1. Engineer costs - A PaaS at the high baseline will likely implement 300+ controls. It's been a while since I looked at an IaaS CSP's FedRAMP package, but they typically implement roughly 100 fully implemented controls. The rest is on the customer to fully implement or engineer completely. Likely 300K-500K worth of engineering costs.
2. Assessment - 3PAO assessor will likely be 100K-200K. Most first-time CSPs may require more than 1 assessment as the process is usually (1) Assess (2) Submit to FedRAMP PMO (3) they provide feedback (4) limited time to implement. If you cannot implement in sufficient time, you'll have to reassess. Note, unless you are AWS, Azure, Google, FedRAMP PMO may not prioritize you without sufficient customer support. As a result, your contract with your 3PAO may have expired. You'll need to bring them in again.
3. Documentation experts – There’s an art to generating the FedRAMP package. Engineers typically aren’t good at it, and it often requires one level of abstraction above internal technical documentation. Having technical writing experts that know how to communicate the security implementation without diverging too much is a skill set. You share the bare minimum to get compliance, as there’s business risk from sharing too much (sharing implementation details with a competitor or untrusted source). Also, the more technical details there are, the more audit questions often arise.
4. Control Implementation SMEs – Often your engineers don’t know how to implement a required security control or don’t know what the compliance people really want. Many CSPs hire a 3PAO assessor to advise you on how to implement. This cannot be the same 3PAO assessor that audits you.
5. Conflict between product/feature value versus control implementation - Sometimes a value or feature of your product directly conflicts with a control requirement. A good example is a CMS PaaS (WP as a service or Drupal as a Service). Those CMSs often support user code, or user code that spawns processes. The high baseline requires process whitelisting. Solving this problem while not destroying that feature can be difficult or expensive.