We Achieved FedRAMP … and Lived to Tell the Tale

Kevin Schatzle

Recently, collab9 became the first UCaaS provider to secure authorization from FedRAMP’s Joint Authorization Board. After dedicating company time, resources and focus to the assessment for roughly two-and-a-half years, I can say in hindsight that the authorization is the single greatest achievement in our company’s history, and the investment was well worth it.

Still, while the benefits of achieving FedRAMP are clear, I’d be remiss not to mention the challenges. The 30-month evaluation process was an arduous one that required immense effort, focus and persistence from leadership and technical staff. However, we knew what we were signing up for. FedRAMP’s reputation precedes it, and we’ve all heard the cautionary tales:

  • It’s an expensive and time-consuming process.
  • The requirements are complex and a challenge to adhere to.
  • You could invest the time and money and come up short, no better off than when you started.

All of these are true, but for those of you brave enough to persist, I’d pose the question: When you consider the nature of the framework and the highly classified nature of some federal government data, would you expect anything different?

Here are some lessons learned:

The folks at FedRAMP do strive to make things as easy as possible. It’s smart to get guidance and input from FedRAMP’s project management office, and it was key to closely align with the FedRAMP PMO from the start.

What about the cost? While I can’t share our company’s investment, a blog published on the FedRAMP website estimates that the median cost for a mid-range cloud service provider to achieve a FedRAMP authorization is $2.25 million. Undeniably, FedRAMP is an expensive endeavor. If you have the opportunity to be among the first in your category to achieve authorization, that is of value. I know the return will significantly outweigh the cost for us, but that may not be true for everyone.

Outside of the hard expenses, there was a personnel and opportunity cost investment. We hired new resources, focused a team of employees on the project, and trusted that the time, budget and attention would prove more fruitful than if they were dedicated elsewhere.

In terms of time, FedRAMP estimates that authorization takes 11 to 18 months on average; we invested two and a half years in the project overall.

There are a couple of different routes to FedRAMP Authorization. A few months before we received the authorization, we gained sponsorship from the Federal Communications Commission. For us, that greatly expedited the process. Once the FCC sponsored us, we accomplished authorization in six months, the fastest on record. We also benefitted from the involvement of an independent third-party assessment organization, which helped us prepare for the audit performed by FedRAMP’s 3PAO. FedRAMP’s security requirements are incredibly complex, and can prove difficult to understand at times, so the outside expertise of the 3PAO was a great asset that helped us succeed in the audit.

Looking back at our experience, I have the utmost respect for FedRAMP and its contributions to the advancement of government technology. FedRAMP offers a great service to federal agencies, which no longer have to spend time and money performing independent vendor evaluations.

I believe FedRAMP and its security-assessment framework are also of great value to vendors – like collab9 – and their channel partners. It’s no secret that cloud-security concerns were pervasive in government and, as a result, cloud adoption among agencies has been delayed at best. FedRAMP helps remove some of that reticence, making it easier for government agencies to migrate to the cloud.

Kevin Schatzle has over 28 years’ experience in the IT industry and is currently CEO of collab9.

