“Move fast and break things” is absolutely insane for the things that let us all sleep soundly at night…
This is for a lot of very benign government tools that that are expensive, stodgy, with very little competition.
Founded in 2011.
> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.
Seems pretty bland to me. I'm not worried about this one.
See for example: https://fedscoop.com/google-earns-fedramp-high-authorization...
And this announcement is basically just that they're going to massively lower the bar.
The FedRAMP bar was always dumb.
I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.
To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.
A lot of the innovation on the security vendor side is happening at early-mid stage startups, but sinking $15-20M and 1.5- 2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.
Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway.
I know. I have never had an issue with FedRAMP as a single marketplace. The issue has always been arbitrary compliance requirements
> Startups are always problematic for government procurement
Absolutely, and ensuring that they are within a verified marketplace such as that which FedRAMP intended to make is good.
The issue is the upfront cost to become FedRAMP compliant is so high, that most vendors do not even try until extremely late in their lifecycle.
Furthermore, a lack of vendors does lead to extremely suboptimal pricing. There is some cost to recoup from going through FedRAMP compliance hurdles, but a lot of it is also because once you are FedRAMP compliant, depending on the tooling, you have a captive market with maybe 1 or 2 competitors.
> Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway
I'm not talking about SIs or MSSPs. I'm talking about specific FedRAMP compliance partners. They provide no value except checkboxing, but all of vendors need to partner with them.
You forgot that it costs at min $1M to get certified up to several dozen millions once everything is said and done; and that does not guarantee any government contracts or agency purchases. You have to basically be a big player that can put up the money and because by any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.
The research I’ve done pegs the cost at $500,000 to $1.5 million.
That actually is “small SaaS company” territory.
And don’t forget that VCs throw more money than that around for much riskier propositions. The whole VC business is that you’ll have 1 success and 10 failures, throwing $2 million in hopes of landing a government contract (stable revenue above market rates) is probably a great investment for a lot of small/medium sized companies.
The 3paos can do FedRAMP audits for much lower. I've seen as low as $150k. We dropped our auditor for another because we were priced at $X, but when they came into our office and saw that we bring in a ton of money (we used to have our sales info on every screen on every floor of the office) they updated their pricing for next year's audit.
We were also a pretty small startup (~50 people?) but were focused solely on government data storage and management, so it made a lot of sense for us to get the certification. It definitely paid for itself in the number of contracts it unlocked.
These are deeply nontechnical people attempting to enforce regulations drafted by deeply nontechnical people (typically academics that graduated from an Ivy but have zero industry experience, like the folks at modern-day RAND) and it's just a clown show all the way down.
See: Okta being compromised, and their FedRamp High environment remaining secure:
https://www.meritalk.com/articles/okta-hack-didnt-touch-fedr...
First FedRAMP high is extremely strict. Most ATOs are NOT for FedRAMP high. Most people are good with a FedRAMP moderate.
Also, this doesn't mean the security controls are what stopped those other environments from being hacked. The other systems are just separate, that's why they weren't hacked with everything else.
Overall I think FedRAMP is good, because it at least gets somewhat of a baseline. But the other guy was pretty spot on. The auditors generally have no idea what they're looking at, there are a lot of security controls that don't make sense under many contexts and it is mostly a dog and pony show.
And really, it's not like these departments didn't have some type of due diligence to acquiring software, FedRAMP just makes it standardized and allows departments/agencies to piggyback off of other department/agency's due diligence.
I've been a Engineer, PM, and VC in the cybersecurity for more than a decade now, and most of us would need to spend $15-20M and 1.5-2 years just to get FedRAMP compliance.
In return, most vendors charge significantly higher than private sector rates despite selling the exact same product. And usually, an oligopoly forms per security feature.
Making it easier to have multiple vendors makes it easier for federal agencies to negotiate a competitive price.
Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.
Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a li-saas and then later a moderate ATO to encompass more of our products.
The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additinoal salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.
The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.
