Did you know that over 30% of FedRAMP Cloud Service Providers (CSPs) are small businesses? When this statistic is shared across industry and the federal community, people are quite surprised — and pleased! Because small businesses represent such a significant component of FedRAMP, the program's organizers recognized that they needed to engage directly with the small business community to gather feedback and improve the program.
The convenor of FedRAMP, the General Services Administration (GSA), recently reached out to more than 40 small businesses engaged with FedRAMP to hear their feedback, learn about their experience with FedRAMP, and gather best practices to share across the small business CSP community. These CSPs spanned all stages of the FedRAMP process: In-Process, Ready, and Authorized.
From these meetings, GSA learned that most of the best practices for achieving a FedRAMP ATO are the same for both large and small CSPs. For example:
- Be prepared and utilize the Readiness Assessment Report,
- Engage early and often with the FedRAMP PMO, and
- Know the ins and outs of your system.
However, during our interviews, small businesses that have made it through FedRAMP repeatedly pointed to three differences that are unique to their experience:
Bigger Impact to Resources – But More Agile Teams
Pursuing and maintaining a FedRAMP Authority to Operate (ATO) requires proportionally more resources from a small business: it needs a team with specialized skillsets, and it must bear the costs of hiring a Third Party Assessment Organization (3PAO). As a result, staff often wear multiple hats and blend several duties into their role, which means resource allocation has to be monitored carefully. Yet the organizational structure of small businesses can also provide advantages. For example, teams don't operate in silos and CSPs don't have to navigate bureaucracy. With more centralized decision making and fewer layers of management, the process can go faster.
Levels the Playing Field During Acquisition
Additionally, having a FedRAMP Authorization levels the playing field for acquisitions, as some Federal Agencies choose to require a FedRAMP ATO in their competitive procurement process.
Finally, being FedRAMP-Authorized can enhance a company's internal security processes and rigor across all of its products — not just those that are authorized — raising the security standards applied to every system and increasing overall system maturity.