The threat of hackers and/or hostile foreign governments using malicious code to gain backdoor access to US government IT infrastructure is a major national security risk. Just consider the implications and liabilities of a software system that provides third-party access to one of America’s critical infrastructures (ie, power grid, water utilities, transportation system), and the consequences of a cyber breach. So software companies that want to sell their products to the US government must make sure they deliver a product that doesn’t contain malicious code, ransomware, or other “hidden hands” planted by a hostile foreign intelligence service. As the US Department of Defense (DOD) and other agencies transition to an era of global cyberwarfare and virtual battlefields, new companies are emerging to fill the desperate cyber needs of the Pentagon. This year alone, US federal agencies will purchase more than $80 billion in private IT solutions, $9 billion of which will go to cloud-based solutions. But it’s not enough to just have innovative cloud-based software — it also needs to be secure.
With the recent explosion of apps, software solutions, and the Internet of Things (IoT), it’s inevitable that every startup in Silicon Valley, down to the inept teenage entrepreneurs writing revolutionary code in their parents’ garages, wants to sell their products and services to the US federal government. Uncle Sam’s sales potential is almost limitless – just ask any major defense contractor who is taking advantage of the almost $800 billion spent annually on defense. However, cracking the federal space isn’t just about having the best product or service — it’s also about implementing effective cybersecurity protocols.
Vendors must be aware of the great threat posed by economic espionage to the US (in the public and private sectors) and, therefore, provide technology that limits backdoor access to online platforms. With the theft of intellectual property costing the United States around $200 to $600 billion per year, those who sell to the government must ensure that they deliver a product that does not contain malicious code, ransomware, or other “hidden hands” planted by an adversary foreign intelligence service. To take this a step further, consider the implications and liabilities of a software system that gives a third party access to one of America’s critical infrastructures (ie, power grid, water utilities, transportation system), and the consequences of a breach.
Asymmetric military campaigns are no longer the exception, they are the rule. Consequently, defense spending is no longer just for the purchase of military hardware. As the US Department of Defense (DOD) and other agencies transition to an era of global cyberwarfare and virtual battlefields, new companies are emerging to fill the desperate cyber needs of the Pentagon. This year alone, US federal agencies will purchase more than $80 billion in private IT solutions, $9 billion of which will go to cloud-based solutions.
Unfortunately, just having the latest cloud-based software isn’t enough – it also needs to be secure. The threat of hackers and/or hostile foreign governments using malicious code to gain backdoor access to US government IT infrastructure is a major national security risk. As a result, businesses looking to sell their cloud services to federal agencies must first comply with a regulation known as Federal Risk and Authorization Management Program (FedRAMP). Think of it as the official security seal of approval for selling cloud computing solutions within the Washington DC beltway.
FedRAMP is a government-wide program for accrediting cloud services for consumption by US federal and DOD agencies. Its purpose is to drive the adoption of secure cloud services throughout the government by providing a standardized approach to security assessment, authorization, and continuous monitoring for cloud technologies. The program is administered by the General Services Administration (GSA) FedRAMP Program Management Office (PMO). Every cloud service — software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) — must receive a Joint Accreditation Board (JAB) Provisional Authority To Operate (P-ATO) or an Agency ATO prior to consumption by a US government agency.
General (Ret.) Frank McKenzie, executive director of the Florida Center for Cybersecurity and the Global and National Security Institute at the University of South Florida and former Commander, US Central Command, told us in an interview: “While the FedRAMP process is extremely important to ensure that the software shared on government platforms – especially DoD platforms – does not contain malicious code or back doors that our adversaries can exploit, we also need to know that we cannot stop technology or competitive advantages due to bureaucracy and unnecessary red tape.”
To become FedRAMP certified, a prospective vendor – known as a cloud service provider (CSP) – must undergo a rigorous third-party review by a FedRAMP-recognized Third Party Assessment Organization (3PAO). The 3PAO is responsible for ensuring that the CSP and its software offering meet the security requirements, as set out in National Institute of Standards and Technology (NIST) guidelines.
When all the checks are complete and the cloud service has successfully achieved authorization, the next stop is a listing on the FedRAMP Marketplace. This website is the one-stop shop for agencies to find cloud services that have been tested and approved as safe to use, making it easier to find out whether an offering meets the security requirements. Once a software platform is listed, the provider is almost guaranteed to win more government contracts. Currently there are around 300 providers, from software leaders Adobe and Box to Xerox and Zoom. (Note: Just because a provider is on the FedRAMP Marketplace does not mean it is immune to threats. For example, Adobe was involved in one of the largest data breaches of the 21st century in 2013, and Zoom recently resolved as many as four exploitable security flaws in its code.)
It should be comforting to know that taxpayer dollars are at least trying to ensure that software purchased by the US government is secure and free of compromise. But here’s the kicker: The cost to get your FedRAMP certification isn’t a few hundred bucks. It’s not even a few thousand dollars… or tens of thousands. The cost to get your FedRAMP certification can run anywhere from $400,000 to over a million dollars. That price could be a drop in the bucket for a Fortune 500 company or even a Silicon Valley tech startup with deep-pocketed investors. However, the aspiring entrepreneur with a great software product can be left out in the cold. But don’t think for a minute that only those who can pay-to-play can get on board. On the contrary, FedRAMP certification is not a given, even for those who can afford it. The testing process is rigorous, as are the ongoing assessments. It can also take anywhere from six months to two years to get your ATO.
According to John Verry, managing partner at Pivot Point Security, a leading cybersecurity firm, “More than other cybersecurity frameworks such as ISO 27001 and SOC 2, FedRAMP requires a strong commitment from top management because it requires an initial and ongoing commitment of resources/dollars during the initial certification effort, operating an ongoing monitoring program, and annual assessments. In a typical sales call, we spend as much (or more) time determining whether there is a return on investment in the business as we do on the process/impact of building a FedRAMP-compliant cybersecurity program.”
So, the question becomes, is FedRAMP worth the investment? If you want to take your software company to the next level, the short answer is a resounding yes. FedRAMP almost guarantees that your million-dollar investment will double, triple, quadruple, or more in contract value. Take, for example, the popular business software company Salesforce, whose customer relationship management (CRM) technology is one of the most widely used in the private sector. After being approved for the FedRAMP Marketplace in 2014, Salesforce won more than 1,400 contracts with agencies such as the Department of Homeland Security, the Department of State, and the National Science Foundation. Its contract with the Department of Veterans Affairs alone is worth $260 million. It’s safe to say Salesforce has benefited greatly from FedRAMP.
On December 23, 2022, the Biden Administration signed the FedRAMP Authorization Act into law, which is intended to streamline the FedRAMP approval process. This should hopefully bring new vendors with more competitive tech offerings into the government space. The US government could certainly use a wider selection of cyber options. With the urgent need to upgrade Uncle Sam’s computing power, maybe it’s the right time for the bright minds developing the next big thing in their garage to get their cloud-based software noticed. Let’s just hope their cybersecurity measures are up to the task.