Cloud Service Providers (CSPs) who incorporate Quality Management into their Authorization Package development projects will realize a return on their investment throughout the FedRAMP Review process. Quality documentation is clear, concise, consistent, and complete. Quality documentation minimizes costly rework and time consuming delays caused by clarifying misunderstandings and waiting for missing documentation. FedRAMP requires quality documentation to provide a clear and complete description of the risk posture of a cloud system and reduce an Agency’s level of effort to reuse an Authorization Package.
FedRAMP Accredited Third Party Assessment Organizations (3PAOs) are required to have a Quality Management Program. 3PAOs are obligated to produce quality Security Assessment Plans (SAPs) regardless of the quality of the System Security Plans (SSPs) they are based on. Therefore, a quality SSP will reduce the delays and rework associated with developing Security Assessment Plans (SAPs).
While it may be difficult to quantify the value of quality documentation, it is not difficult to quantify the lost value of rework. The management and tracking, reallocation of resources, consistency checking affected documents (ripple effect), and reworking errors caused by the rework do not add to the value of the documentation. However, they do add to the cost and time to produce it.
Time and money aren’t the only values to consider. Quality documentation has a long-lasting marketing value. Agencies will be reviewing FedRAMP Compliant Authorization Packages for reuse for years to come. Some of these potential customers will be introduced to the CSP for the first time through their documentation. Quality documentation is always well-received.