Fortinetics

FedRAMP Moderate for a commercial cloud provider: winning a first federal agency

A commercial cloud SaaS provider pursuing its first federal agency opportunity through an agency-sponsored ATO (name withheld per engagement confidentiality)

Duration
15 months
Frameworks
FedRAMP Moderate · NIST SP 800-53 Rev 5 · FedRAMP ConMon
Outcome
Authorization boundary, SSP, and full Moderate package delivered to assessable standard; the 3PAO assessment was completed; the agency authorization is in final review at time of writing, with the continuous monitoring program already operating on its monthly cadence. The provider entered its first federal opportunity with a credible, in-progress authorization path rather than a standing start.
[Figure: FedRAMP Moderate authorization architecture. A commercial cloud SaaS provider's FedRAMP Moderate path. A dedicated government-region tenant forms the authorization boundary, holding the in-boundary system and the NIST 800-53 Rev 5 Moderate control families, sitting on an inherited FedRAMP-authorized IaaS. A Third Party Assessment Organization (3PAO) assesses the boundary and produces the Security Assessment Report and POA&M; the sponsoring agency's authorizing official issues the ATO; the continuous-monitoring program operates on a monthly cadence. Panels: Assessment (Step 01: 3PAO selected and coordinated; outputs SAR, findings worked not buried, and POA&M with realistic remediation dates); Authorization and ConMon (Step 02: agency authorizing official; ATO decision in final agency review; standing monthly ConMon of scans, POA&M, deviations, deliverables); Authorization boundary, Rev 5 Moderate (dedicated government-region tenant on the multi-tenant SaaS platform; in-boundary system with SSP authored to 3PAO-assessable standard; control families SC boundary protection, AU audit and accountability, IA identity and authentication, CM configuration management, CP contingency, IR incident response; drawn tightly with no orphaned dependencies, inheritance documented rather than re-claimed as system-owned); Inherited, beneath the boundary (underlying FedRAMP-authorized IaaS whose controls are inherited by the system). Timeline: 15 months, commercial baseline to first agency ATO with ConMon live.]
Fig. · FedRAMP Moderate authorization architecture. A dedicated government-region tenant is the authorization boundary; the 3PAO assesses it, the sponsoring agency authorizes it, and continuous monitoring runs monthly beneath it. All references anonymized per engagement confidentiality.

The situation

A commercial cloud SaaS provider had a federal agency that wanted to buy its product. The agency could not contract for it until the service carried a FedRAMP authorization at the Moderate impact level. This is a familiar inflection point: a company with real commercial traction and a capable engineering team discovers that the federal market runs on an authorization process its commercial posture does not satisfy, and that the process is measured in quarters, not weeks.

The provider ran a modern multi-tenant cloud platform. It had a security program adequate for its commercial customers, but nothing scoped to a federal authorization boundary, no System Security Plan, and no experience with a Third Party Assessment Organization or an agency authorizing official. The control gap was real but bounded; the larger gaps were the authorization boundary itself, the documentation set a 3PAO would assess, the continuous monitoring program a federal authorization obligates in perpetuity, and a sponsoring agency willing to issue the authorization.

The engagement was scoped to take the provider from commercial baseline to an agency-sponsored authorization at FedRAMP Moderate — boundary, package, assessment, and the standing ConMon program — on the agency ATO path, with the sponsoring agency engaged early so the authorization had a destination from the start.

The constraints

The path choice — 20x evaluated, traditional path chosen. FedRAMP’s modernization work, including the 20x initiative, has been reshaping how authorizations can be pursued, with an emphasis on automation, machine-readable evidence, and a faster cadence than the document-heavy traditional process. We evaluated whether the 20x track fit this engagement. For this provider, with a sponsoring agency already engaged and that agency’s reviewers most fluent in the traditional package format, the conventional agency-sponsored path was the lower-risk route to the authorization the agency needed to issue. The decision was driven by the agency’s review posture and the engagement timeline, not by a preference for the older process. We treated the modernization direction as a reason to design the documentation and evidence to be as automation-ready as the traditional path allows, so the provider is not rebuilding from scratch as the program evolves.

Rev 5 baseline. The authorization targeted the FedRAMP Moderate baseline under NIST SP 800-53 Rev 5. The control set, parameter values, and documentation expectations were aligned to Rev 5 throughout — the SSP, the assessment, and the ConMon deliverables were all authored to the current baseline rather than a prior revision.

Sponsor-driven cadence. The authorization rests with the agency’s authorizing official, whose review cadence and information requests set the rhythm of the back half of the engagement. The plan was built to keep the package responsive to agency questions as the review progressed, rather than assuming a fixed assessment-to-authorization interval.

The approach

The engagement ran roughly fifteen months across four phases — boundary and environment, documentation and control implementation, 3PAO assessment, and agency authorization with ConMon stand-up — with the phases overlapping where the work allowed.

