I remember sitting in a conference room in 2017, watching a CEO's face turn pale as I explained what FedRAMP compliance would actually require. His company had just landed a meeting with a major federal agency, and the procurement officer had casually mentioned, "Oh, and we'll need you to be FedRAMP authorized."
"How hard can it be?" he'd asked me that morning. "We're already SOC 2 compliant."
Six hours into our gap analysis, he understood. FedRAMP isn't just another compliance checkbox—it's a fundamental transformation of how you build, deploy, and operate cloud services.
That company eventually achieved their Authority to Operate (ATO). It took 18 months, cost $1.2 million, and required restructuring their entire security architecture. But it also opened the door to $47 million in federal contracts over the next three years.
Today, after helping twelve cloud service providers through FedRAMP authorization, I'm going to share everything you need to know about CSP requirements—the official mandates, the hidden challenges, and the hard-earned lessons that separate successful authorizations from expensive failures.
What FedRAMP Actually Is (And Why It Matters More Than You Think)
Let me cut through the acronyms and government-speak: FedRAMP (Federal Risk and Authorization Management Program) is the government-wide program that standardizes how cloud services are assessed, authorized, and continuously monitored for federal use. Agencies are required to use FedRAMP-authorized cloud services for federal information, which is why a CSP has to get through it before an agency can adopt its service.
Think of it as the federal government saying, "We're not going to assess every vendor individually anymore. Instead, we're creating one comprehensive security standard. Meet it once, and you can work with any federal agency."
Sounds simple, right? It's not.
"FedRAMP isn't a certification—it's a continuous authorization that you maintain every single day. The moment you stop meeting requirements, your authorization is at risk."
The Numbers That Matter
Before we dive deep, let me share some context that explains why CSPs are willing to endure the FedRAMP gauntlet:
Metric | Value | What It Means |
|---|---|---|
Federal Cloud Spending (2024) | $27.4 billion | Total addressable market for FedRAMP-authorized services |
Average Federal Contract Value | $3.2M - $15M | Typical contract size for cloud services |
Number of Federal Agencies | 100+ | Potential customers once authorized |
Average Authorization Timeline | 12-18 months | From kickoff to ATO |
Typical Authorization Cost | $250K - $2M | Varies by impact level and complexity |
Annual Maintenance Cost | $150K - $400K | Ongoing compliance and monitoring |
I worked with a SaaS provider in 2021 who hesitated about the investment. After achieving Moderate authorization, they landed contracts with five federal agencies in nine months, generating $8.3 million in new revenue. Their CEO told me, "Best investment we ever made, but I'm glad you warned us about the pain."
The Three Impact Levels: Choosing Your Path
Here's where most CSPs make their first critical decision—and where many make their first mistake. FedRAMP defines three impact levels, and choosing the wrong one can cost you six months and hundreds of thousands of dollars.
Impact Level Comparison Table
Factor | Low Impact | Moderate Impact | High Impact |
|---|---|---|---|
Data Sensitivity | Low-sensitivity information, much of it already public | Controlled Unclassified Information (CUI) | The most sensitive unclassified data (law enforcement, emergency services, financial, health), where a breach could be severe or catastrophic; national security systems are outside FedRAMP entirely |
Security Controls | 125 controls (Rev 4 baseline); 156 in the Rev 5 baseline | 325 controls (Rev 4 baseline); 323 in the Rev 5 baseline | 421 controls (Rev 4 baseline); 410 in the Rev 5 baseline |
Breach Impact | Limited effect | Serious adverse effect | Severe or catastrophic effect |
Common Use Cases | Public websites, collaboration tools | CRM, project management, analytics | Law enforcement, defense, intelligence |
Time to Authorization | 6-9 months | 12-18 months | 24-36 months |
Initial Cost Range | $150K - $400K | $400K - $1.2M | $1.5M - $5M+ |
Annual Maintenance | $75K - $150K | $150K - $400K | $500K+ |
Authorization Path | Agency (the JAB rarely prioritized Low systems) | JAB or Agency | JAB or Agency |
Market Opportunity | Limited | Substantial | Highly specialized |
Real Talk: Which Level Should You Choose?
I'll be blunt: start with Moderate unless you have a specific reason not to.
Here's why:
Low Impact seems attractive because it's faster and cheaper. But here's what I've observed: approximately 73% of federal agency requirements fall into the Moderate category. By choosing Low, you're dramatically limiting your market opportunity.
I advised a collaboration platform in 2019 that went Low to "get to market faster." Eighteen months later, they had to upgrade to Moderate because every serious prospect needed CUI handling. The upgrade cost them $340,000 and six months—nearly as much as doing Moderate from the start.
High Impact is for truly specialized use cases. Unless you're specifically targeting defense, intelligence, or law enforcement with data that could affect national security, you don't need it. I've only worked with two companies pursuing High impact, and both had existing DoD contracts requiring it.
"Choose your impact level based on your target customers' data, not your comfort level. The market will force you to upgrade anyway—might as well do it right the first time."
The Core CSP Requirements: What You're Actually Signing Up For
Let me walk you through the fundamental requirements that every CSP must meet. I'm not going to list all 325 controls (the control catalog is NIST SP 800-53; the FedRAMP baselines published on fedramp.gov select which controls apply at each impact level and set the parameter values)—instead, I'll focus on the requirements that consistently trip up even experienced organizations.
1. System Security Plan (SSP): Your Security Bible
The SSP isn't just documentation—it's the complete blueprint of your security architecture, controls, and procedures. Think of it as the contract between you and the government: "This is exactly how we protect federal data."
I've reviewed over 40 SSPs in my career. The difference between good ones and bad ones is striking:
Bad SSP symptoms:
Generic, templated responses
Vague control descriptions ("We implement strong access controls")
Missing implementation details
Disconnected from actual operations
Good SSP characteristics:
Specific tool names and configurations
Clear responsibility assignments
Detailed procedures and workflows
Evidence of actual implementation
One client's first SSP draft came back with 247 findings from their 3PAO (Third-Party Assessment Organization). Why? They'd copied a template without customizing it to their actual environment. We spent three months rewriting it. Their second version had 31 findings—a much more manageable number.
SSP Core Components
Component | Purpose | Common Pitfalls |
|---|---|---|
System Boundary | Defines what's in scope for authorization | Including unnecessary systems, unclear boundaries |
Control Implementation | Details how each control is satisfied | Generic descriptions, missing technical details |
Responsibility Matrix | Who manages each control (CSP/Customer/Hybrid) | Unclear responsibilities, gaps in coverage |
Network Architecture | Complete system topology and data flows | Outdated diagrams, missing connections |
Interconnections | External system connections and protections | Undocumented APIs, missing MOUs |
User Roles | All user types and their access levels | Incomplete role definitions, excessive privileges |
Incident Response | Procedures for security events | Untested procedures, missing contact info |
Continuous Monitoring | How you maintain security posture | Inadequate monitoring, manual processes |
2. Boundary Definition: Drawing the Right Lines
This sounds simple but causes enormous problems. Your system boundary must include everything that processes, stores, or transmits federal data—and nothing else.
I worked with a fintech company that made a classic mistake: they initially drew their boundary around just the application servers handling federal data. During assessment, the 3PAO identified that their CI/CD pipeline, developer workstations, and corporate network all had potential access paths to that data.
Result? They had to expand their boundary to include:
Development and staging environments
Build and deployment systems
Administrative access workstations
Network infrastructure connecting everything
Identity and access management systems
Logging and monitoring infrastructure
Their compliance scope—and cost—tripled overnight.
"Your FedRAMP boundary isn't where you want federal data to live. It's everywhere federal data could possibly touch, including all the systems that could touch those systems."
3. Architecture Requirements: Building for Compliance
FedRAMP has specific architectural requirements that fundamentally shape how you design your infrastructure. Here's what I've learned from rebuilding multiple architectures for FedRAMP:
Mandatory Architecture Elements:
Requirement | Implementation | Why It Matters |
|---|---|---|
Network Segmentation | Isolate the authorization boundary from non-federal systems and tenants; logical separation is acceptable if you can demonstrate and test it, but a dedicated environment is far easier to defend to a 3PAO | Prevent data spillage, limit breach impact, keep assessment scope bounded |
Multi-Factor Authentication | All privileged and remote access; phishing-resistant methods (PIV/CAC, FIDO2) are what agencies increasingly expect | Prevent credential-based attacks |
Encryption at Rest | Cryptographic modules validated under FIPS 140-2 or 140-3; the CMVP certificate has to cover the module you actually run, not just the algorithm | Protect stored federal data |
Encryption in Transit | TLS 1.2+ for all data transmission, terminated in FIPS-validated modules | Protect data during transfer |
Logging and Monitoring | Centralized SIEM; 90 days of online retention is the floor, and OMB M-21-31 pushes toward 12 months active plus 18 months cold storage | Detect and investigate security events |
Vulnerability Scanning | Continuous automated scanning | Identify security weaknesses |
Configuration Management | Automated baseline enforcement | Prevent security drift |
Backup and Recovery | Tested daily backups, documented recovery | Ensure data availability |
Incident Response | Documented and tested procedures; confirmed incidents reported to the authorizing agency and US-CERT/CISA within 1 hour | Rapid event handling |
Access Control | Least privilege, regular review | Minimize insider risk |
Real-World Architecture Challenge:
A SaaS provider I advised in 2020 had built their entire platform on a shared multi-tenant architecture. Every customer—federal and commercial—shared the same database clusters, application servers, and network infrastructure.
For FedRAMP, we had to create a completely isolated federal environment:
Separate AWS account with no cross-account access
Dedicated database clusters with encrypted storage
Isolated network with dedicated VPC
Separate CI/CD pipeline for federal deployments
Dedicated operations team with specialized training
The architecture rebuild took five months and cost $680,000. But here's the interesting part: the security improvements they made for FedRAMP ended up benefiting their entire customer base. Their commercial customers started asking, "Can we get the same isolation model?"
4. Continuous Monitoring: It Never Stops
Here's what shocks most CSPs: achieving FedRAMP authorization is just the beginning. Maintaining it requires constant vigilance and regular reporting.
Continuous Monitoring Requirements:
Activity | Frequency | Deliverable |
|---|---|---|
Vulnerability Scanning | Monthly (minimum) across operating systems, databases, web applications and container images | Scan results plus a POA&M; remediation is due 30 / 90 / 180 days from discovery for High / Moderate / Low findings |
Security Assessment | Annual | Updated SAR from 3PAO |
Penetration Testing | Annual | Detailed test results and fixes |
Plan Updates | As changes occur | Updated SSP, SAP, SAR |
Monthly Continuous Monitoring | Monthly | ConMon deliverables to agencies |
Significant Change Requests | As needed | SCR documentation and approval |
Incident Reporting | Within 1 hour of confirming an incident (all impact levels) | Incident reports to agencies and US-CERT/CISA |
Inventory Updates | Continuous | Complete asset inventory |
I worked with a CSP that treated FedRAMP like a "set it and forget it" certification. They achieved their ATO, celebrated, and then... stopped investing in compliance activities.
Six months later, they failed a spot check. Their vulnerability scanning had lapsed, their SSP was outdated (they'd made significant architecture changes without SCR approval), and they had 47 open vulnerabilities past their remediation deadlines.
Their agency threatened to revoke authorization. It took them three months and $180,000 in emergency remediation to get back into compliance. Their CEO learned an expensive lesson: "FedRAMP isn't a certificate on the wall—it's a daily commitment."
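Both failures in that story, lapsed scans and findings sitting past their remediation windows, are mechanical to detect if you track them. The Python below is an added example, not code from the original article or from the CSP described. It encodes the FedRAMP remediation windows (30, 90 and 180 days from discovery for High, Moderate and Low findings), flags overdue POA&M items as of a reporting date, and checks scan cadence for gaps longer than a month. The findings and scan dates are constructed sample data.

```python
"""POA&M deadline and scan-cadence checks for FedRAMP continuous monitoring.

Added example, not from the original article. The findings and scan dates
below are constructed sample data; the remediation windows are the FedRAMP
ConMon requirement (30/90/180 days from discovery for High/Moderate/Low
severity findings).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}


@dataclass
class Finding:
    poam_id: str
    severity: str                      # "high" | "moderate" | "low"
    discovered: date                   # first detection by a scanner or assessor
    remediated: Optional[date] = None  # None while the item is still open

    @property
    def due(self) -> date:
        """FedRAMP due date: discovery plus the window for the severity."""
        return self.discovered + timedelta(days=REMEDIATION_DAYS[self.severity])


def overdue(findings, as_of):
    """Open findings past their due date on as_of, as (id, severity, days late), latest first."""
    late = [
        (f.poam_id, f.severity, (as_of - f.due).days)
        for f in findings
        if f.remediated is None and as_of > f.due
    ]
    late.sort(key=lambda t: -t[2])
    return late


def scan_gaps(scan_dates, as_of, max_gap_days=31):
    """Intervals longer than max_gap_days between consecutive scans, and from
    the last scan to as_of. A true monthly cadence yields an empty list."""
    points = sorted(scan_dates) + [as_of]
    return [
        (prev, nxt, (nxt - prev).days)
        for prev, nxt in zip(points, points[1:])
        if (nxt - prev).days > max_gap_days
    ]


def conmon_summary(findings, scan_dates, as_of):
    """The numbers an ISSO puts at the top of the monthly ConMon deliverable."""
    late = overdue(findings, as_of)
    return {
        "as_of": as_of.isoformat(),
        "open": sum(1 for f in findings if f.remediated is None),
        "overdue": len(late),
        "overdue_high": sum(1 for _, sev, _ in late if sev == "high"),
        "scan_gaps": len(scan_gaps(scan_dates, as_of)),
    }


# Constructed sample: a Moderate system reviewed at the end of September 2024.
AS_OF = date(2024, 9, 30)
SAMPLE_FINDINGS = [
    Finding("V-001", "high", date(2024, 8, 15)),                    # due 2024-09-14
    Finding("V-002", "moderate", date(2024, 6, 1)),                 # due 2024-08-30
    Finding("V-003", "low", date(2024, 2, 1)),                      # due 2024-07-30
    Finding("V-004", "moderate", date(2024, 8, 20)),                # due 2024-11-18
    Finding("V-005", "high", date(2024, 9, 5), date(2024, 9, 20)),  # closed in time
]
# July was skipped entirely: the kind of lapse the story above describes.
SAMPLE_SCANS = [date(2024, 5, 10), date(2024, 6, 8), date(2024, 8, 28), date(2024, 9, 12)]

if __name__ == "__main__":
    for poam_id, sev, days in overdue(SAMPLE_FINDINGS, AS_OF):
        print(f"{poam_id} ({sev}) is {days} days past due")
    for prev, nxt, days in scan_gaps(SAMPLE_SCANS, AS_OF):
        print(f"no scan between {prev} and {nxt} ({days} days)")
    print(conmon_summary(SAMPLE_FINDINGS, SAMPLE_SCANS, AS_OF))
```

Run monthly against your real scanner export and POA&M, this is the difference between discovering 47 overdue items yourself and having the agency discover them for you. The low-severity item is the one furthest past due in the sample, which is typical: long windows make Low findings easy to forget.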
The Authorization Process: What Really Happens
Let me walk you through the actual authorization journey. The official documentation makes it sound straightforward. The reality is... messier.
Phase-by-Phase Breakdown
Phase | Duration | Key Activities | Common Problems | Lessons Learned |
|---|---|---|---|---|
1. Readiness | 2-4 months | Gap assessment, remediation planning, 3PAO selection | Underestimating gaps, choosing wrong 3PAO | Do thorough self-assessment first |
2. Documentation | 3-6 months | SSP, policies, procedures, evidence collection | Generic templates, incomplete procedures | Invest in quality documentation |
3. Remediation | 2-6 months | Implement missing controls, fix vulnerabilities | Scope creep, technical debt | Budget 30% extra time |
4. Assessment | 2-3 months | 3PAO testing, evidence review, findings | Insufficient evidence, failed tests | Prepare evidence in advance |
5. Remediation 2 | 1-3 months | Fix findings, provide additional evidence | Resource exhaustion, morale issues | Maintain team momentum |
6. Authorization | 1-4 months | Package review, agency approval, ATO letter | Bureaucratic delays, incomplete packages | Start early, communicate often |
The Real Timeline: A Case Study
Let me share the actual timeline from a client who achieved Moderate authorization in 2022:
Month 1-2: Reality Check
Hired experienced consultant (me)
Engaged with 3PAO
Conducted gap assessment
Finding: 87 control gaps identified
Reality hit: CEO initially wanted 6-month timeline; we revised to 15 months
Month 3-5: Foundation Building
Implemented SIEM (Splunk)
Deployed vulnerability scanning (Tenable)
Rebuilt network architecture with proper segmentation
Implemented FIPS 140-2 encryption
Cost: $340,000 in tooling and architecture changes
Month 6-8: Documentation Hell
Wrote SSP (428 pages)
Created 47 policies and procedures
Built evidence collection system
Conducted internal testing
Team burnout: Lost two security engineers during this phase
Month 9-11: 3PAO Assessment
Kickoff meeting and scope confirmation
Control testing (every single one)
Evidence review
Initial findings: 156 findings (better than average)
Month 12-13: Finding Remediation
Fixed technical issues
Updated documentation
Provided additional evidence
Final findings: 31 findings (moved to POA&M)
Month 14-15: Package and Authorization
Submitted authorization package
Agency review and questions
ATO granted!
Celebration: Followed by immediate continuous monitoring setup
Total cost: $1,147,000
Total time: 15 months
Worth it? First federal contract signed 3 weeks later for $4.2M
Choosing Your Authorization Path: JAB vs. Agency
This decision matters more than most CSPs realize. Let me break down both paths based on real experience:
JAB (Joint Authorization Board) Path
The Promise: one provisional authorization (P-ATO) that every agency can reuse, although each agency still issues its own ATO letter.
The Reality: Longer, harder, but more valuable.
One caveat before the table: OMB memo M-24-15 (July 2024) replaced the JAB with a FedRAMP Board, so the JAB path described below is historical; check fedramp.gov for the current program-wide route. The value of a broadly reusable package is what carries forward.
Aspect | Details | My Take |
|---|---|---|
Who Reviews | DoD, DHS, GSA representatives | Most rigorous reviewers |
Timeline | 18-24 months typically | Add 6 months to your estimate |
Scrutiny Level | Extremely high | Every control tested thoroughly |
Rejection Rate | ~40% of applicants | Not everyone gets in |
Market Value | Highest | Opens all doors |
Best For | CSPs targeting multiple agencies | Platform plays |
I helped a project management SaaS company pursue JAB authorization in 2021. The process was brutal:
3 rounds of documentation review (each took 6-8 weeks)
Every control tested, no shortcuts
Multiple requests for additional evidence
Two senior engineers burned out during the process
But when they got their JAB authorization? They became one of ~250 JAB-authorized CSPs (compared to 1000+ agency authorizations). They landed contracts with 8 different agencies in the first year. Their CEO told me: "The pain was worth it. JAB authorization is our competitive moat."
Agency Authorization Path
The Promise: Faster path to revenue
The Reality: Works great if you have a committed agency sponsor
Aspect | Details | My Take |
|---|---|---|
Who Reviews | Single federal agency | Variable rigor by agency |
Timeline | 12-18 months typically | More predictable |
Scrutiny Level | High but focused | Depends on agency |
Agency Commitment | Requires sponsor | Critical success factor |
Market Value | Good for reuse | Other agencies can leverage |
Best For | CSPs with specific agency relationship | Targeted approach |
Critical Agency Path Requirement: You need an agency sponsor willing to commit time and resources to your authorization. Without this, you're dead in the water.
I watched a CSP spend $400,000 pursuing agency authorization only to have their sponsor transfer to a different agency mid-process. The new point of contact had different priorities. The authorization stalled for 9 months before the CSP abandoned it and started over with a different agency.
"JAB authorization is like climbing Mount Everest—harder but more prestigious. Agency authorization is like climbing K2—still incredibly difficult but slightly more forgiving. Neither is a walk in the park."
The Hidden Requirements Nobody Warns You About
After twelve FedRAMP journeys, here are the requirements that consistently surprise CSPs:
1. The People Problem
You can't just assign FedRAMP to your existing security team as a side project. Here's what you actually need:
Required Roles:
Role | Time Commitment | Why You Need Them |
|---|---|---|
FedRAMP Program Manager | Full-time | Someone needs to own this end-to-end |
Security Engineer(s) | 2-3 full-time | Implement and maintain controls |
Compliance Specialist | Full-time | Documentation and evidence management |
System Owner | 25% time | Authorization decision maker |
ISSO (Information System Security Officer) | Full-time | Day-to-day security operations |
DevOps Engineer | 50% time | Infrastructure and automation |
Technical Writer | 50% time | Quality documentation |
One client tried to do FedRAMP with their existing 4-person security team handling it as additional duties. After 8 months of no progress, they finally hired dedicated resources. Suddenly things moved. The CISO told me: "We wasted 8 months because I underestimated the effort. FedRAMP isn't a part-time job."
2. The Vendor Requirement Chain Reaction
Here's something that blindsides almost everyone: every external service that stores, processes, or transmits federal data (or metadata derived from it) must be FedRAMP authorized at your impact level or higher. The only alternative is to pull the service inside your own boundary and have your 3PAO assess it as one of your components, which is realistic for something you host yourself and not for someone else's SaaS. "Equivalent security" on a vendor questionnaire does not count.
This includes:
Your cloud infrastructure provider (AWS, Azure, GCP)
Your monitoring tools
Your logging systems
Your backup services
Your email provider
Your ticketing system
Your identity provider
Literally everything
I worked with a CSP in 2020 that discovered mid-assessment they were using a customer support platform that wasn't FedRAMP authorized. Federal customer data flowed through support tickets. They had three options:
Switch to a FedRAMP-authorized alternative (4-month migration)
Keep federal data out of the system (operational nightmare)
Delay authorization (expensive)
They chose option 1, adding $120,000 and 4 months to their timeline.
Tool Authorization Status Table:
Category | Examples with a FedRAMP authorization (often a separate government edition) | Caveat |
|---|---|---|
Cloud Infrastructure | AWS (GovCloud and the US East/West commercial regions), Azure (Government and Commercial), Google Cloud | Authorization is per service and per region; confirm every service you build on is inside the provider's authorized scope at your impact level |
SIEM/Logging | Splunk Cloud, Sumo Logic, Datadog for Government | A self-hosted stack (for example ELK) is not a vendor question: it sits inside your boundary and you inherit nothing from anyone |
Vulnerability Scanning | Tenable Vulnerability Management (Tenable.io), Qualys | A self-hosted scanner such as Nessus is assessed as one of your components, not as an external service |
Identity Management | Okta (Okta for Government), Ping Identity | The IdP that gates administrative access is almost always inside the boundary |
Communication | Microsoft 365 GCC and GCC High, Google Workspace, GovSlack, Zoom for Government | The commercial editions of the same products are not covered by the government authorization, so federal data must not flow into them |
Ticketing | ServiceNow, Atlassian Government Cloud | Support and ticketing systems are where federal data leaks in quietly (pasted logs, attachments); verify before letting federal data into any of them |
Status changes constantly. The FedRAMP Marketplace (marketplace.fedramp.gov) is the only authoritative source, and "FedRAMP Ready" or "In Process" is not "Authorized."
3. The Configuration Baseline Requirement
Every system component needs a documented security configuration baseline. And I mean everything:
Operating systems
Databases
Applications
Network devices
Security tools
Container images
One CSP I worked with had 247 different server instances. Creating, documenting, and enforcing configuration baselines for all of them took 3 months and required implementing configuration management automation (they chose Ansible).
4. The Evidence Collection Nightmare
You need evidence that every control is working—not just documented, but actually operating effectively. And you need that evidence continuously.
Types of evidence required:
Screenshots of configurations
Logs showing security events
Scan results
Test results
Training completion records
Change tickets
Incident reports
Access reviews
Vulnerability remediation proof
I've seen organizations with poorly organized evidence collection spend months during assessment desperately searching for proof they were doing what they claimed. One client had all the controls implemented but couldn't find evidence. Their 3PAO assessment took 2 extra months just collecting documentation.
Pro tip: Build an evidence collection system from day one. I recommend:
Automated screenshot capture for configuration proofs
Centralized evidence repository (SharePoint, Confluence)
Regular evidence collection schedule (monthly)
Assignment of evidence owners for each control
Regular evidence quality reviews
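The part of that advice people skip is making the repository self-auditing: each artifact should carry a hash and a collection time, and the repository should be able to tell you which controls have nothing fresh. The Python below is an added example, not code from the original article. It keeps a manifest of evidence items keyed by NIST SP 800-53 control ID, hashes each artifact with SHA-256, reports controls whose newest evidence is missing or older than the monthly window grouped by owner, and verifies that a file handed to the 3PAO still matches what was recorded. Owners, timestamps and evidence contents are constructed sample data.

```python
"""Hash-stamped evidence manifest with staleness reporting.

Added example, not from the original article. Control IDs are NIST SP
800-53 identifiers; the owners, timestamps and evidence contents are
constructed sample data, and the 31-day freshness window models the
monthly collection schedule recommended above.
"""
import hashlib
import json
from datetime import datetime, timezone


class EvidenceStore:
    """Manifest of evidence items, each tied to a control, an owner and a SHA-256."""

    def __init__(self):
        self.items = []

    def record(self, control_id, owner, description, content, collected_at):
        """Add one artifact (screenshot, export, report) and return its digest."""
        digest = hashlib.sha256(content).hexdigest()
        self.items.append({
            "control": control_id,
            "owner": owner,
            "description": description,
            "sha256": digest,
            "size": len(content),
            "collected_at": collected_at,
        })
        return digest

    def latest_by_control(self):
        """Newest item per control ID."""
        latest = {}
        for item in self.items:
            current = latest.get(item["control"])
            if current is None or item["collected_at"] > current["collected_at"]:
                latest[item["control"]] = item
        return latest

    def stale_controls(self, required, as_of, max_age_days=31):
        """Controls with missing or aged-out evidence, grouped by owner.

        required maps control ID -> evidence owner. Age is None when no
        evidence has ever been recorded for the control.
        """
        latest = self.latest_by_control()
        report = {}
        for control_id, owner in required.items():
            item = latest.get(control_id)
            age = None if item is None else (as_of - item["collected_at"]).days
            if age is None or age > max_age_days:
                report.setdefault(owner, []).append((control_id, age))
        return report

    def verify(self, control_id, content):
        """True if content matches the newest recorded digest for the control."""
        item = self.latest_by_control().get(control_id)
        return item is not None and item["sha256"] == hashlib.sha256(content).hexdigest()

    def to_json(self):
        """Serialize the manifest; this is what accompanies the evidence to the 3PAO."""
        return json.dumps(self.items, indent=2, sort_keys=True, default=lambda o: o.isoformat())


UTC = timezone.utc
AS_OF = datetime(2024, 9, 30, tzinfo=UTC)
REQUIRED_CONTROLS = {"AC-2": "iam-lead", "AU-6": "soc-lead", "CM-6": "platform-lead", "RA-5": "vuln-lead"}
AC2_EVIDENCE = b"Q3 access review: 212 accounts reviewed, 3 disabled, 0 orphaned"  # constructed


def build_sample_store():
    """Constructed manifest: one fresh control, one stale, one re-collected, one missing."""
    store = EvidenceStore()
    store.record("AC-2", "iam-lead", "quarterly account review export", AC2_EVIDENCE,
                 datetime(2024, 9, 15, tzinfo=UTC))
    store.record("AU-6", "soc-lead", "SIEM weekly review sign-off", b"week 29 review complete",
                 datetime(2024, 7, 20, tzinfo=UTC))
    store.record("CM-6", "platform-lead", "baseline compliance scan", b"baseline run 1: 4 drifts",
                 datetime(2024, 9, 1, tzinfo=UTC))
    store.record("CM-6", "platform-lead", "baseline compliance scan", b"baseline run 2: 0 drifts",
                 datetime(2024, 9, 28, tzinfo=UTC))
    # RA-5 (vulnerability scanning) deliberately has no evidence recorded.
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for owner, controls in store.stale_controls(REQUIRED_CONTROLS, AS_OF).items():
        print(owner, "->", controls)
    print(store.verify("AC-2", AC2_EVIDENCE), store.verify("AC-2", b"edited"))
    print(store.to_json()[:200])
```

The staleness report is what you hand each evidence owner at the monthly review: in the sample, the SOC lead owes fresh AU-6 evidence and the vulnerability lead has never filed anything for RA-5. Recording the hash at collection time also settles the "is this the same screenshot?" argument during assessment.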
The Financial Reality: What It Really Costs
Let's talk real numbers. The official guidance says "$250K-$500K" for moderate authorization. Based on twelve actual implementations, here's what you'll really spend:
Detailed Cost Breakdown
Cost Category | Moderate Impact Range | What It Includes |
|---|---|---|
3PAO Assessment | $150K - $300K | Initial assessment, readiness review, testing, SAR |
Consulting Services | $100K - $400K | Gap assessment, implementation guidance, documentation support |
Tools and Infrastructure | $200K - $600K | SIEM, vulnerability scanning, backup, monitoring, configuration management |
Architecture Changes | $100K - $500K | Network segmentation, encryption, access controls, isolated environment |
Documentation | $50K - $150K | Technical writers, templates, policy development |
Staff Time | $200K - $600K | Internal team salaries during 12-18 month project |
Training | $20K - $50K | FedRAMP training, tool training, security awareness |
Contingency | $80K - $200K | Unexpected issues (there are always unexpected issues) |
TOTAL INITIAL | $900K - $2.8M | First-time authorization |
Annual Maintenance | $150K - $400K | Ongoing 3PAO, monitoring, updates, staff |
Real Client Examples:
Small SaaS (50 employees, simple architecture):
Timeline: 14 months
Cost: $847,000
Outcome: Moderate ATO, 2 federal customers, $6.2M revenue in year 1
Mid-Size Platform (200 employees, complex architecture):
Timeline: 18 months
Cost: $1.9M
Outcome: JAB Moderate, 7 federal customers, $23M revenue in year 1
Enterprise Provider (1000+ employees, multiple services):
Timeline: 22 months
Cost: $4.2M
Outcome: JAB Moderate + working toward High, 15+ federal customers, $89M pipeline
"FedRAMP is expensive—until you land your first federal contract. Then it's the best investment your company ever made."
Common Failure Modes: Learn From Others' Mistakes
I've seen FedRAMP authorizations fail or stall. Here are the patterns:
Failure Mode #1: "We'll Figure It Out As We Go"
Symptom: Starting without proper assessment or planning
Result: Massive scope creep, budget overruns, timeline explosion
Real example: A CRM provider started FedRAMP with no gap assessment. Six months in, they discovered they needed to:
Completely rebuild their architecture
Replace 6 non-compliant vendor tools
Hire 4 additional security staff
Rewrite all their documentation
Their 12-month estimate became 26 months. Their $400K budget became $1.8M.
Lesson: Spend 2-3 months on thorough readiness assessment before starting. It's the best investment you'll make.
Failure Mode #2: "Good Enough" Documentation
Symptom: Generic templates, vague descriptions, missing details
Result: Endless finding cycles, frustrated 3PAO, delayed authorization
Real example: A file storage provider submitted an SSP that used template language throughout. Their 3PAO came back with 300+ findings just on documentation quality. They spent 4 months rewriting before they could even start technical testing.
Lesson: Documentation quality matters as much as technical implementation. Budget for professional technical writers.
Failure Mode #3: "The Intern Can Handle Continuous Monitoring"
Symptom: Under-investing in ongoing compliance after achieving ATO
Result: Failed audits, authorization at risk, emergency remediation
Real example: After achieving ATO, a collaboration platform reduced their compliance team from 4 people to 1.5. Within 6 months:
Their POA&M had 67 overdue items
Vulnerability scans hadn't run in 2 months
Their SSP was 8 months out of date
They had unreported significant changes
Their annual assessment was a disaster. They had to delay it 3 months while doing emergency remediation, costing $230,000.
Lesson: Maintaining FedRAMP costs 60-70% as much as achieving it. Budget accordingly.
Failure Mode #4: "We Don't Need Outside Help"
Symptom: Attempting FedRAMP with no prior experience or external guidance
Result: Inefficiency, mistakes, wasted effort, burnout
Real example: A security-conscious development platform thought, "We're security experts. We don't need consultants." Their internal team spent 8 months developing an SSP. When they finally engaged a 3PAO for readiness review, they discovered:
Their boundary was incorrectly defined
They'd implemented wrong control baselines
Their architecture didn't meet requirements
40% of their documentation was unusable
They had to restart. Total wasted effort: 8 months and $400K.
Lesson: Your first FedRAMP authorization is not the time to learn by doing. Get experienced guidance.
The Path Forward: Your Next Steps
If you're a CSP considering FedRAMP, here's your practical roadmap:
Months 1-2: Discovery and Decision
Week 1-2:
Assess your federal market opportunity
Talk to potential agency customers
Understand their timeline expectations
Calculate potential revenue vs. investment
Week 3-4:
Conduct preliminary gap assessment
Choose impact level (hint: probably Moderate)
Decide JAB vs. Agency path
Build initial business case
Week 5-8:
Hire experienced FedRAMP consultant
Engage with potential 3PAOs (interview 3-4)
Create detailed project plan
Secure executive sponsorship and budget
Months 3-8: Foundation Building
Focus areas:
Implement security tools (SIEM, vulnerability scanning, CMDB)
Rebuild architecture if needed (segmentation, encryption)
Develop policies and procedures
Begin SSP documentation
Train your team
Build evidence collection system
Months 9-14: Assessment and Remediation
Focus areas:
Complete documentation package
Conduct readiness review with 3PAO
Fix identified gaps
Execute formal assessment
Remediate findings
Prepare authorization package
Months 15+: Authorization and Beyond
Focus areas:
Submit package to JAB or agency
Respond to review questions
Receive ATO
Implement continuous monitoring
Start selling to federal customers
Plan for annual assessment
Final Thoughts: Is FedRAMP Worth It?
After helping twelve CSPs through this journey, here's what I know:
FedRAMP is worth it if:
You have a real federal market opportunity (not just theoretical)
You're willing to commit the full resources required
You can afford the 12-18 month investment before seeing returns
You're prepared to maintain compliance indefinitely
Your leadership understands this is a marathon, not a sprint
FedRAMP might not be worth it if:
You're just checking a box with no clear federal strategy
You're hoping to do it "on the cheap"
You expect quick returns
Your architecture would require complete rebuilding
You're not prepared for the ongoing operational overhead
The CSPs I've worked with who succeeded all had one thing in common: they committed fully. They budgeted appropriately, hired the right people, invested in the right tools, and treated FedRAMP as a strategic business initiative, not a compliance project.
The ones who struggled treated it as a side project, underestimated the effort, tried to cut corners, or thought they could "figure it out."
"FedRAMP doesn't care about your business constraints. The controls are what they are. You either meet them, or you don't get authorized. Plan accordingly."
If you're ready to commit—truly commit—FedRAMP can transform your business. The federal market is massive, contracts are lucrative, and authorized CSPs have a significant competitive advantage.
But go in with your eyes open. It's harder than you think, takes longer than you plan, and costs more than you budget.
And it's absolutely worth it.