Reader Submission: Tips from a FedRAMP Compliant WOSB
NetComm made it! We officially achieved FedRAMP Compliance in January 2016 for our Beacon SaaS with an Agency Authorization through the National Institutes of Health (NIH). We are especially proud because we are the first Women-Owned Small Business (WOSB) to achieve this distinction. There has been a lot of criticism that FedRAMP can’t happen for small companies; we’re proof it can. That doesn’t mean it’s easy: becoming FedRAMP authorized is rigorous, but it is intended to be.
Throughout the process, we had to ensure Beacon met the strict requirements of federal government agencies using cloud computing and that the system provided the highest level of security, which is critically important for protecting government information, particularly in light of the many major hacks and breaches of late.
Now that we have reached this milestone, we wanted to share some important tips based on what we found helped us succeed in the FedRAMP process:
Preparation is key.
- A readiness audit by your 3PAO can be invaluable in understanding what FedRAMP will look like for you.
- You’ll need to identify the roles and responsibilities of each person within your system, and clearly define your system boundary as well as which services (including endpoints) fall outside that boundary.
Don’t modify the core FedRAMP templates; this is crucial!
- The templates were designed to be used by everyone. Don’t become a unique snowflake.
- If you change the templates, it will cause delays in your security evaluation because your agencies and the FedRAMP PMO will have to find information in new places.
Make sure ALL internal and external authentication uses multi-factor authentication (MFA).
- The FedRAMP requirements are clear on this: if you don’t have it, you won’t get an authorization!
Architect a system boundary around your most popular offerings, not your entire technical stack.
- We followed the Amazon approach.
- Phase upgrades and additional services into your authorization boundary as your customers need them.
Get help from industry experts to develop your package.
- Identifying any organizational knowledge gaps early will help tremendously; there are FedRAMP experts out there, so use them.
- We engaged technical writers with FedRAMP expertise to help us with our documentation.
Select a 3PAO auditor with proven experience.
- Experience is a huge asset when it comes to a FedRAMP assessment. It is tedious and requires a high level of detail.
- Don’t be afraid to ask 3PAOs how successful they have been in assisting CSPs through the process and what lessons they have learned from previous experiences.
We are extremely proud and excited to bring these tips to the FedRAMP community; we view all CSPs going through FedRAMP as partners. It is an honor to be the first Women-Owned Small Business (WOSB) to achieve FedRAMP Compliant status. Deciding to invest in the Administration’s Cloud First Initiative and FedRAMP was an achievable but challenging undertaking, and we believe it means big changes for NetComm and our customers. With FedRAMP, we are positioned to expand our services to help clients across the government manage their data in the government cloud environment, and we can’t wait to see how FedRAMP helps us get there!