We have a client we have known since they were just three people in 2019. They are working in healthtech and have built an amazing SaaS platform that uses machine learning to analyze patient medication interactions that may be overlooked by humans, and advises the medical professionals caring for that person. That team has grown over the years, and we have helped them iterate as they incorporate security to protect patient health records. Smart crew, awesome mission, great to work with.
Earlier this year when we spoke, I asked them if they had considered selling their platform to Veterans Affairs. ScaleSec has helped many teams get their Federal Risk and Authorization Management Program (FedRAMP) Authority to Operate (ATO), required to sell cloud based platforms to the government. We shared our FedRAMP whitepaper with them, and said if they ever wanted to know more, as a trusted partner we would love to help them estimate cost and timelines, so they would go into the FedRAMP journey with eyes wide open. They are mulling it over, as it is a big uplift with a huge potential upside with the VA: the civil agency with the largest IT budget.
Why pursue FedRAMP? There are opportunities AND budget for necessary products that have demonstrated commercial success. (Source: whitehouse.gov/ap_14_it_fy2024.pdf)
And did you know the US Department of Defense has a $60B IT budget for 2024? Selling cloud services to the DoD has requirements similar to FedRAMP. (Source: iq.govwin.com)
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP®) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information. In December 2022, the FedRAMP Authorization Act was signed as part of the FY23 National Defense Authorization Act (NDAA). The Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. (Source: fedramp.gov)
For a SaaS company with a robust pipeline and a busy team, the idea of broadening its market to include government clients might seem daunting. Many organizations consider pursuing FedRAMP authorization as a strategy to tap into the lucrative public sector market. Yet the complexity, dedication, and financial investment required to achieve and sustain an ATO are often underestimated. Preparing for a FedRAMP assessment and obtaining authorization demands a high level of readiness in personnel, processes, and technology to meet its stringent standards. And as we say here at ScaleSec: FedRAMP is forever, meaning the ATO comes with continuous monitoring obligations; you must keep demonstrating that the system remains secure long after the initial authorization.
Embarking on this path towards a FedRAMP Authority to Operate (ATO) can be a lengthy endeavor, often stretching over years. Nonetheless, with a well-considered strategy, expanding into the government sector can be a viable and beneficial strategic move for numerous reasons.
- Stable Revenue Stream: Governments typically offer a more stable and reliable revenue stream compared to private sector customers. This stability can be crucial, especially during uncertain economic times.
- Large Contracts: Government contracts are often substantial in size and can lead to significant revenue for a company. These contracts usually span multiple years, providing a long-term income source.
- Reduced Risk: Preparing for FedRAMP means thinking through security for every component of your system. Reducing your likelihood of a system breach aligns well with the goal of earning trust, growing customers, and increasing revenue.
- Diversification: Including government entities in a customer base helps diversify the client portfolio, reducing the risk associated with relying on a limited number of clients or a single sector.
- Reputation and Credibility Enhancement: Winning government contracts can enhance a company's reputation and credibility, not just in the public sector but also in the private sector. This can lead to new business opportunities.
- Compliance and Quality Improvement: Working with government entities often requires adherence to strict standards and regulations. This helps drive improvements in a company's processes and product quality.
- Innovation and R&D Opportunities: Some government contracts, especially in sectors like defense, technology, and healthcare, can encourage innovation and research and development, potentially leading to new product lines or services.
- Economic and Social Impact: Government contracts can align a company with public sector goals such as improving infrastructure, healthcare, or education, contributing positively to society.
Of significant note, FedRAMP permits control inheritance: a SaaS platform can reduce the effort required to obtain an authorization by inheriting controls from vendors that are already authorized. This aligns with the "shared responsibility model," under which controls operated by your cloud provider can be inherited rather than re-implemented. Inheritance is not automatic, though: the provider's authorization must cover the service you actually use at your impact level, and each inherited control still has to be identified as such in your System Security Plan. And it's not just the "hyperscaler" cloud providers: the FedRAMP Marketplace lists over 450 products you can use to build your FedRAMP system.
Yes! There is a "Lite" version …
FedRAMP Tailored LI-SaaS (Low-Impact Software as a Service) is a relatively new baseline designed to accelerate time to market for low-risk SaaS applications. FedRAMP Tailored uses qualifying questions you can review with your sponsor during the categorization of your system. Notably, the system cannot contain any personally identifiable information (PII) beyond the username, password, and email address used to register users.
As a veteran and the leader of a cybersecurity company, I have big feels about empowering our government to utilize shared services as a direct investment in enhancing community health services, disaster relief efforts, and the provision of information resources. When companies embark on this FedRAMP journey, they are bringing the results of commercial success to bear to help our government run more effectively and securely. With controls inheritance, this not only speeds up the potential authorization of these services but also ensures they are delivered in a more secure and reusable manner. Utilizing control inheritance is a key strategy for security and compliance experts to collaborate and expedite this process of investment.
If this sounds daunting to you, I get it. I have the data you need to help you make an informed decision that you can share with your broader leadership team. Maybe 2024 is the year?
I'm ready to share straight talk so you can determine when the timing could be right for you to prepare your platform to sell to the government. Reach out to me or my colleagues here at ScaleSec.