What FedRAMP certifications could mean for private sector dealings

FedRAMP can show a company’s cloud offerings are ready for both the public and private sector.

For many companies that build cloud products, obtaining FedRAMP certification is a great way to ramp up public-sector deals—pun intended. But can FedRAMP also help those companies score private-sector business?

Onramp. The Federal Risk and Authorization Management Program, or FedRAMP, is a government program used to authorize cloud products and services for public sector use. It assesses cloud service providers’ security and, as of April, listed more than 500 authorized products.

Companies seeking FedRAMP certification for a product or service must go through a third-party risk assessment, and approval depends on the customer agency’s standards. Any inconsistencies, risks, or documentation gaps found by the agency’s review team must be addressed before a final review.

Sources like Elevate Consult recently reported that FedRAMP certification can cost anywhere from $150,000 to over $2 million, depending on the security controls, complexity, and scope needed for an organization to meet the requirements. That can include assessment and consulting fees, engineering costs, and more.

Private sector trust. In addition to authorizing cloud services for government use, experts suggest FedRAMP has another potential benefit: increasing trust in private-sector deals.

Matt Waxman, CPO of Precisely, a software and data strategy company that has completed the FedRAMP process twice, said FedRAMP adds another level of rigor to companies’ cloud offerings, which can make them more appealing to private sector customers.

“From our perspective, making that [FedRAMP] investment is a good one, not just for public sector business but for the broader market at large,” Waxman said. “Not all of that can be directly transferable, as you’re typically running within a government cloud environment, which isn’t available to the private sector. All the internal practices and processes that are put in place, those cover any customer of ours going forward.”

Waxman said the company chose to move forward with the certification, in part, because it will mean things to people outside of the public sector.

“In every deal, every contract with a customer, there is always a level of security compliance review that we go through together with the customer,” Waxman said. “Being able to refer to the FedRAMP authorization there is extremely helpful…because it brings external credibility to that third-party authorization and authentication.”

Rob McCormick, CEO of Avatara, a company that provides service solutions to federal government agencies, told IT Brew that if a private sector company aligns with FedRAMP’s authorization standards, that could boost confidence in the company’s security.

“It provides a really good rubicon for: This is what a real, mature security practice looks like,” McCormick said. “There’s over 500 controls in it, it’s very detailed, and there are assessors out there called…certified third-party assessment organizations that can assess for it and grant certification.”

On determining FedRAMP’s value. Ryan Steelberg, CEO of Veritone, a company that provides AI services for government agencies that conduct investigations and interact with public information requests, said that professionals need a clear understanding of the federal procurement process before investing in the certification.

“I do not believe FedRAMP will help you definitively accelerate your go-to-market, I think it’s a certification, it’s compliance,” Steelberg said. “People need to understand: find sponsorships first who wants to buy your products and services, and often those groups will be justification to have you then start adding that to your…budget for FedRAMP.”

For organizations solely considering FedRAMP to accelerate sales, Steelberg advised them to pause before incurring high costs for the certification process.

McCormick, however, suggested that while the authorization process is a “fairly large hurdle,” it’s the “only one I’ve seen that, if you go through it, you’re going to actually know that what you’re doing is working.”

“A lot of people think, ‘I’ve got a security standard, so I know I have my endpoint protection and my intrusion detection, all my boxes are checked,’ but they’re not doing the continuous review of all the different configurations,” McCormick said. “What FedRAMP does is bring a maturity level into that. That has a huge advantage, and in that, you can’t lie to yourself.”

About the author

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
