The True Costs of Self Compliance for SLED Organizations

Most government agencies spend roughly 80 percent of their total IT budget to maintain legacy systems, according to the federal Government Accountability Office.

Yet too many are turning to “custom-developed solutions that are more expensive, not as functional, take longer to implement and lock the government into the trap of never-ending modernization cycles,” according to an article in FCW last year that remains all too relevant today.

What those agencies should be doing, wrote Adobe VP public sector CTO John Landwehr, is “consider the total cost of ownership and commercially proven technology as the first choice when making procurement decisions.”

Landwehr goes on:

“The commercial sector often delivers superior digital experiences that are easier to maintain over time for less money while providing support and maintenance, thereby reducing the demand on the government IT workforce. Leveraging proven commercially available technologies that have been deployed at scale and incorporate years of innovation will create the most operationally efficient government. At the end of the day, the focus must be on acquiring the best solution to meet the long-term needs of government and the people it serves.”

That’s exactly what many state, local and educational organizations are doing: moving to the cloud to reduce total IT cost of ownership, while at the same time developing the kinds of online services citizens and students are clamoring for.

But barriers remain, not least of which is the cost of compliance. Many SLED agencies are being held to the standard of federal agencies in terms of FedRAMP compliance. These agencies must carefully consider the high cost of building compliant infrastructure in-house vs. leveraging a third-party provider.

The cost of compliance

When it comes to compliance with frameworks built on National Institute of Standards and Technology (NIST) guidance, including the Federal Information Security Modernization Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP) and Criminal Justice Information Services (CJIS), there are a number of cost variables to consider. In late 2016, FedRAMP Director Matt Goodrich attempted to break out the typical costs of FedRAMP certification and sustainment in a blog post. Acknowledging that the size, complexity and scope of services of the systems varies greatly, making a true comparison difficult, he still came up with these average costs:

  • Engineering
    • $1.1 million average cost: associated with implementing technical changes to a system to meet federal requirements at the moderate impact level (e.g. FIPS 140-2 encryption, PIV/CAC for authentication, etc.)
  • Documentation
    • $400,000 average cost: associated with documenting the system in policies and procedures, the system security plan, incident response plan, etc.
  • 3PAO assessment
    • $500,000 average cost: associated with the independent assessment by a FedRAMP Accredited 3PAO including the development of a test plan, onsite assessment, creation of the security assessment report and briefings to authorizing officials.
  • FedRAMP JAB review
    • $250,000 average cost: associated with updates required due to meeting the JAB requirements (e.g. areas where a cloud service provider didn’t fully meet the FedRAMP requirements prior to entering the assessment process).
  • Continuous monitoring
    • $1 million average cost: yearly ongoing costs associated with monthly vulnerability scans, POA&M management, significant changes and annual assessments.

This equates to roughly $2.3 million to achieve compliance, and another $1 million annually just to maintain compliance with the FedRAMP standard. For federal organizations, these costs may be well within budgetary constraints, but for most small government and education organizations the cost of self-compliance is simply too high to attempt with in-house resources.

Organizations with high compliance requirements that are serious about moving to the cloud can avoid the lion's share of these costs by utilizing a pre-existing FedRAMP authorized platform.

Considerations when moving to an off-premise solution

In addition to the high cost of maintaining legacy systems, local organizations must also take into consideration the cost of liability tied to managing security and compliance in-house. By leveraging an off-premise solution, SLED organizations can effectively transfer the majority of the risk of maintaining that compliance to a third party, thus reducing their overall liability should there be a breach or attack.

There are some perceived “speed bumps” organizations will need to overcome internally before outsourcing security and compliance. For example, leadership will need to address the obvious question of control. With a move to an off-premise solution, leadership must be willing to accept the fact that they won’t have the same level of visibility that existed when the data was hosted on-prem.

However, compliant managed service providers will provide customers with visibility, access, and orchestration of their infrastructure via a web portal interface — often giving organizations more visibility than they had on-prem, thanks to the industry-leading tools and solutions offered by the chosen managed service provider.

As with any migration, not all pre-existing applications will be cloud friendly. Organizations must take into account critical apps running on the legacy infrastructure and determine acceptable courses of action before migration activities can commence. Working with an experienced service provider with migration expertise is essential to reducing or even eliminating this risk.

Typically, budget-constrained SLED organizations find relief in shifting from a capital expenditure (CapEx) model to an operational expenditure (OpEx) model for infrastructure spending. An off-premise solution can dramatically reduce the number of resources needed to manage a solution. By tapping into the managed service provider’s experience and expertise, organizations can more effectively re-direct those resources to focus on citizen and/or student services.

How to get there from here?

Once an organization has made the decision to move away from an on-premise solution, it must then navigate the potentially tumultuous waters of a migration. The complexity will be greater for some organizations than others, depending on the number of legacy applications and solutions that must be refactored and migrated.

Rackspace is uniquely positioned today to help organizations with rigorous compliance and security needs considering a move to the cloud. With Rackspace you get a team of unbiased experts across a range of leading cloud and infrastructure technologies, built on a compliance-ready framework and backed by ongoing managed operations, continuous monitoring, security services, living compliance documentation and audit assistance.

For more information, download our free, in-depth TCO analysis of on-premises vs. managed hosting services, or visit our website to learn more about how Rackspace IT Solutions for State and Local Organizations can help your organization.

Jeff Valdes supports Rackspace Government Solutions; he is responsible for state and local government strategy and business development. Before joining Rackspace in 2013, he spent five years as a technology consultant to the Department of Defense, directly supporting various agencies and military branches. Before that, he spent nine years on active duty as a Naval officer and attack helicopter pilot. Jeff is a certified business continuity professional with an MA in IT Technology Management from Webster University and a BA in Marketing from Cedarville University.
