“Online” vs “Go-Live / Production” vs “Fully Operational”
Challenge
As advisors, one of the questions we receive most frequently from Cloud Service Providers (CSPs) pursuing FedRAMP, DoD, or any other form of Authority to Operate (ATO) is “What is ‘In Production’ / ‘Go-Live’?” The question also comes with a lot of constraints.
So, we have decided to help clarify the differences between each. Let’s begin with the following guidance from the FedRAMP PMO, Designations for Cloud Service Providers, Version 2.0, dated 10/28/2021. In the context of meeting FedRAMP In-Process Requirements, one of the requirements states the following on Printed Page 4.
The footnote indicates the following:
CSPs commonly misinterpret or misunderstand what a “Fully Operational” / “Production” environment means, and it’s an honest misunderstanding, especially if you have not previously worked with the Federal Government.
From a standard Commercial SaaS product management standpoint, “In production” typically refers to the stage where a software or system is being used in a live environment. When a feature or application is “in production,” it means that it has passed the stages of development and testing and is now actively being used by end-users.
If a CSP were not pursuing FedRAMP or DoD authorizations, the puck would simply stop at the definition above. However, as we are all aware, this article is intended for CSPs pursuing an ATO. Thus, for simplicity, let’s call the definition above “Online”.
Designations | Description
--- | ---
“Online” / “MVP” | From a standard Commercial SaaS product management standpoint, “In production” typically refers to the stage where a software or system is being used in a live environment. When a feature or application is “in production,” it means that it has passed the stages of development and testing and can now actively be used by end-users, but it may have gaps and lack some of the necessary bells and whistles from a required security standpoint if we consider “Online” and/or “MVP” in the context of FedRAMP/DoD. For simplicity, and for the purposes of CSPs pursuing authorizations, we will call this designation “Online” or “MVP”.
Go-Live / Production / Fully Operational | I need to be fully defined! Maybe I’ll be defined later on…
What are the differences?
In the table above, we have purposely put “Go-Live”, “Production” and “Fully Operational” in the same bucket because if you’ve been in the FedRAMP/DoD/NIST space long enough, you’ve heard all three used interchangeably. The use of these terms causes CSPs a lot of confusion, and rightfully so!
For simplicity, we will be using “Go-Live” synonymously with “Production” and “Fully Operational” going forward. So let’s define what “Go-Live” is.
Go-Live: “Go-Live”, in the context of FedRAMP/DoD, signifies the stage at which a CSP service offering is “fully operational”, “fully implemented”, “in-production”, and ready for use by federal agencies. This indicates that the service offering has successfully traversed all the development, testing, and approval stages, aligning with the stated System Security Plan (SSP) and the depicted authorization boundary.
The “Go-Live” stage means all security controls, as per the authorization package, have been fully implemented. This includes the deployment of all technologies, the establishment of applicable processes, and the readiness of personnel involved in managing and maintaining the system’s security as stated in the SSP.
The service offering, now in production, precisely mirrors the service offering as it has been detailed in the authorization package.
Furthermore, upon reaching the “Go-Live” stage, the system is subject to continuous monitoring and maintenance to ensure its ongoing security compliance, operational efficiency, and user satisfaction. This includes prompt identification and remediation of vulnerabilities, and potential development of new features, all while adhering to the rigorous FedRAMP/DoD security standards.
Lastly, the “Go-Live” stage designates that the CSP’s service offering is primed for evaluation by a Third-Party Assessment Organization (3PAO) in the production environment. The environment is isolated from the development and staging environments to prevent any untested or unapproved changes from impacting the federal users and the overall system security.
Quite a mouthful – but we believe the level of detail is necessary to fully convey the meaning of what “Go-Live” really means in the context of FedRAMP/DISA.
Why do I, as a CSP, care?
Great question – what’s the hubbub about all these terms? Well, if you’re like any other CSP out there, you want to be listed on the FedRAMP marketplace / DISA Service Catalog ASAP!
