Editor’s note: this blog post originally ran on Nov. 29, 2018. It has been updated.
The government, like most technology buyers, wants to move quickly to Software as a Service cloud solutions, but its heightened security and compliance requirements are a high-risk barrier to entry for potential SaaS providers.
All IT systems deployed for the U.S. government must have an Authorization to Operate, or ATO: a formal, written declaration that the system implements a standardized set of IT security controls. But getting to ATO can be an insurmountable obstacle for many independent software vendors, or ISVs, which lack the resources, expertise and time to manage these rigorous federal security and compliance standards effectively.
AWS, Rackspace, Telos and SecureIT are aiming to drastically reduce those barriers with new programs, which we walk through in our recent webinar, "Getting to FedRAMP Ready: What You Need to Know," now embedded below.
In late 2018, at its annual re:Invent conference, AWS announced "ATO on AWS," its strategy to greatly improve the ATO process for ISVs building on AWS by reducing time and cost. As ATO on AWS partners, Rackspace, software vendor Telos and the Third Party Assessment Organization (3PAO) SecureIT are joining forces to launch Rackspace Inheritable Security Controls, powered by Xacta, to simplify and accelerate our customers' FedRAMP ATO journeys. FedRAMP, the Federal Risk and Authorization Management Program, provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services, culminating in a provisional ATO, or P-ATO, from the FedRAMP Joint Authorization Board that any government agency can then reuse.
With Rackspace Inheritable Security Controls, ISVs can bring cloud solutions to the government quickly, in a clearly defined manner and without a major up-front investment. The program provides a low-risk path through FedRAMP in three affordable steps. Both ATO on AWS and Rackspace Inheritable Security Controls represent a significant departure from the traditional, consultant-led engagements typically required to deliver federally compliant solutions.
How we got here
The Federal Information Security Management Act, or FISMA, signed into law in 2002, defined a comprehensive framework for protecting government information, operations and assets against natural and man-made threats. The law requires program officials and the head of each agency to conduct annual reviews of their information security programs, with the intent of keeping risk at or below acceptable levels in a cost-effective, timely and efficient manner; granting ATOs is part of that process. But agencies quickly began implementing FISMA in their own unique ways, creating challenges for software vendors and systems integrators, who had to satisfy a different interpretation of the same requirements at each agency.
FedRAMP has gone a long way toward standardizing cloud security and compliance requirements and addressing some of these challenges, but even FedRAMP remains too complex, too time-consuming and too costly for many solution providers. Many ISVs end up walking away instead of bringing their innovation to the government.
To demystify the process and help companies understand how to get authorized, I recently joined Telos compliance expert Milica Green for our webinar, “Getting to FedRAMP Ready: What You Need to Know.” Now available on demand, we describe:
- How to organize your people and processes for success at the start.
- Which roles at your organization should be involved.
- How to manage your investment in your 3PAO service.
- How to leverage inheritance and automation to reduce time and cost and streamline compliance.
The express lane to ATO
Traditional paths to ATO can take more than two years and cost upwards of two million dollars in up-front investment, plus millions in ongoing costs. Much of this investment must be made before signing a single paying government customer. This high-risk, opaque journey full of unquantifiable costs can make it virtually impossible for ISVs to make the internal business case for doing business with the government.
Rackspace Inheritable Security Controls, powered by Xacta, provides three clear steps to affordable FedRAMP compliance:
Step 1: An Interactive Workshop with Rackspace, Telos and SecureIT, including 30-day access to Xacta 360, designed to produce a plan of action and uncover major impediments before the ISV makes serious time and resource commitments. Cost: $5,000.
Step 2: A 3PAO Gap Assessment that quickly identifies the application and corporate remediations an ISV must complete before pursuing FedRAMP authorization. Cost: $10,000.
Step 3: The ISV builds its FedRAMP Ready SaaS, inheriting hundreds of security controls already authorized by the FedRAMP Joint Authorization Board, provided by Rackspace and pre-documented in Xacta 360. Inheritance covers the platform layer; controls implemented in the ISV's own application, such as application-level access control and audit logging, remain the ISV's responsibility and must still be documented in its own system security plan. The costs of steps one and two are credited back to the ISV over the course of a year.
Our first Interactive Workshop is planned to launch in the first quarter of 2019. Watch this space for more details.
Security as a service across leading cloud technologies
Whether your organization is looking for help with FedRAMP or other security and compliance needs, Rackspace can assist. We are a web-scale managed service provider, delivering 24x7x365 hybrid-cloud management, operational support and security services as a packaged, on-demand, audited, pay-as-you-go service. You get the same commercial services that power the Fortune 100, in a compliance-ready state, with the additional security controls and governance your mission requires.
By turning to Rackspace, you get a team of unbiased experts across a range of leading cloud and infrastructure technologies, built on a compliance-ready framework and backed by ongoing managed operations, continuous monitoring, security services, living compliance documentation and audit assistance.