More details on FedRAMP
We recognize the federal government sales process can be a maze, especially for first-time contractors. This guide should help you get acquainted with the steps you must take to sell your software.
Do I need FedRAMP?
All cloud software interacting with federal systems or managing federal information must comply with FedRAMP. If you have a SaaS offering of any variety, you will need FedRAMP certification.
Step One: Integrate controls
Summary
To achieve compliance, it is critical to determine your system’s specific requirements and build these into your architecture. Be mindful of the complexity and specificity of these requirements, as they can be intricate and challenging to navigate.
Selecting your "threat level"
Depending on what you’re building, you will need to select your FIPS 199 classification. This classification indicates how “risky” your software is when used by the government.
• Low: Minimal impact; typically requires minimal security measures.
• Moderate: Significant adverse effects, though not life-threatening.
• High: Severe or catastrophic impact, including potential loss of life.
Government agencies often default to a Moderate classification for most systems. Avoid selecting Low unless you can thoroughly justify your decision to government stakeholders, as this classification will be subject to additional scrutiny.
Software integration
Once you’ve selected a classification, you can begin reviewing the security controls you will need. NIST SP 800-53 (rev 5) is the single source of truth for all controls, providing prescriptive guidance on what needs to be implemented where. You can determine which controls apply to you based on your classification using this spreadsheet.
Beware of using any non-compliant software. This includes vulnerability scanners, external APIs, etc. Such components will be subject to considerable additional scrutiny.
Where Archon helps
Archon SDK for Government provides pre-configured modules for implementing critical controls, including user authentication, logging, and access management. These modules are developed in alignment with NIST SP 800-53 requirements, enabling seamless adoption of necessary controls while reducing the complexity of custom implementation.
What else can I use?
FedRAMP places significantly more scrutiny on non-compliant APIs or other tools you may use in your environment. As a rule of thumb, avoid any software without a preexisting authorization. However, more software may be compliant than you would expect! If you're using Archon, AWS services are the easiest to integrate. See their Services in Scope page for more info.
Step Two: Write a system security plan
After integrating your security controls, the next step is to demonstrate that your system fully aligns with FedRAMP’s stringent requirements. This is done through a System Security Plan (SSP). The SSP explains, in meticulous detail, how each control has been implemented. For every control, you’ll write 1-3 paragraphs describing how your system meets the requirement and why it should be approved.
In addition to the narrative sections, the SSP requires diagrams, analyses, and other technical artifacts that support your implementation. These might include network diagrams, data flow diagrams, contingency plans, risk assessments, and more. For reference, you can explore FedRAMP’s Moderate Baseline SSP Template.
Archon customers can take advantage of our document infrastructure when using SDK for Government. We use a team of human experts as well as AI-enhanced drafting to create policies and plans quickly and accurately. Existing customers should check their dashboard for more information.
Your SSP is the most important document for government customers. It’s a living document, meaning that it must be continuously updated every time a change happens to your system. It is also the most heavily scrutinized during audit and procurement.
Once your SSP is complete and compliant processes are in place, it’s important to begin operating your system as soon as possible. You’ll need to collect at least 90 days of operational evidence (e.g., monitoring logs, incident reports, access controls in action) to prove that your controls are effective over time.
Step Three: Third Party Audit
Summary
Submit your System Security Plan (SSP) and system code for review by a FedRAMP-approved Third Party Assessment Organization (3PAO). They will conduct a thorough review, including penetration testing, to evaluate your system’s security and compliance.
The process
After finalizing your SSP, you’ll need an approved 3PAO to validate your system and documentation before progressing to the FedRAMP office. This process begins with the 3PAO reviewing your SSP and preparing a Security Assessment Plan (SAP), which outlines how they’ll evaluate your system. Once you approve the SAP, the 3PAO initiates their assessment. This typically includes:
• Penetration testing to identify security vulnerabilities.
• Code review to ensure it adheres to FedRAMP requirements.
• Documentation review to confirm alignment between your SSP and system implementation.
• Personnel interviews to assess organizational security posture and processes.
For a deeper understanding of how testing is conducted, refer to NIST 800-53A, which provides detailed guidance on assessment methods.
The outcome
Once the assessment is complete, the 3PAO will issue a Security Assessment Report (SAR), summarizing their findings. They’ll also highlight any issues that require remediation.
• Minor issues: These are typically straightforward to address without significant delays.
• Major issues: These can stall progress and may require substantial system changes.
You’ll need to update a critical subdocument of your SSP, known as the Plan of Action & Milestones (POA&M). This document outlines any weaknesses discovered during the audit and your plan to mitigate them. The POA&M will remain a key part of your documentation as it must be continuously updated with progress on resolving identified issues.
Step Four: Send results to FedRAMP
Summary
Once your 3PAO completes their Security Assessment Report (SAR), your entire documentation package—including the SSP, SAP, SAR, and POA&M—must be submitted to the FedRAMP Project Management Office (PMO) for final review.
You need a federal customer to sponsor you before beginning this process. You cannot join the queue without a sponsor.
PMO review process
After submission, your package will be placed in the PMO’s review queue. Once it reaches the top, the PMO will verify all implemented controls and assess the 3PAO’s findings to ensure compliance.
This step is highly rigorous, as the PMO rechecks controls and documentation to ensure everything meets FedRAMP’s exacting standards. If issues are discovered during this review, they can cause significant timeline delays—errors caught by the PMO can take weeks or even months to resolve.
The outcome
If your package passes the PMO review without issues, you will receive a favorable determination from the 3PAO and the FedRAMP PMO. This officially designates your product as FedRAMP Authorized, allowing it to be procured by any federal agency. This designation is a significant milestone, opening the door to working with government customers and signaling that your system meets the highest security and compliance standards.
Step Five: Receive your Authority to Operate (ATO)
Once you’re authorized, your contracting agency can move you through the process to receive an ATO. This process depends entirely on the agency you’re selling to, with timelines ranging from 1 month to 3 years. Refer to agency contacts for more info.
Step Six: Continuous Monitoring
After beginning to operate your software, you will need to monitor it for issues in a defined process called Continuous Monitoring (ConMon). This process has many intricacies that are likely not relevant at your company’s stage, but feel free to look at more details from the FedRAMP office. Archon customers should contact their representative for more information.
At what point do I need a federal customer?
It depends. And it’s also about to change.
As of right now, there are two paths. One is via the Joint Authorization Board (JAB), which doesn’t require an agency customer. However, the JAB requires “significant demonstrated or potential demand” for software providers to use this process. See here for the worksheet when requesting JAB approval.
The other is the standard Agency process, where you cannot begin the FedRAMP PMO step (Step 4 above) until having an agency partner. For more details on this process, look at the diagram on page 13 of this document.
HOWEVER, there are significant changes coming to FedRAMP soon (which will hopefully make everything much easier for small businesses!). The JAB is going to be removed and replaced with a new entity, but it is yet unclear what form this will take. See this policy memo for more info.