In this position the first step would be to find a 3PAO to complete a readiness assessment and subsequent audit …
If you are a cloud service provider and interested in obtaining work from the Government, they will only accept contracts from those companies who have successfully completed their FedRAMP certification.
Per FedRAMP.gov, the goals of FedRAMP are to:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards and accredited independent third party assessment organizations
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
Yes, FedRAMP is a security framework developed by the Federal Government along with industry professionals to align requirements for cloud service providers with those of the NIST framework. SOC 1 / SOC 2 are reports performed and issued under the SSAE 16 and AT 101 guidance, respectively; they were developed by the AICPA and apply to all third-party service providers, not just cloud-based ones.
A FedRAMP audit can be a costly project for an organization, so the risks and the benefits should be weighed carefully. Engagement fees are based upon the readiness of the organization along with the scope of the audit and the services provided.
A company should be prepared to pay a bare minimum of $15,000 for a comprehensive audit, but the cost could range upwards of $150,000 or more as audit time and complexity increase along with company size.
No, the audit can be performed by any accredited Third Party Assessment Organization (3PAO) of your choosing. The Federal Government defined the framework and the requirements but has privatized the accreditation process to qualified audit firms, so the only interaction with the Government may be providing them the report.