The government, like most large organizations, wants to move quickly to Software as a Service (SaaS) cloud solutions, but its heightened security and compliance requirements are a high-risk barrier to entry for potential SaaS providers.
All IT systems deployed for the U.S. government must have an Authority to Operate, or ATO: a formal, written decision by an agency authorizing official to accept the risk of running the system, made after the system's implementation of a standardized set of IT security controls has been assessed. But getting to ATO is an insurmountable hurdle for many independent software vendors, or ISVs, which lack the resources, expertise and time to effectively manage these rigorous federal security and compliance standards.
AWS, Rackspace and Telos, however, are aiming to drastically reduce those barriers with two new programs.
Earlier this week at its annual re:Invent conference, AWS announced “ATO on AWS,” its strategy to improve the ATO process for ISVs using AWS by reducing time and cost. In parallel, Rackspace, in partnership with Telos, is launching our FedRAMP Bypass program to simplify and accelerate our customers’ FedRAMP ATO journeys. FedRAMP, the Federal Risk and Authorization Management Program, provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. It culminates in either an agency ATO or a Joint Authorization Board provisional ATO (P-ATO), and a P-ATO can be reused by any government agency as the basis for its own authorization rather than each agency assessing the service from scratch.
With Rackspace FedRAMP Bypass, ISVs can bring cloud solutions to the government quickly, in a clearly defined manner, and without a major upfront investment. The program provides a low-risk path through FedRAMP in three affordable steps. Both ATO on AWS and FedRAMP Bypass represent a significant departure from the traditional, consultant-led engagements typically required to deliver federally compliant solutions.
How we got here
The Federal Information Security Management Act, or FISMA, signed into law in 2002, defined a comprehensive framework for protecting government information, operations and assets against natural and man-made threats. The law requires program officials, and the head of each agency, to conduct annual reviews of their information security programs, with the intent of keeping risk at or below specified acceptable levels in a cost-effective, timely and efficient manner, and it makes granting ATOs part of that responsibility. But agencies quickly began to implement FISMA in their own unique ways, creating challenges for software vendors and systems integrators, who had to satisfy a different interpretation of the same requirements at each agency.
FedRAMP has gone a long way towards standardizing cloud security and compliance requirements and addressing some of these challenges, but even FedRAMP remains too complex, too time-consuming and too costly for many solution providers. Many ISVs end up walking away instead of bringing their innovation to the government.
The express lane to ATO
Traditional paths to ATO can take more than two years and cost upwards of two million dollars in upfront investment, plus millions in ongoing investment. Much of this must be spent before inking a single paying government customer. This high-risk, opaque journey full of unquantifiable costs can make it virtually impossible for ISVs to make the internal business case for doing business with the government.
Our new FedRAMP Bypass provides three clear steps to affordable FedRAMP compliance:
Step 1: An Interactive Workshop with Rackspace and Telos, including 30-day access to Xacta 360, designed to create a plan of action and uncover major impediments before the ISV makes serious time and resource commitments. Cost: $5,000.
Step 2: A Gap Assessment that quickly identifies the application and corporate remediations an ISV requires before pursuing FedRAMP authorization. Cost: $10,000.
Step 3: The ISV builds and authorizes its SaaS, leveraging Rackspace FedRAMP Security as a Service, our Joint Authorization Board (JAB)-authorized managed security and compliance services. The costs of steps one and two are credited back to the ISV over the course of a year.
Our first Interactive Workshop will launch in the first quarter of 2019. Sign up today to be notified about early access registration.
Security as a service across leading cloud technologies
Whether your organization is looking for help with FedRAMP or other security and compliance needs, Rackspace can assist. We are a web-scale managed service provider, delivering 24x7x365 hybrid-cloud management, operational support and security services as a packaged, on-demand, audited and pay-as-you-go service. You get the same commercial services that power the Fortune 100, in a compliance-ready state, with the additional security controls and governance necessary for your unique mission.
By turning to Rackspace, you get a team of unbiased experts across a range of leading cloud and infrastructure technologies — built on a compliance-ready framework and backed by ongoing managed operations, continuous monitoring, security services, living compliance documentation and audit assistance.