The Cost of a FedRAMP Assessment from a 3PAO Perspective

September 22, 2016, Abel Sussman, Director, TAAS – Public Sector and Cyber Risk Advisory, Coalfire recently published a blog titled ‘How Much Does It Cost to Go Through FedRAMP?’ As a FedRAMP Third Party Assessment Organization (3PAO), we wanted to provide additional factors for consideration for organizations that are evaluating or pursuing a FedRAMP authorization.

Historically, FedRAMP projects have a lot of variation in terms of cost and time. Industry estimates place the cost of projects between $75,000 and $3.5 million. It covers at least 325 security test cases as defined by NIST for a “Moderate” system and 421 security test cases for a “High” system.  Many of the costs listed by Mr. Goodrich, the Director of FedRAMP, stem from Cloud Service Providers (CSP) owning their own infrastructure (not outsourcing the IaaS) and bringing in outside expertise for engineering and other services. Under the new FedRAMP Accelerated program, the FedRAMP authorization can take as little as 3 months, although proper preparation can reduce that timeframe further, while the total cost will remain about the same, as the cost may be transferred from Assessment to the preparation.

Coalfire has performed the most FedRAMP Advisory and Assessments of any Third Party Assessment Organization (3PAO). In our experience with the previous approval process for FedRAMP, the majority of FedRAMP Assessments and the requisite JAB Review can be successfully completed for under $250,000 and within six months if a CSP takes preparation steps, including appropriately defining their system boundary, building security measures within the development lifecycle, and implementing industry best practices for security procedures. The new FedRAMP Accelerated program shows a great deal of promise in saving time for CSPs that go through a FedRAMP Readiness Assessment. Time and cost saving here is achieved by catching auditing issues early. Achieving FedRAMP Ready will allow CSPs to be listed on the GSA website and can be used for RFP documentation as meeting FedRAMP critical requirements. Additionally, CSPs should consider engaging with another FedRAMP 3PAO as part of their preparedness process in an effort to save time and money on the FedRAMP Assessment and JAB Review.  

Much of the variation in timing and price depends on the CSP solution size and familiarity with compliance frameworks. If the CSP has generated artifacts for other industry regulatory compliance or security assessments, such as security controls inventory, policies, and procedures, then a number of artifacts can be reused, which will shorten the pre-assessment cycle time. Most organizations rely on a third party to help guide them through the process, which saves both cost and time: cost, by building in the correct security requirements during development; time by efficiently creating documentation to the level of detail expected by FedRAMP auditors and providing experience in understanding federal feedback.

Examples of other industry regulatory compliance or security assessments are:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Federal Information Security Management Act (FISMA)
  • Service Organization Control (SOC) Reports (e.g. SOC 2, SOC 3)
  • ISO 9001 Quality Management Systems
  • ISO 27001 Information Technology Security Techniques
  • Health Insurance Portability and Accountability Act (HIPAA) Security
  • Capability Maturity Model Integration (CMMI)

The timeframe of the FedRAMP 3PAO Assessment is mostly dictated by the path chosen by the CSP for their federal partnership and readiness and ability to respond to comments throughout the Assessment. Generally, the timeframes for each of the authorization types are:

  • JAB P-ATOs: 3 – 6 months (as indicated by several FedRAMP Accelerated pilot programs)
  • Agency ATOs: 2 - 4+ months (historical tracking from Coalfire’s experience)

A FedRAMP project is an extremely detailed and complex process, as it is a multifaceted undertaking that requires the involvement of the entire organization—from senior leaders providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning and managing projects, to individuals on the frontlines developing, implementing, and operating the systems supporting the organization’s core missions and business processes. An organization needs to go beyond IT maintenance to a variety of corporate areas covering engineering, operations, human resources, training, physical security, project management office, data center operations, and vendor contracting to present their holistic security posture to outside auditors. A great first step is to perform a gap analysis comparing the system capabilities to the appropriate baseline controls as directed by the required confidentiality, integrity, and availability for federal implementation.

We encourage a CSP considering applying for a FedRAMP 3PAO Assessment to contact us to discuss developing a project plan for FedRAMP activities. You can reach out to Coalfire via our Contact Us page or email Nick Son, Coalfire’s VP of Public Sector and Cyber Risk management, at

Abel Sussman


Abel Sussman — Director, TAAS – Public Sector and Cyber Risk Advisory, Coalfire

Recent Posts

Post Topics