Matt Goodrich, director of the Federal Risk and Authorization Management Program at the General Services Administration, has said a mid-range cloud service provider would incur a total median cost of $2.25 million in order to get a FedRAMP authorization.
Goodrich wrote in a blog entry posted Thursday that a CSP would need to spend an additional $1 million on an annual basis to perform continuous monitoring operations once the FedRAMP certification is achieved.
The cost analysis is based on four CSPs that went through the old FedRAMP process for their software-as-a-service and infrastructure-as-a-service platforms, he said.
According to the analysis, the FedRAMP process’ baseline costs include documentation, evaluation by a FedRAMP-accredited third-party assessment organization, Joint Authorization Board review and engineering costs associated with the need to execute technical modifications to a cloud platform in order to meet FedRAMP requirements.
Goodrich noted that costs associated with the previous process prior to the launch of the FedRAMP Accelerated system also range between $500,000 and $4 million.
He said such large variances in costs are driven by several factors, such as the employment of external consultants to help with the documentation process, engineering costs and the length of 3PAO assessments.