Boundary and environment. The authorization boundary is the single most consequential design decision in a FedRAMP engagement; it determines what the 3PAO assesses, what the SSP must describe, and what the ConMon program monitors for the life of the authorization. We designed a dedicated government-region tenant to hold the in-boundary system, defining what was inside the boundary, what was an inherited authorized service beneath it, and what was external. Drawing the boundary tightly — without orphaning components the system genuinely depended on — kept the assessment and the standing monitoring obligation proportionate to what the agency actually needed authorized.

Documentation and control implementation. We authored the System Security Plan to a standard a 3PAO can assess without a second pass: control implementation descriptions that were specific, traceable to a real system of record, and honest about inherited versus system-specific responsibility. In parallel, we closed the control gaps against the Moderate baseline: boundary protection, audit and accountability, identification and authentication aligned to federal expectations (multi-factor authentication for privileged and non-privileged accounts, and FIPS 140-validated cryptographic modules wherever cryptography protects federal data), configuration management, contingency planning, and incident response among them. Where the platform inherited controls from an underlying authorized cloud service, we documented the inheritance precisely, citing the provider's authorized service and the specific controls it covers, rather than re-claiming controls the provider did not actually own. An assessor reads an inheritance claim against the underlying provider's customer responsibility matrix, so a control claimed as inherited that the underlying service does not actually provide becomes a finding.

3PAO assessment. We selected and coordinated the Third Party Assessment Organization, supported the Security Assessment Plan, coordinated the penetration test, and walked the assessors through the environment and the evidence. The assessment produced a Security Assessment Report; the findings were worked into a Plan of Action and Milestones with realistic remediation timelines rather than optimistic ones the agency would later see slip.

Agency authorization and ConMon stand-up. With the assessment complete, the package went to the sponsoring agency. We supported the authorizing official's review with clarifications, supplemental evidence, and POA&M updates as requested. In parallel, we stood up the continuous monitoring program so it was operating on its monthly cadence by the time the authorization decision was in front of the agency: monthly authenticated vulnerability scans of the boundary, POA&M maintenance against FedRAMP's remediation windows (High findings within 30 days of discovery, Moderate within 90, Low within 180), deviation requests where a finding's risk was genuinely lower than the scanner's rating or was a confirmed false positive, and the monthly deliverable package the agency would expect to receive for the life of the authorization. A FedRAMP authorization is not a finish line; it is the start of a monthly obligation, and a program that treats ConMon as an afterthought loses the authorization it worked to earn.

What made this engagement fit

The hard part was boundary and documentation, not the technology. The provider had built a capable platform. What it needed was the authorization boundary, the assessable SSP, and the standing ConMon program — the architecture and documentation work that turns a commercial service into an authorizable one. That is the center of how we work: the implementation is the minority of the effort, and the boundary design, the documentation, and the operating discipline are the majority.

Framework currency on Rev 5 and the modernization direction. Authoring to the Rev 5 Moderate baseline, and designing the evidence to stay relevant as FedRAMP’s automation and 20x work matures, meant the provider was not building to a baseline already being superseded. Our team’s hands-on work across federal frameworks — including direct work on CMMC at the Department of Defense in 2019 — informed how we approached control-narrative authorship and the boundary decisions that an assessor reads first.

ConMon designed in, not bolted on. Standing up continuous monitoring before the authorization decision, rather than after, meant the provider crossed into authorization with the monthly machine already running. The most common way a hard-won FedRAMP authorization erodes is a ConMon program that was treated as a post-authorization problem.

The outcome

The authorization boundary, System Security Plan, and full FedRAMP Moderate package were delivered to an assessable standard, and the 3PAO completed its assessment. At the time of writing, the agency authorization is in final review, and the continuous monitoring program is already operating on its monthly cadence — scans, POA&M maintenance, and the monthly deliverable package the agency expects. The provider entered its first federal opportunity with a credible authorization path in motion rather than a standing start, which is what let the agency keep the procurement alive.

This is a young firm describing an in-progress engagement, and the honest framing is exactly that: the package is delivered, the assessment is done, the authorization is in final agency review, and the ConMon program is live. We are not claiming a portfolio of completed federal authorizations; we are describing one Moderate authorization taken from commercial baseline to the agency’s final review, with the operating program already running underneath it.

Commercial structure

The engagement combined a firm fixed-price scope for boundary design, SSP authoring, and control implementation with a time-and-materials period covering 3PAO coordination, agency review support, and the ConMon stand-up — phases whose effort depends on assessor findings and the agency’s review cadence. The 3PAO assessment and penetration test were contracted directly between the client and the assessment organization; we coordinated but did not mark up the assessor’s work. Engagement pricing is scope-dependent and is defined during a scoping call; we do not publish price lists.


If you have a federal agency waiting on a FedRAMP authorization, book a thirty-minute scoping call — we’ll give you an honest read on the boundary, the package, and the runway to an agency ATO.
