Why Become FedRAMP Ready?
When the FedRAMP PMO introduced FedRAMP Accelerated last year, it also introduced an evolution of the readiness designation for Cloud Service Providers (CSPs): FedRAMP Ready. This designation now indicates that a Third Party Assessment Organization (3PAO) attests to a CSP’s readiness for the authorization process, and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP PMO. The RAR documents the CSP’s capability to meet FedRAMP security requirements.
CSPs benefit from the RAR and becoming FedRAMP Ready in several ways:
P-ATO Requirement: An approved RAR is required for any CSP pursuing a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) and is highly recommended for an Agency Authority to Operate (ATO). While becoming FedRAMP Ready is not a guarantee that a CSP will become authorized, achieving FedRAMP Ready status provides a greater likelihood of success in the authorization process as the government has a clearer understanding of a CSP’s technical capabilities. Additionally, being FedRAMP Ready is a heavily weighted criteria to be selected to work with the JAB toward a P-ATO. CSP’s interested in entering the authorization process should consider that FedRAMP Ready status is valid for one calendar year after designation from the FedRAMP PMO.
FedRAMP Marketplace Listing: CSPs that achieve the FedRAMP Ready designation are listed on FedRAMP’s Marketplace. Agencies use the FedRAMP Marketplace to research cloud services that meet their organizational requirements. If a CSP is interested in pursuing government clients, becoming FedRAMP Ready makes available valuable information about the service offering’s security for potential Agency customers, via the FedRAMP Marketplace.
Self Assessment: For CSPs who are considering whether or not to become FedRAMP authorized, the RAR can serve as a self assessment to determine what gaps in their service offering’s security exist and where those gaps might be. Such information can help CSPs understand the level of effort necessary to secure their system(s) according to FedRAMP requirements, prior to pursuing an ATO with an Agency. The Readiness Assessment Report Template for High and Moderate systems can be found on the Templates page of fedramp.gov.
If you have questions about becoming FedRAMP Ready, the Readiness Assessment Report, partnering with a 3PAO, or the FedRAMP authorization process in general, please contact the FedRAMP PMO at firstname.lastname@example.org.