Project at a glance
We helped this client achieve Federal Risk and Authorization Management Program (FedRAMP) accreditation to expand into regulated markets and open a substantial and long-term revenue pipeline. KPMG leveraged leading insights from our deep understanding of what it takes to achieve FedRAMP authority to operate (ATO).
Client challenge
Our client is a global technology conglomerate that develops, manufactures, and sells networking hardware and software, telecommunications equipment, and other high-technology products and services. Having focused on commercial markets since its founding, it wanted to expand into regulated markets but lacked the internal capabilities, organization, and relationships to achieve FedRAMP accreditation on its own. FedRAMP approval, considered the gold standard in cloud security, is critical for cloud service providers wanting to sell cloud products to the public sector.
With mandates and initiatives increasing adoption of cloud services in the federal government, this cloud service provider (CSP) turned to KPMG, an independent and accredited third-party assessment organization for FedRAMP, to help it obtain the FedRAMP ATO that would open up a substantial and long-term revenue pipeline.
Key KPMG initiatives
KPMG leveraged leading insights from our deep understanding of FedRAMP authorization criteria and our extensive experience supporting major cloud service providers on their FedRAMP ATO journeys. Our multidisciplinary team of cloud, security, and regulatory subject matter professionals:
- conducted a deep-dive diagnostic assessment, examining the current security compliance posture, comparing it to key FedRAMP security controls; translated the gaps and recommendations into tailored, actionable plans
- created an organizational target operating model to support the new cloud product team and set up a project management office to centralize project execution
- wrote thousands of pages of compliance documentation
- advised engineers and developers on how to build new environments for the 325 most common FedRAMP access controls
- introduced the client to officials at the General Services Administration and the U.S. Department of Health and Human Services, which became the sponsoring agency
- prepared the client for the FedRAMP audit by performing internal readiness testing of technical controls and holding mock interviews
- designed, built, tested, and rolled out a continuous monitoring program after the client achieved its ATO.
Business impact
The client achieved FedRAMP ATO in 11 months for its largest product line. All told, we helped the CSP receive FedRAMP approval for two-thirds of the products it presented for authorization. Since the average authorized cloud product generates $150 million per year—and the company has sold 34 projects to date—we helped this CSP gain significant traction in the regulated marketplace. In addition, the company has expanded its circle of trust with a new base of customers as it continues to transition from hardware provider to CSP, leveraging compliance, security, and privacy capabilities enabled by KPMG.
Why KPMG?
Our considerable experience with the FedRAMP authorization process provided the structure and support the client needed to fast-track its ATO journey in an unfamiliar, regulated market.
Our key relationships across the FedRAMP community allow us to identify the leading agencies that want to use cloud services so that we can help clients identify sponsors.
We are known for writing compliance documentation that meets FedRAMP standards for quality and engenders FedRAMP’s trust in our clients.