What It Takes to Sell Cloud-Based Software to the U.S. Government
The threat of hackers and/or hostile foreign governments using malicious code to gain backdoor access into the U.S. government’s IT infrastructure is a tremendous national security risk. Just imagine the implications and liabilities of a software system that provided third-party access to one of America’s critical infrastructures (e.g., power grid, water utilities, transportation systems), and the consequences of a cyber breach. That’s why software companies that want to sell their products to the U.S. government must ensure that they are delivering a product that is free of malicious code, ransomware, or some other “hidden hand” implanted by a hostile foreign intelligence service. As the U.S. Department of Defense (DOD) and other agencies transition into an era of global cyberwarfare and virtual battlefields, new companies are emerging to fill the Pentagon’s desperate cyber needs. This year alone, U.S. federal agencies will purchase more than $80 billion in private IT solutions, $9 billion of which will go towards cloud-based solutions. But simply having innovative cloud-based software is not enough — it must also be secure.
With the recent explosion of apps, software solutions, and the Internet of Things (IoT), it’s fairly inevitable that every Silicon Valley start-up, down to those scrappy teenage entrepreneurs writing revolutionary code in their parents’ garages, would want to sell their products and services to the U.S. federal government. The sales potential to Uncle Sam is virtually unlimited — just ask any major defense contractor who has taken advantage of the roughly $800 billion spent annually on defense. However, cracking into the federal space isn’t just about having the best product or service — it’s also about implementing effective cybersecurity protocols.
Vendors must be cognizant of the enormous threat that economic espionage poses toward the U.S. (both in the public and private sectors) and, therefore, provide technology that limits backdoor access to online platforms. With intellectual property theft costing the United States around $200 to $600 billion per year, those selling to the government must ensure that they are delivering a product that is free of malicious code, ransomware, or some other “hidden hand” implanted by a hostile foreign intelligence service. Taking it one step further, imagine the implications and liabilities of a software system that provided third-party access to one of America’s critical infrastructures (e.g., power grid, water utilities, transportation systems), and the consequences of a breach.
Asymmetrical military campaigns are no longer the exception, they are the rule. As such, defense spending is no longer solely meant for the procurement of military hardware. As the U.S. Department of Defense (DOD) and other agencies transition into an era of global cyberwarfare and virtual battlefields, new companies are emerging to fill the Pentagon’s desperate cyber needs. This year alone, U.S. federal agencies will purchase more than $80 billion in private IT solutions, $9 billion of which will go towards cloud-based solutions.
Unfortunately, simply having innovative cloud-based software is not enough — it must also be secure. The threat of hackers and/or hostile foreign governments using malicious code to gain backdoor access into the U.S. government’s IT infrastructure is a tremendous national security risk. For this reason, businesses looking to sell their cloud services to federal agencies must first comply with a regulation known as the Federal Risk and Authorization Management Program (FedRAMP). Think of it as the official security stamp of approval to sell cloud computing solutions inside the Washington D.C. beltway.
FedRAMP is a government-wide program for accrediting cloud services for consumption by U.S. Federal and DOD agencies. Its purpose is to promote the adoption of secure cloud services across the government by providing a standardized approach to security assessments, authorization, and continuous monitoring for cloud technologies. The program is managed by the General Services Administration (GSA) FedRAMP Program Management Office (PMO). Every cloud service — software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) — must receive a Joint Accreditation Board (JAB) Provisional Authority To Operate (P-ATO) or Agency ATO prior to consumption by a U.S. government agency.
General (Ret.) Frank McKenzie, executive director of the Florida Center for Cybersecurity and the Global and National Security Institute at the University of South Florida and former Commander, U.S. Central Command, told us in an interview: “While the FedRAMP process is extremely important to ensure that the software being shared on government platforms — particularly DoD platforms — is free of malicious code or back doors that our enemies can exploit, we must also be cognizant that we can’t stifle technology or competitive advantages due to bureaucracy and needless red tape.”
To become FedRAMP certified, the prospective vendor — known as a cloud service provider (CSP) — must undergo a rigorous third-party assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO). The 3PAO is responsible for ensuring that the CSP and its software offering have met the security requirements, as outlined by the National Institute of Standards and Technology (NIST) guidelines.
Once all the checks are complete and the cloud service has successfully achieved authorization, the next stop is being listed on the FedRAMP Marketplace. This website is the one-stop shop for agencies to find cloud services that have been tested and approved as safe to use, making it much easier to determine if an offering meets security requirements. Once software makes it onto the platform, the provider is almost assured to win some hefty government contracts. There are currently close to 300 providers, ranging from software leaders Adobe and Box to Xerox and Zoom. (Note: Even though a provider is on the FedRAMP Marketplace, that doesn’t mean it is immune from threats. For example, Adobe was involved in one of the biggest data breaches of the 21st century in 2013, and Zoom recently resolved as many as four exploitable security breaches in their code.)
It should be comforting to know that taxpayer dollars are at least trying to ensure that the software the U.S. government buys is safe and free from compromise. But here’s the kicker: The cost to obtain your FedRAMP certification isn’t a few hundred bucks. Nor is it a few thousand dollars… or tens of thousands. The cost to gain your FedRAMP certification can run anywhere from $400,000 to more than a million dollars. That price may be a drop in the bucket for a Fortune 500 company or even a Silicon Valley tech startup with deep-pocketed investors. But the aspiring entrepreneur with a great software product may get left out in the cold. Don’t think for a minute, though, that everyone who can pay to play gets on board. On the contrary, FedRAMP certification is not a given, even if you can afford it. The testing process is rigorous, as are the ongoing assessments. It can also take anywhere from six months to two years to obtain your ATO.
According to John Verry, managing partner of Pivot Point Security, a leading cybersecurity firm, “More so than other cybersecurity frameworks such as ISO 27001 and SOC 2, FedRAMP requires a strong commitment from top management as it requires the initial and ongoing commitment of resources/dollars during the initial certification effort, operationalization of a continuous monitoring program, and annual assessments. In a typical sales call, we spend as much (or more) time determining whether there will be a business return on investment as we do about the process/impact of constructing a FedRAMP-compliant cybersecurity program.”
So, the question becomes, is FedRAMP worth the investment? If you want to take your software company to the next level, the short answer is a resounding yes. FedRAMP will almost ensure that your million-dollar investment will double, triple, quadruple, or more in contract value. Take, for example, the popular business software company Salesforce. Its customer relationship management (CRM) technology is one of the most widely used in the private sector. After getting approved on the FedRAMP Marketplace in 2014, Salesforce has won more than 1,400 contracts with agencies such as the Department of Homeland Security, Department of State, and the National Science Foundation. Its contract with the Department of Veterans Affairs alone is worth $260 million. It’s safe to say, Salesforce has benefited immensely from FedRAMP.
On December 23, 2022, the Biden Administration signed the FedRAMP Authorization Act into law, which was intended to streamline the FedRAMP authorization process. This should hopefully bring new vendors with more competitive tech offerings into the government space. The U.S. government certainly could use a wider selection of cyber options. With the pressing need to upgrade Uncle Sam’s computing power, perhaps it’s the right time for those brilliant minds, developing the next big thing in their garage, to get their cloud-based software noticed. Let’s just hope that their cybersecurity measures are up to the task.