You need to know what FedRAMP is. Don't even bother clicking on the link until you do.
Founded in 2011.
> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.
Seems pretty bland to me. I'm not worried about this one.
It's a bland title for a key thing: It sets compliance standards for government use of cloud computing. Even companies like Google have had massive projects to get FedRAMP compliant so that the federal government can use their services.
And this announcement is basically just that they're going to massively lower the bar.
stackskipton · 16h ago
I used to work on FedRAMP and I’m fine with it. It’s just like SOC2 compliance, mostly a dog and pony show for auditors who have a conflict of interest and no clue what they are auditing.
tw04 · 15h ago
That’s just easily and provably not true. FedRamp is absolutely not “mostly dog and pony”.
See: Okta being compromised, and their FedRamp High environment remaining secure:
Your example doesn't give details so it doesn't mean much.
First, FedRAMP High is extremely strict. Most ATOs are NOT for FedRAMP High. Most people are good with FedRAMP Moderate.
Also, this doesn't mean the security controls are what stopped those other environments from being hacked. The other systems are just separate; that's why they weren't hacked with everything else.
Overall I think FedRAMP is good, because it at least gets somewhat of a baseline. But the other guy was pretty spot on. The auditors generally have no idea what they're looking at, there are a lot of security controls that don't make sense in many contexts, and it is mostly a dog and pony show.
And really, it's not like these departments didn't have some type of due diligence for acquiring software; FedRAMP just makes it standardized and allows departments/agencies to piggyback off of other departments'/agencies' due diligence.
MrDarcy · 12h ago
The dog and pony show isn’t the point. Most companies are not blatantly committing fraud, especially against the federal government. It’s just not worth it. The process of thinking about the controls and speaking to them itself results in demonstrably more secure operating environments.
fnordpiglet · 2h ago
I worked extensively on FedRAMP compliance at multiple places, including top cloud providers and banks. It’s considered the high-bar standard globally and, other than Australia's IRAP, the baseline such that if you can meet it you satisfy almost all other compliance programs, so it’s the key program to meet.
Compliance is always a dog and pony show. It’s how you show your dogs and ponies to auditors whose job it is to judge your dog and pony. You get a fairly broad selection of auditors and there’s definitely a theatre to the compliance process. However it doesn’t mean you don’t do the work then pretend you did, because being found in non compliance - or worse willful non compliance (by treating it as a dog and pony show intentionally) - has serious consequences. The willful version is criminal.
The practices required are frankly what most people versed in security practice consider baseline. Most software however is written by people who don’t know much about security, aren’t particularly skilled, and are managed by managers who care less and know less. The people who know and agitate for better are treated as ivory tower non-commercial people and are managed out to other presumably better companies with less influential products because they spent time on security instead of feature grabs.
I read the post and it talked a lot about accelerating fedramp by focusing less on compliance and more on security, which is like saying the bank is focusing more on a nicer vault and less on making sure the money is still there. It also lauded the enormous amount of integration of xAI into the program, which is essentially corruption at best, and transfer of massive amounts of sensitive security disclosure to an entity of poor repute for integrity. (See their methane gas turbine willful non compliance in Nashville). Everything I read made me remember this is the administration trying to jail Krebs for telling the truth.
sidewndr46 · 4h ago
The article points out this is just due to it being a separate system. If anything, your argument is one against cloud computing and SaaS where your data is intermingled with everyone elses.
tw04 · 4h ago
It’s a separate environment with STRICTER security requirements. That’s the point….
sidewndr46 · 4h ago
Where does it say that the FedRAMP was not affected due to stricter security requirements?
tguvot · 2h ago
Okta was hacked through employee credentials stored in a private Google account that got compromised.
FedRAMP requires two-factor authentication with the second factor being a physical token.
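As an added illustration of what "second factor must be a physical token" means operationally, here is example code added to this thread (not from the commenter, not from Okta, and not FedRAMP's own control language) that audits sign-in events by their `amr` (Authentication Methods References) claim as defined in RFC 8176. The mapping of `hwk` (hardware-secured key) and `sc` (smart card) to "physical token", and of `otp`/`sms`/`tel`/`swk` to phishable second factors, is this example's assumption; the event format and the events themselves are constructed.

```python
"""Audit sign-in events for a hardware-bound second factor.

Classifies each session by the 'amr' (Authentication Methods References)
values from RFC 8176 and reports sessions that do not meet a
password-plus-physical-token policy. Sample events are constructed.
"""
import json
from dataclasses import dataclass

# RFC 8176 method references. Which ones count as a "physical token" is an
# assumption of this example: 'hwk' = proof of possession of a hardware-secured
# key, 'sc' = smart card. The other sets are treated as knowledge factors and
# as phishable second factors respectively.
HARDWARE_FACTORS = {"hwk", "sc"}
KNOWLEDGE_FACTORS = {"pwd", "pin", "kba"}
PHISHABLE_SECOND_FACTORS = {"otp", "sms", "tel", "swk"}


@dataclass(frozen=True)
class Finding:
    user: str
    session: str
    reason: str


def classify(amr):
    """Return 'hardware_mfa', 'weak_mfa' or 'single_factor' for one amr list."""
    # 'mfa' is a summary flag in RFC 8176, not a method, so it is not counted.
    methods = set(amr) - {"mfa"}
    if methods & HARDWARE_FACTORS and methods & KNOWLEDGE_FACTORS:
        return "hardware_mfa"
    if len(methods) >= 2:
        # e.g. password + TOTP/SMS: two factors, but the second one is phishable
        return "weak_mfa"
    return "single_factor"


def audit(events_jsonl, policy="hardware_mfa"):
    """Parse JSON-lines sign-in events and return a Finding for every session
    whose authentication level differs from the required policy."""
    findings = []
    for line in events_jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        level = classify(event.get("amr", []))
        if level != policy:
            findings.append(Finding(event["user"], event["session"], level))
    return findings


# Constructed sample events (hypothetical users and session ids).
SAMPLE_EVENTS = """
{"user": "alice", "session": "s-1", "amr": ["pwd", "hwk", "mfa"]}
{"user": "bob",   "session": "s-2", "amr": ["pwd", "otp", "mfa"]}
{"user": "carol", "session": "s-3", "amr": ["pwd"]}
{"user": "dave",  "session": "s-4", "amr": ["pin", "sc", "mfa"]}
{"user": "erin",  "session": "s-5", "amr": ["pwd", "sms"]}
"""

if __name__ == "__main__":
    # Prints bob (weak_mfa), carol (single_factor) and erin (weak_mfa);
    # alice and dave satisfy password-plus-hardware-token.
    for finding in audit(SAMPLE_EVENTS):
        print(f"{finding.user} {finding.session}: {finding.reason}")
```

The point the check makes concrete is that "MFA was on" is not the same statement as "the second factor was hardware-bound": a password plus an OTP or SMS code still classifies as `weak_mfa` and is reported, whereas a smart card plus PIN passes.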
hoseyor · 16h ago
I wish I could vote more for this.
You forgot that it costs at min $1M to get certified up to several dozen millions once everything is said and done; and that does not guarantee any government contracts or agency purchases. You have to basically be a big player that can put up the money and because by any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.
TranquilMarmot · 14h ago
We got FedRAMP certified at a previous job. At first I balked at you saying it cost $1M but, doing some back-of-the-napkin math, that's probably pretty accurate once you take into account the salaries of everybody involved, time that we had to spend figuring out all the auditing, outside companies we had to hire and involve, and extra cloud costs and setup. Not to mention the ongoing cost of maintaining all of that and ongoing audits.
We were also a pretty small startup (~50 people?) but were focused solely on government data storage and management, so it made a lot of sense for us to get the certification. It definitely paid for itself in the number of contracts it unlocked.
kaydub · 15h ago
You are getting ripped off.
The 3PAOs can do FedRAMP audits for much lower. I've seen as low as $150k. We dropped our auditor for another because we were priced at $X, but when they came into our office and saw that we bring in a ton of money (we used to have our sales info on every screen on every floor of the office) they updated their pricing for next year's audit.
justincormack · 8h ago
Fedramp 20x is an attempt to change this and make it much cheaper and simpler to pass, via modernization.
dangus · 15h ago
Honestly if those numbers you’re providing are accurate, that’s not a lot of money.
The research I’ve done pegs the cost at $500,000 to $1.5 million.
That actually is “small SaaS company” territory.
And don’t forget that VCs throw more money than that around for much riskier propositions. The whole VC business is that you’ll have 1 success and 10 failures, throwing $2 million in hopes of landing a government contract (stable revenue above market rates) is probably a great investment for a lot of small/medium sized companies.
xvector · 15h ago
Anything involving auditors or policy people in tech turns into a clown show. Dunno what it is like for other industries (but my friends in pharmaceutical research feel similarly).
These are deeply nontechnical people attempting to enforce regulations drafted by deeply nontechnical people (typically academics that graduated from an Ivy but have zero industry experience, like the folks at modern-day RAND) and it's just a clown show all the way down.
voidfunc · 15h ago
That's the point. It's all designed to setup a huge moat around products and service providers that can play the game.
estebarb · 16h ago
It feels like enforcing that everything must be written in Ada. And then relaxing the requirement... history always repeats itself, it seems.
solardev · 16h ago
Sounds like a good time to invest in Russian VPS hosts.
alephnerd · 16h ago
> And this announcement is basically just that they're going to massively lower the bar
The FedRAMP bar was always dumb.
I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.
To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.
A lot of the innovation on the security vendor side is happening at early-mid stage startups, but sinking $15-20M and 1.5-2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.
Spooky23 · 15h ago
It’s mostly an easy button for procurement officers. You’re required to meet the control standards that FedRAMP requires anyway, and it saves months of the customer’s time to do it once.
Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway.
alephnerd · 15h ago
> It’s mostly an easy button for procurement officers
I know. I have never had an issue with FedRAMP as a single marketplace. The issue has always been arbitrary compliance requirements
> Startups are always problematic for government procurement
Absolutely, and ensuring that they are within a verified marketplace such as that which FedRAMP intended to make is good.
The issue is the upfront cost to become FedRAMP compliant is so high, that most vendors do not even try until extremely late in their lifecycle.
Furthermore, a lack of vendors does lead to extremely suboptimal pricing. There is some cost to recoup from going through FedRAMP compliance hurdles, but a lot of it is also because once you are FedRAMP compliant, depending on the tooling, you have a captive market with maybe 1 or 2 competitors.
> Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway
I'm not talking about SIs or MSSPs. I'm talking about specific FedRAMP compliance partners. They provide no value except checkboxing, but all of vendors need to partner with them.
drivingmenuts · 14h ago
Well, it explains why all the SV billionaires were so hot to get Trump in office. Basically, a taxpayer funded payday for them.
mindslight · 13h ago
Trump is basically living the dream of every computer illiterate boomer who responds to a text message asking for their bank account details so stolen money can be deposited. "This cyber thing is pretty great. I've been saying this for a long time, thanks J-Kush. By the way, I said, I'm sorry for calling you 'mid' yesterday. Am I am I using that right? I am using that right. I'm not doing that to brag, because, you know what, I don't have to brag."
SomaticPirate · 16h ago
Everyone in startups should be a fan of this. More competition in government space is a net benefit for everyone.
It's quite funny to see the comments complaining about "lowering the bar" when FedRAMP compliance is essentially a compliance regime that is so convoluted that most startups wouldn't be able to afford the entry barrier.
Now, there is a chance that a smaller vendor could feasibly compete with a massive consultancy like Accenture since the artificial barriers have been decreased.
FedRAMP compliance is also required for SaaS vendors. Datadog is famous for having it (and it took them a while).
bluedino · 15h ago
Every FedRAMP/GRC cloud service seems to be some funky version that's missing features or behind on releases
solatic · 11h ago
FedRAMP High requires having separate operators (developers are not allowed to deploy directly to production). Being behind on features is considered a feature, not a bug.
tguvot · 15h ago
Updates of service that alter controls, change crypto libraries and some other stuff require assessment and approval.
For most companies it's easier to just update it once a year, if ever.
So, is there any evidence of actual improvement in anything that taxpayers care about?
Spooky23 · 15h ago
The .gov will be able to host cloud products in their tenants, and get the ability to do so more quickly. Perhaps cheaper.
It’s probably a good thing.
alephnerd · 16h ago
Better procurement rates.
I've been an Engineer, PM, and VC in cybersecurity for more than a decade now, and most of us would need to spend $15-20M and 1.5-2 years just to get FedRAMP compliance.
In return, most vendors charge significantly higher than private sector rates despite selling the exact same product. And usually, an oligopoly forms per security feature.
Making it easier to have multiple vendors makes it easier for federal agencies to negotiate a competitive price.
kaydub · 14h ago
If it's costing $15-$20M to get a FedRAMP ATO you are probably doing at least some things VERY wrong. A ton of the security controls you should already be implementing in ANY environment.
Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.
Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a li-saas and then later a moderate ATO to encompass more of our products.
The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additional salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.
The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.
tguvot · 14h ago
I work for an established SaaS company with a rather large and complicated system. For FedRAMP we had to build a new dedicated environment (because it was impossible to certify the existing one, which is hybrid and located in multiple countries), hire dedicated US personnel (agency requirements) and redo a bunch of internal processes to comply with FedRAMP controls.
I think cost was around $15m
alephnerd · 12h ago
This.
Spivak · 14h ago
> I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls
That's kind of cheating, no? It's practical but "I moved the company to a hosting provider that already did all of the hard bits" understates the difficulty.
tguvot · 12h ago
There is also a difference between a dozen VMs or containers that were developed in the last couple of years by a startup and a hybrid behemoth with "legacy tech" that is developed and supported by hundreds of people over decades.
The former you can lift and shift easily. For the latter it's a multimillion investment that takes a bunch of time to implement.
0xbadcafebee · 15h ago
So for y'all who haven't been involved with DoD/secret/etc. cloud projects, there's a bunch of jargon to learn, but suffice to say there are a lot of legally-required standards that define the right way to run secure government IT. It's normal good practice, but cranked up, standardized, and verified.
There is a problem though. With so many companies moving projects to the cloud, the government would need to take time to verify everyone is as secure as they're supposed to be. But that would require a huge number of new employees (thus $$$) and it would still take a lot of time. So how does the government make sure they're all secure before they send them secret data? Here's a tip:
> The concept emphasizes security over compliance
Huh? How can you have security without compliance?
Afaik, "compliance" means "we make sure they're as secure as they say they are". And how do they do that? For the past few years at least, it's involved a process called self-attestation. The company fills out a bunch of forms, and sends them to the government, saying "we promise we are doing all these things like you told us to". And then the government... takes them at their word. As you can imagine, with millions/billions of dollars to earn, companies might be incentivized to fudge it a bit. And fudge it they do... (not just FedRAMP, but NIST 800-54, 800-171, CMMC v1/2/3, etc etc).
Now, with so many companies and use cases, there are obviously some things that won't apply to some companies, so it would be nice if they could avoid that red tape. With the old processes, if you were actually doing things the right way, it could take a company between 6 months and 1 year to set everything up securely / the way the govt wants it. There's a whole cottage industry dedicated to helping companies understand how the fuck to follow these regulations. But since that's expensive and time consuming.... a lot of companies just fudge it, or call a friend who knows a friend who knows a General.
That was the state of things before this "20x" version of FedRAMP was released. Personally I was not thrilled by the state of things before, but this seems to be both accelerating the process, and providing less oversight. Not great for the military, not great for national security, but really great for "industry" and any military branch getting a contract faster and cheaper than otherwise.
(disclaimer: i'm a noob in this area, but I dipped my toes in last year, and "shitshow" would be one way to put it...)
paulddraper · 12h ago
Most people in the security space realize there are two things you do: (1) things for security (2) things for compliance.
And the Venn diagram has less overlap than you might think.
tguvot · 15h ago
Fedramp 20x as of now is only for low impact services that are hosted on fedramp authorized cloud.
It's not suitable for more complicated services.
On the upside, the PMO seems to be stopping its review of packages. That should resolve certification delays.
tw04 · 17h ago
If there’s one thing I don’t really want to see “accelerated” it’s the pace at which our state secrets add new, unvetted technology.
“Move fast and break things” is absolutely insane for the things that let us all sleep soundly at night…
derektank · 16h ago
FedRAMP services, even FedRAMP High services, aren't authorized to host classified material. My understanding is that those agreements are still largely negotiated directly between the intelligence / defense services and the big providers, such as the Joint Warfighting Cloud Capability contract. FedRAMP is a program for vetting SaaS services for use by government agencies broadly. FedRAMP Moderate and High certified services are qualified to host Controlled Unclassified Information, which might be sensitive and held by either the government or private companies like defense contractors, but I wouldn't call them state secrets per se
lordofgibbons · 16h ago
This is a false dichotomy. There's a massive grand canyon sized gulf between "unvetted technology" and whatever the hell SAP/Oracle/Tyler-Technologies are.
paulddraper · 12h ago
FedRAMP can’t have classified data.
This is for a lot of very benign government tools that are expensive, stodgy, with very little competition.
echelon · 17h ago
What is this, exactly?
Is this Oracle (or whomever) getting government cloud contracts without a bidding / RFP process?
Is there adequate security review being done?
_bin_ · 16h ago
The point here is to avoid the oracles of the world getting everything. Please trust me on this one: fedramp isn’t really about security. Compliance with it doesn’t ensure it and noncompliance doesn’t preclude it. It was okay when originally released but that’s not been the case for years now.
tcfunk · 17h ago
Oracle was already on the FedRAMP list I think. AFAIK this is about getting smaller cloud providers approved to host government projects so there’s more options available.
ritwikgupta · 16h ago
This is about changing the way FedRAMP accreditation is done for any cloud service, like Box (or a new SaaS that you may create tomorrow). The FedRAMP process requires you go through a certain set of audits, meet a certain set of standards, etc., in order to be approved to host CUI (IL4/5) or SECRET (IL6) information.
Normally this can take a lot of time and monetary investment. On one hand, these processes encode cybersecurity best practices. On another hand, it keeps new companies out of the market.
It seems this effort is doing away with a lot of those processes. I hope the level of compliance stays the same.
kaydub · 14h ago
I'm pretty sure IL4/5/6 are all outside the scope of FedRAMP
tguvot · 16h ago
IL 4/5/6 actually add a bunch of additional controls and parameters on top of standard fedramp baselines
ksec · 16h ago
But why would any agency choose smaller cloud providers other than Oracle, AWS, Azure and Google? They are the lowest risk selection in terms of responsibility.
Edit: Another comment actually replied that it is much more than hosting, but cloud services like Box. I assume even SaaS could fall into this category.
Spooky23 · 15h ago
They tend to converge on each other. Also the Feds may have particular needs for connectivity, location, etc.
cyberge99 · 16h ago
To stay off the radar. To do shady stuff at a small company that you can easily control/manipulate.
justincormack · 8h ago
SaaS companies, not just cloud providers.
tguvot · 16h ago
SaaS is the most common use case.
ecb_penguin · 15h ago
Serious question: Why don't you spend a few minutes learning about it, rather than throwing negative comments out?
Do you think vomiting a negative talking point without understanding it is considered "smart"?
tomrod · 16h ago
FedRAMP is a set of technologies vetted by a common standard by GSA. It assists in moving technologies from one-off authority to operate (ATO) with a specific CIO office in an agency or department to a shared standard.
It takes some investment, but it is cheaper than each company jumping through arbitrary hoops and opens most of the federal government as a client.
It was part of the brainchild of GSA's 18F, recently DOGE'd.
[1]: https://en.wikipedia.org/wiki/FedRAMP
See for example: https://fedscoop.com/google-earns-fedramp-high-authorization...
https://www.meritalk.com/articles/okta-hack-didnt-touch-fedr...
RFC-0005: Minimum Assessment Scope Standard, https://github.com/FedRAMP/rfcs/discussions/17
RFC-0006: 20x Phase One Key Security Indicators, https://github.com/FedRAMP/rfcs/discussions/18
RFC-0007: Significant Change Notification Standard, https://github.com/FedRAMP/rfcs/discussions/19
RFC-0008: Continuous Reporting Standard, https://github.com/FedRAMP/rfcs/discussions/27