information presented by the CSP, the CSP is typically eligible to be listed ‘In Process’ on the Marketplace, and the cloud offering would have 12 months to achieve full FedRAMP Authorization. If a CSP does not achieve a FedRAMP Authorization within those 12 months, the CSP will be removed from the Marketplace until an authorization is achieved.
We look forward to continuing our engagement with industry and we hope you found this information helpful! Please reach out to firstname.lastname@example.org with any questions or for assistance with starting your FedRAMP Authorization journey or visit the Agency Authorization page for more resources on the FedRAMP Authorization process.
Stay tuned for our next blog that is focused on the Security Assessment Report (SAR) Debrief, or visit the previous blog on Intake Calls.
The PMO recognizes that not every CSP’s authorization journey will follow steps as outlined here, and specific steps of the process can vary depending on many factors. In addition, it is important to note that these are not the ONLY touchpoints you may have with the PMO, and that you are encouraged to request meetings at any point where we may be of some assistance in your authorization journey.