Get FedRAMP without a sponsor! 

Ensure Compliance with a FedRAMP-Authorized Solution For CMMC SSP Solution

We’re Fedramp High Ready!

Blog
/
Article

What Does it Take to Create a New FedRAMP Revision?

As the digital landscape evolves, robust security protocols are crucial for protecting data and system integrity. The U.S. FedRAMP program plays a key role. Periodic FedRAMP revisions ensure ongoing relevance, adapting to emerging security needs.

Kenny Scott
|
53
min read

In This Article

FedRAMP 20x Process

Tune in to hear Kenny Scott and Christian Hansen of Moss Adams talk all things Rev 5: 

The Dynamics of Decision-Making

Guidance and regulation, especially in the realm of cybersecurity, can often come across as complex. Behind each rule or suggestion lies a plethora of discussions, disagreements, and the pursuit of consensus.

It's a collaborative effort where experts, although well-intentioned, sometimes offer varying insights. This variation isn't necessarily due to inconsistency but because of the intricacies of the issues they're handling. In essence, the guidance provided today might evolve or shift depending on the latest data, technological trends, or security threats.

The Quest for Consensus

Achieving agreement is no easy task. Consider the process for updates or changes to FedRAMP guidelines. Government agencies like the Department of Defense, General Services Administration, and Homeland Security all have stakes in the game. Within these entities, various levels of decision-makers, from the CISOs to the CIOs, bring their perspectives, leading to a myriad of viewpoints.

At times, external events or pressing concerns (like national security threats) can redirect focus, causing a delay in consensus for other issues. Balancing these multifaceted interests and concerns is a testament to the complexity of the process.

Looking Ahead: The Implications of Change

As revisions to regulatory guidance, such as FedRAMP, take shape, organizations must remain proactive and agile. For instance, potential changes in directives, like the hypothetical 'red team' scenarios, can bring about significant operational shifts. It's crucial to evaluate organizational readiness – whether there are internal capabilities for new mandates or if external expertise is needed.

Conclusion

Creating a new FedRAMP revision is a monumental task, blending collaboration, consensus-seeking, and a keen understanding of the evolving digital landscape. While organizations await clear directives, they must also remain adaptive, ensuring they're well-positioned to act decisively once new guidance is rolled out. The dance between regulatory bodies and the entities they guide is intricate, emphasizing the need for patience, understanding, and proactive preparation.

Kenny Scott
Kenny is an accomplished leader with a two decade tenure in Information Security and IT Audit. He's widely acknowledged in the industry and has a profound dedication to it. In addition to his technical expertise, Kenny's portfolio includes substantial experience in business strategy, investment, and programming. On the personal side, Kenny is a devoted husband to Angie Scott and a proud father of five. A music enthusiast, he relishes playing the guitar and enjoys surfing when a beach is within reach.
Feb 2024
Related posts

Paramify blog

Interviews, tips, guides, industry best practices, and news.

Don’t Overspend on Your Gap Assessment: 4 Common Mistakes to Avoid

A gap assessment identifies security gaps between your current state and compliance goals like FedRAMP or CMMC. Paramify’s 45-60 minute process delivers a dashboard to guide implementation, track progress, and automate documentation.
Read post

Top FedRAMP 3PAO Assessors to Use With Paramify

Find the best audit partner for your FedRAMP authorization with this list of the top 8 3PAO assessors, perfectly paired with Paramify to accelerate your compliance journey and save time and costs.
Read post

What are FedRAMP POA&Ms? Plan of Actions and Milestones Explained

POAM (Plan of Actions and Milestones) are vital for risk management and cybersecurity. It's a strategic roadmap for identifying, tracking, and resolving vulnerabilities and non-compliance, ensuring organizations maintain security and compliance.
Read post
View all posts
Once authorized, can I sell to any federal agency?

Yes — authorization can be reused by multiple agencies via the FedRAMP Marketplace, but some agencies may request additional requirements.

How is FedRAMP 20x different from traditional FedRAMP?

20x introduces automation, key security indicators (KSIs), continuous monitoring validation, and streamlined authorization (sometimes without sponsor requirements).

Compare KSIs to Rev 5 controls

What are the most common reasons for delays or failures in FedRAMP authorization?

Incomplete documentation, insufficient evidence, failing initial gap assessments, lack of executive support, and underestimating resource requirements.

