A FedRAMP Authorization to Operate (ATO) is a high industry standard for SaaS security — prohibitively high, in the case of most independent software vendors. A necessity for the federal government since 2011 and increasingly sought by state and local agencies as well, compliance can lead to millions of dollars in contracts for SaaS providers, but it can also take two years and more than $1 million to achieve, according to a 2017 report from third-party assessment organization Coalfire.
In effect, the process prohibits federal government clients from accessing a majority of the cloud innovations out there.
As described in a news release this week, Rackspace’s new program, RISC (Rackspace Inheritable Security Controls), uses automation and cyber-risk management capabilities, built upon Telos Corp.’s risk-compliance automation software Xacta, to make FedRAMP ATOs more achievable. The program is meant to effectively make a company ATO-ready — compliant, in other words.
Rackspace Director of Government Solutions Brad Schulteis described three steps by which RISC guides clients through costs and requirements associated with FedRAMP compliance:
- A day-long workshop about FedRAMP, its requirements and the process, so customers know what they’re getting into and can make informed decisions when proceeding to the next steps. These take place at Rackspace’s government headquarters in Reston, Va., with the goal of producing a compliance project plan to achieve authorization.
- A “gap assessment” led by accredited 3PAOs (Third Party Assessment Organizations) who examine about 25 common problems that prevent FedRAMP authorization.
- A list of what needs to be remediated, how much it will cost and how long it will take.
While Schulteis said the overall cost of this process is still widely variable depending on how much work a client’s SaaS needs, he said the up-front cost of the first two steps is $5,000 and $10,000, respectively. He added that RISC is cheaper for a company than investing in designated staff, software, training, security and consulting to achieve a similar result, and some clients can achieve an ATO in four months’ time.
“If you signed up on your own for a gap assessment that looks at the whole suite of your capability, those are typically going to be about $80,000 to $100,000,” he said. “We’re able to deliver that at $10,000, because the people delivering that gap assessment know what to look at and what not to waste their time on.”
Schulteis said it’s been two years since Rackspace started working with the public sector, and RISC is the result of the complaints about FedRAMP compliance it has heard in that time. Pointing to the relative ease of use and maintenance that makes SaaS tempting to government — as well as the massive gap between what’s available to government versus the private sector — he said RISC could bring thousands of new software vendors into the gov tech market.
“Today there are only 96 [FedRAMP] authorized SaaS solutions, and there are about 12,000 SaaS solutions in the public market. So all of this innovation going on in the cloud space, in the SaaS environment, is really where enterprise wants to be,” he said. “Everyone wants to consume a SaaS solution because it’s turnkey, and I can use it. … By enabling lots more companies that maybe don’t understand this process or get through it on their own, we’re delivering that innovation to the government, and everyone is hopefully winning because of that.”