FedRAMP Frequently Asked Questions (FAQ)

What is FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant agency security assessments.

Why would a Cloud Service provider want to pursue FedRAMP certification?

Cloud Service providers that want to provide their services to the Federal and many State and Local Governments will need to obtain the FedRAMP certification due to agency-specific rules and regulations.

How much does FedRAMP certification cost?

FedRAMP posts a lot of great information on their web site. Here’s a link to their article, “How much does it cost to go through FedRAMP?” The article breaks down each segment of the process and provides estimates for each.

Note: Costs do vary based upon several factors illustrated within the article.

What FedRAMP services does Aspiryon offer?

Aspiryon is a certified independent third party assessor (3PAO) within the FedRAMP program. We provide both consulting and assessment services. If we provide consulting services, we need to maintain our independent status and cannot provide assessment services.

Consulting

Documentation- We help document your system to the required FedRAMP standard. Our team has in-depth knowledge of the controls and how they are applied within several different types of cloud systems. We provide prioritized lists of Plans of Action and Milestones (POA&Ms) that allow you to make decisions to move forward.

Weakness Management and Remediation- We provide the necessary assistance to remediate weaknesses found within the system and documentation.

Monitoring- Once the system is authorized, FedRAMP requires ongoing monitoring of the system. Based upon the needs of the system, we develop a plan to work with you to ensure that the authorization is continued.

Advisory

Readiness Assessments- Readiness assessments give CSPs a report that identifies weaknesses in the system and its documentation, to prepare for the assessment for authorization.

Full 3PAO Assessment- FedRAMP requires that all CSPs have an assessment of the system conducted by an authorized 3PAO in order to obtain an authority to operate.