Impact of FedRAMP for Small Businesses
Did you know that over 30% of FedRAMP Cloud Service Providers (CSPs) are small businesses?* When we share this statistic across industry and the federal community, people are quite surprised — and pleased! Since small businesses represent an essential component of FedRAMP, we realized it was essential to engage directly with the small business community to gather feedback to improve the program.
We reached out to more than 40 small businesses engaged with FedRAMP to hear their feedback, learn about their experience with FedRAMP, and gather best practices to share across the small business CSP community. These CSPs spanned all stages of the FedRAMP process: In-Process, Ready, and Authorized.
From these meetings, we learned that most of the best practices for achieving a FedRAMP ATO are the same for both large and small CSPs. For example, be prepared and utilize the Readiness Assessment Report, engage early and often with the FedRAMP PMO, and know the ins and outs of your system. However, small businesses that have made it through FedRAMP repeatedly pointed out three unique differences during our interviews:
Bigger Impact to Resources – But More Agile Teams
Pursuing and maintaining a FedRAMP Authority to Operate (ATO) requires proportionally more resources for a small business: it calls for a team with specialized skill sets and carries the costs associated with hiring a Third Party Assessment Organization (3PAO). As a result, staff often wear multiple hats and blend several duties into their role, which means resource allocation must be monitored carefully. Yet the organizational structure of small businesses may provide some advantages. For example, teams don’t operate in silos and CSPs don’t have to navigate bureaucracy. With more centralized decision making and fewer layers of management, the process can go faster.
Levels Playing Field During Acquisition
Additionally, having a FedRAMP Authorization levels the playing field for acquisitions, as some Federal Agencies choose to require a FedRAMP ATO in their competitive procurement process.
Finally, being FedRAMP Authorized can enhance the company’s internal security processes and rigor across all their products — not just those that are authorized — creating higher and more rigorous security standards for all systems and increasing system maturity.
Thank you to those of you who took the time to share your thoughts and perspectives with us. We’ll use this information to identify resources and ways to better support small businesses in the FedRAMP process going forward. If you have any questions or you’d like to provide us with any additional feedback, please reach out to firstname.lastname@example.org.
*The U.S. Small Business Administration counts companies with less than $35.5 million in sales and approximately 1,500 employees as “small businesses.”