Xacta streamlines the FedRAMP journey, but the first step may be a hurdle.

Steve Horvath
Stephen Horvath
April 21, 2021 • 3 min read

The Federal Risk and Authorization Management Program (FedRAMP) is the process by which cloud service providers (CSP) obtain an authorization to sell as-a-service solutions to agencies and organizations of the U.S. federal government.  This process, predicated on the federal government’s traditional Authorization to Operate (ATO) process, is much more difficult than many initially think. 

While the ATO process is based on the NIST Risk Management Framework (RMF), it is implemented differently by each agency. FedRAMP was intended to change that for the cloud environment by standardizing the process for as-a-service solutions, whether infrastructure (IaaS), software (SaaS), or platform (PaaS). 

The first hurdle – establishing market demand

Despite the diligent efforts of the FedRAMP program management office (PMO), misconceptions remain.  One of the more ill-conceived notions is that FedRAMP is a checkbox security process that results in a license to sell throughout the federal government.  Many don’t realize the considerable cost and time it takes to get a FedRAMP ATO or provisional ATO (P-ATO).

Many struggle even to get into the program. Any organization contemplating the FedRAMP authorization process will do well to first conduct the appropriate due diligence on customer demand.  While Xacta has helped organizations streamline the FedRAMP process, often the greatest hold-up is a lack of agency sponsorship, which is necessary for ATO, or prioritization by the Joint Advisory Board (JAB), which is necessary for a P-ATO, primarily due to a lack of customer demand.

Xacta for FedRAMP

Once market demand is proven and agency sponsorship established, Xacta for FedRAMP will help you move through the process as quickly as possible. It will help you understand the process and assist in collecting the necessary information to build the body of evidence to support a FedRAMP P-ATO or ATO.  Xacta provides a simple way to ingest information, automate as much data collection and testing as possible, and automatically generate documentation needed for the authorization.  Of the fifteen documents that a CSP needs to build for their FedRAMP submission, the Xacta platform can automatically generate thirteen. The remaining two, the User Guide and the Separation of Duties Matrix, are authored by the product team.

Xacta supports a robust inheritance model, which enables organizations to consume and provide fully shared, partially shared, or hybrid controls.  Inheritance can be a force multiplier in streamlining the FedRAMP process when leveraging a control provider’s shared controls along with their recommended controls implementation (RCI).  This means that solutions can quickly and easily take advantage of shared and fully inherited controls from providers that leverage Xacta.  Using this method, many Xacta users have reduced the length of the ATO process from eighteen months to a few weeks.  And Xacta’s continuous monitoring features provide a major advantage in maintaining a FedRAMP authorization.

Getting a FedRAMP ATO or P-ATO is a major achievement, but keeping it is critical to success. An organization needs to continually evidence performance of the necessary updates or patches, scanning for vulnerabilities, and reviewing of logs for potential threats.  Xacta helps automate these activities to maintain a FedRAMP authorization. 

Steve Horvath
Stephen Horvath
Vice President, Strategy and Cloud
Stephen Horvath is the vice president of strategy and cloud at Telos Corporation.
Read full bio

Subscribe to Our Newsletter

Although we may use your information for targeted marketing and advertising, as described in the Privacy Policy, we will never sell your information to any third party.