
If it's costing $15-$20M to get a FedRAMP ATO you are probably doing at least some things VERY wrong. A ton of the security controls you should already be implementing in ANY environment.

Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.

Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a LI-SaaS and then later a moderate ATO to encompass more of our products.

The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additional salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.

The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.



I work for an established SaaS company with a rather large and complicated system. For FedRAMP we had to build a new dedicated environment (because it was impossible to certify the existing one, which is hybrid and located in multiple countries), hire dedicated US personnel (agency requirements) and redo a bunch of internal processes to comply with FedRAMP controls.

I think the cost was around $15M.


This.


> I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls

That's kind of cheating, no? It's practical but "I moved the company to a hosting provider that already did all of the hard bits" understates the difficulty.


There is also a difference between a dozen VMs or containers that were developed in the last couple of years by a startup and a hybrid behemoth with "legacy tech" that is developed and supported by hundreds of people over decades.

The former you can lift and shift easily. For the latter it's a multimillion investment that takes a bunch of time to implement.