How to create the most accurate documentation for audit success

What's the difference between FedRAMP and other frameworks (SOC 2, CMMC, ISO 27001)?

FedRAMP is U.S. government-specific and NIST-based, more prescriptive and granular than commercial standards.

How do inherited controls from my cloud infrastructure provider (e.g., AWS, Azure, GCP) work?

FedRAMP allows CSPs to “inherit” controls from IaaS providers; you must document and verify this inheritance with shared responsibility models.

What kind of technical controls are required under FedRAMP?

Controls follow NIST SP 800-53 Rev 5 (with additional FedRAMP overlays) — covering access control, incident response, risk assessment, configuration management, etc.

→ Get your custom accelerated FedRAMP implementation roadmap

How often do I need to update and submit security documentation?

At minimum: 

  • Monthly POAMs and vulnerability scans
  • Annual security assessments
  • Ad hoc submissions for significant changes.

What is a POA&M?

Plan of Action and Milestones: a document tracking remediation plans for open vulnerabilities, findings, and compliance issues.

→ Learn more about POAMs

What is continuous monitoring (ConMon) and why is it important?

ConMon involves ongoing assessments, vulnerability scanning, reporting POAMs, and keeping security posture current post-authorization.

What documentation is required for FedRAMP?

Major deliverables include a System Security Plan (SSP), Security Assessment Plan (SAP), Security Assessment Report (SAR), Plan of Actions and Milestones (POA&M), Continuous Monitoring (ConMon) documentation, policies/procedures, and more.

Do I need an agency sponsor?

Yes, for now. But, agency sponsorship requirements are evolving — FedRAMP 20x does not require a sponsor.

How do I pick the best 3PAO for my project?

Consider experience with similar environments, references, price, and knowledge of specific cloud implementations.

Find the best assessor for your CSP with these tips

What is a 3PAO?

A Third Party Assessment Organization is an accredited independent assessor that conducts key security testing and assessment for FedRAMP. 

→ Find a recommended 3PAO

How much does FedRAMP Authorization cost?
  • Initial costs range from ~$150k to $3M+ for gap assessments, remediation, 3PAO audits, and documentation/reporting. 
  • Annual costs can range from $50k to $1m to maintain documentation, do continuous monitoring, and resource allocation. 

→ Learn more about what FedRAMP could cost your organization and whether or not it’s worth the effort

How long does it take to achieve FedRAMP Authorization?

Typical processes take 6–24 months. Paramify accelerates the process to take between 1-10 months with a fully prepared package in less than a month. 

Your timeline will vary depending on your impact level, whether you take a manual or automated approach to implementation & documentation, and PMO wait times.

→ Learn about the FedRAMP Authorization process and what it costs.

What’s the difference between FedRAMP Ready, FedRAMP In Process, and FedRAMP Authorized?
  • Ready: Preliminary review for capability and documentation.
  • In Process: CSP is actively working toward authorization, usually with an agency sponsor or as part of the JAB program.
  • Authorized: Successfully completed security assessment and continuous monitoring.
What are the different impact levels for FedRAMP?

Low, Moderate, and High — based on the type and sensitivity of federal data hosted (FIPS 199 categories: confidentiality, integrity, availability).

→ Get the details on impact level to know which impact level is right for you.

Do You Need FedRAMP?

Any cloud service provider (CSP) that wants to sell cloud products or services to U.S. federal agencies must be FedRAMP authorized.

→ Learn more to find out if FedRAMP is a good choice for your cloud-based business.

What is FedRAMP

FedRAMP stands for the Federal Risk and Authorization Management Program; it standardizes the security assessment, authorization, and continuous monitoring for cloud products and services used by U.S. federal agencies.

How long will it take to generate my SSP?

If you’re new to FedRAMP: The time required depends on how long it takes to implement your security controls. With Paramify’s living gap assessment dashboard, you can build your compliance roadmap and generate documents instantly with one click.

If you’re already FedRAMP authorized: It can take as little as 3.5 hours or up to a week.

Can you help me transition from NIST 800-53 Rev 4 to Rev 5?

Yes! No one will help you transition to FedRAMP Rev 5 as affordably and painlessly as Paramify. Learn how you can make a seamless, inexpensive transition to Rev 5.

Can I use my existing SSP?

Yes, we offer this service and have provided it for many clients. Most of our customers, including those for whom we’ve ingested their SSP, have found that starting from scratch and adopting the full power of Risk Solutions was the better option.