That's kind of cheating, no? It's practical but "I moved the company to a hosting provider that already did all of the hard bits" understates the difficulty.
Former you can lift and shift easily. For later it's multimillion investment that takes a bunch of time to implement
I think cost was around $15m
It’s probably a good thing.
Its quite funny to see the comments complaining about "lowering the bar" when FedRAMP compliance is essentially a compliance regime that is so convoluted that most startups wouldn't be able to afford the entry barrier.
Now, there is a chance that a smaller vendor could feasibility compete with a massive consultancy like Accenture since the artificial barriers have been decreased.
FedRAMP compliance are also required for SaaS vendors. Datadog is famous for having it (and it took them awhile)
It's not suitable for more complicated services.
On the upside, pmo seems to stop reviewing packages. It should resolve certification delays
There is a problem though. With so many companies moving projects to the cloud, the government would need to take time to verify everyone is as secure as they're supposed to be. But that would require a huge number of new employees (thus $$$) and it would still take a lot of time. So how does the government make sure they're all secure before they send them secret data? Here's a tip:
> The concept emphasizes security over compliance
Huh? How can you have security without compliance?
Afaik, "compliance" means "we make sure they're as secure as they say they are". And how do they do that? For the past few years at least, it's involved a process called self-attestation. The company fills out a bunch of forms, and sends them to the government, saying "we promise we are doing all these things like you told us to". And then the government... takes them at their word. As you can imagine, with millions/billions of dollars to earn, companies might be incentivized to fudge it a bit. And fudge it they do... (not just FedRAMP, but NIST 800-54, 800-171, CMMC v1/2/3, etc etc).
Now, with so many companies and use cases, there are obviously some things that won't apply to some companies, so it would be nice if they could avoid that red tape. With the old processes, if you were actually doing things the right way, it could take a company between 6 months and 1 year to set everything up securely / the way the govt wants it. There's a whole cottage industry dedicated to helping companies understand how the fuck to follow these regulations. But since that's expensive and time consuming.... a lot of companies just fudge it, or call a friend who knows a friend who knows a General.
That was the state of things before this "20x" version of FedRAMP was released. Personally I was not thrilled by the state of things before, but this seems to be both accelerating the process, and providing less oversight. Not great for the military, not great for national security, but really great for "industry" and any military branch getting a contract faster and cheaper than otherwise.
(disclaimer: i'm a noob in this area, but I dipped my toes in last year, and "shitshow" would be one way to put it...)
And the Venn diagram has less overlap than you might think.
RFC-0005: Minimum Assessment Scope Standard, https://github.com/FedRAMP/rfcs/discussions/17
RFC-0006: 20x Phase One Key Security Indicators, https://github.com/FedRAMP/rfcs/discussions/18
RFC-0007: Significant Change Notification Standard, https://github.com/FedRAMP/rfcs/discussions/19
RFC-0008: Continuous Reporting Standard, https://github.com/FedRAMP/rfcs/discussions/27
echelon•5h ago
Is this Oracle (or whomever) getting government cloud contracts without a bidding / RFP process?
Is there adequate security review being done?
tcfunk•5h ago
ritwikgupta•5h ago
Normally this can take a lot of time and monetary investment. On one hand, these processes encode cybersecurity best practices. On another hand, it keeps new companies out of the market.
It seems this effort is doing away with a lot of those processes. I hope the level of compliance stays the same.
tguvot•4h ago
kaydub•3h ago
ksec•5h ago
Edit: Another comments actually replied it is much more than hosting but cloud services like BOX. I assume even SaaS could fall into this category.
cyberge99•4h ago
tguvot•4h ago
Spooky23•3h ago
tomrod•4h ago
It takes some investment, but it is cheaper than each company jumping through arbitrary hoops and opens most of the federal government as a client.
It was part of the brainchild of GSA's 18F, recently DOGE'd.
_bin_•4h ago
ecb_penguin•3h ago
Do you think vomiting a negative talking point without understanding it is considered "smart"?