· FedRAMP/DoD Ready (RAR)
· FedRAMP In-Process
· FedRAMP/DoD Authorized
To achieve any of the designations above, you will come to a point where your service offering must “Go-Live” (NOT “Online”). Take a look for yourself below — if your “Go-Live” date shifts, guess what — your entire timeline shifts as well! (Doh!)
What this means:
To ensure a successful assessment, a golden rule of thumb in the FedRAMP/DoD/NIST space is after “Go-Live” the system must stay “Fully Operational” / “In-Production” for at least:
· Highest risk – thirty (30) days (highly discouraged)
· Moderate risk – forty-five (45) days (recommended if your relationship with your 3PAO is strong)
· Lowest risk – ninety (90) days (preferred / highly recommended)
Common questions:
1. “Why do I need to be operational for X number of days?”
a. Short answer – you must be able to demonstrate to the 3PAO that Continuous Monitoring requirements are being met.
b. Long answer – you must demonstrate to a 3PAO that security controls are satisfactorily (effectively) implemented.
Controls within the FedRAMP/DoD baseline require varying frequencies of activity (incident reporting and tracking, automated detection of assets, review of access records, web/app/infra scans, verification of security functions, review of privileges, change/refresh of authenticators, disabling of inactive accounts after X number of days, etc.), all of which need to be evaluated. If the system has only just gone live, there is no history of these recurring activities for the 3PAO to examine.
Bear in mind, some exceptions for “non-occurrences” are made. However, a common question from an experienced 3PAO will be “How long have you been ‘Live’ for?” because any experienced 3PAO will make sure they are not assessing a service offering that has no evidence to provide (said another way, an experienced 3PAO will likely delay the assessment of a service offering that reached “Go-Live” only yesterday).
2. “Does this imply that my system will not have any customers during the operational buffer period?”
a. Short answer: Yes!
b. Long answer: Yes, that is typically the case. However, there might be exceptions where an Interim Authority to Operate (Interim-ATO) is granted for a system or service that has recently been launched. The nuances of Interim-ATO are more complex, with their own benefits and drawbacks. In most cases, during the ‘Go-Live’ phase, it’s generally safe to assume that the service will need to be managed in a way that ensures it is authorized and actively utilized by an agency.
Our table above has now been fully defined!
Designations | Description
--- | ---
“Online” / “MVP” | From a standard Commercial SaaS product management standpoint, “In production” typically refers to the stage where a software or system is being used in a live environment. When a feature or application is “in production,” it means that it has passed the stages of development and testing and is now actively being used by end-users. For simplicity, and for the purposes of CSPs pursuing authorizations, we will call this designation “Online”.
Go-Live / Production / Fully Operational | “Go-Live”, in the context of FedRAMP/DoD, signifies the stage at which a Cloud Service Provider’s (CSP) service offering is “fully operational”, “fully implemented”, “in-production”, and ready for use by federal agencies. This indicates that the service offering has successfully traversed all the development, testing, and approval stages, aligning with the stated System Security Plan (SSP) and the depicted authorization boundary. The “Go-Live” stage means all security controls, as per the authorization package, have been fully implemented. This includes the deployment of all technologies, the establishment of applicable processes, and the readiness of personnel involved in managing and maintaining the system’s security as stated in the SSP. The service offering, now in production, precisely mirrors the service offering as it has been detailed in the authorization package. Furthermore, upon reaching the “Go-Live” stage, the system is subject to continuous monitoring and maintenance to ensure its ongoing security compliance, operational efficiency, and user satisfaction. This includes prompt identification and remediation of vulnerabilities, and potential development of new features, all while adhering to the rigorous FedRAMP/DoD security standards. Lastly, the “Go-Live” stage designates that the CSP’s service offering is primed for evaluation by a Third-Party Assessment Organization (3PAO) in the production environment. The environment is isolated from the development and staging environments to prevent any untested or unapproved changes from impacting the federal users and the overall system security.