
Page Info

Description: Why providers absolutely should hire advisors and some general tips on finding them.

Purpose: Folks will know they can't do this alone and stop trying.

Finding an Advisor

All cloud service providers work with an independent assessor — and gain valuable experience and knowledge through that partnership specific to FedRAMP and the greater federal ecosystem. Further, this site gives your own team access to all the guidance and instruction necessary to achieve a FedRAMP Certification of any class, type, or path.

Even though all of this information is publicly available, providers that are new to FedRAMP will almost always benefit from using a high quality FedRAMP Advisory Service.

FedRAMP Marketplace Advisory Service Listings

FedRAMP lists Advisory Services in the FedRAMP Marketplace without formal quality review. This information is available for the convenience of the public, and does not represent review or endorsement by FedRAMP.

Consider the Vibes

Selecting the right advisory service can set the foundation for a long term business relationship with large impacts.

FedRAMP recommends:

  • Considering how the advisor engages with other providers, trade, or industry groups.
  • Asking for references and really getting to know the organization you are considering.
  • Considering the advisor’s ability to effectively communicate – a good advisor will tactfully articulate where you can improve but keep your business goals and system in front of mind.
  • Checking what kinds of resources the advisor will allocate towards advising you. For example:
    • Are advisors able to offer reasoned technical recommendations? Do advisor teams consist primarily of junior technical employees?
    • Do advisors have enough time to work with you comprehensively?

Pro-Tip

If your system isn't ready for a FedRAMP Certification, no amount of presentation can hide that from the reviewers. At some point, you may need to fundamentally change your approach. A good advisor is willing to tell you this.

Danger of Misrepresentation

Any advisor who claims to be able to produce artifacts and meet ongoing requirements on your behalf is misrepresenting the spirit and intent of a FedRAMP Certification.

Review Experience & Qualifications

Ensure the advisory service has the appropriate expertise and staff who can be subject matter experts on the specific components and domain of YOUR service.

  • Advisors are not A2LA certified, the way FedRAMP independent assessors are. Consider their other qualifications. For example:
    • Knowledge of specific platforms, third party services, or deployment models (serverless, kubernetes, etc.).
    • Expertise in self-hosted or hybrid solutions.
    • Ability to perform code review of automated validations.
  • Some advisors provide access to purpose-built, proprietary platforms, scripts, or tools that could aid in automating the security artifact lifecycle.
  • Marketing teams in every company love displaying endorsements. Look at testimonials on their website, LinkedIn, the Better Business Bureau, etc.

Pro-Tip

Remember you can also always request such things from the potential advisor directly.

Review Past Performance

Investigate the past performance of the advisory service. For example:

  • What types of FedRAMP Certification paths or classes have they already consulted on?
  • Have they been an independent assessor for the Rev5 or 20x path?
  • Have they achieved their own FedRAMP Certification at some point?
  • When you ask questions about FedRAMP, generally, can they speak to the similarities and differences between Rev5 and 20x? The different classes? How do they see your profile shaping up?
  • Do a quick search for any publicly available content the potential advisor has created that is useful, correct, peer-reviewed, etc.

Make Sure They're Up to Date

FedRAMP, like everyone in cybersecurity, adapts with technology. Further, since the release of The Office of Management and Budget's Memorandum M-24-15 in 2024, FedRAMP has radically evolved, meaning finding an advisor who is current with and can speak fluently about contemporary FedRAMP is essential.

A high quality advisor is proactive in keeping up-to-date with program updates and community discussions. They may be able to talk you through the reasoning behind changes, the goals and intent of each KSI, releases like BIRs, etc., and discuss them with you competently.

You can vet this in discussions with them and by looking up whether they participate in FedRAMP community discussions, attend FedRAMP-related conferences, or have worked through one of the 20x pilot programs or the Rev5 closed/open betas.

Obvious Red Flags

Make sure your advisor understands the Consolidated Rules for 2026 and the current context. If they offer services to help you obtain a FedRAMP Authorization or talk about impact levels (Low, Moderate, High) it is an immediate warning that they are not following changes to FedRAMP because FedRAMP no longer uses that terminology.
