You need to know what FedRAMP is. Don't even bother clicking on the link until you do.

Founded in 2011.

> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.

Seems pretty bland to me. I'm not worried about this one.

[1]: https://en.wikipedia.org/wiki/FedRAMP



It's a bland title for a key thing: It sets compliance standards for government use of cloud computing. Even companies like Google have had massive projects to get FedRAMP compliant so that the federal government can use their services.

See for example: https://fedscoop.com/google-earns-fedramp-high-authorization...

And this announcement is basically just that they're going to massively lower the bar.


I used to work on FedRAMP and I’m fine with it. It’s just like SOC2 compliance, mostly a dog and pony show for auditors who have a conflict of interest and no clue what they are auditing.


That’s just easily and provably not true. FedRAMP is absolutely not “mostly dog and pony”.

See: Okta being compromised, and their FedRAMP High environment remaining secure:

https://www.meritalk.com/articles/okta-hack-didnt-touch-fedr...


Your example doesn't give details so it doesn't mean much.

First FedRAMP high is extremely strict. Most ATOs are NOT for FedRAMP high. Most people are good with a FedRAMP moderate.

Also, this doesn't mean the security controls are what stopped those other environments from being hacked. The other systems are just separate, that's why they weren't hacked with everything else.

Overall I think FedRAMP is good, because it at least gets somewhat of a baseline. But the other guy was pretty spot on. The auditors generally have no idea what they're looking at, there are a lot of security controls that don't make sense under many contexts and it is mostly a dog and pony show.

And really, it's not like these departments didn't have some type of due diligence to acquiring software, FedRAMP just makes it standardized and allows departments/agencies to piggyback off of other department/agency's due diligence.


The dog and pony show isn’t the point. Most companies are not blatantly committing fraud, especially against the federal government. It’s just not worth it. The process of thinking about the controls and speaking to them itself results in demonstrably more secure operating environments.


I worked extensively on FedRAMP compliance at multiple places, including top cloud providers and banks. It’s considered the high-bar standard globally and, other than Australia’s IRAP, the baseline such that if you can meet it you satisfy almost all other compliance programs, so it’s the key program to meet.

Compliance is always a dog and pony show. It’s how you show your dogs and ponies to auditors whose job it is to judge your dog and pony. You get a fairly broad selection of auditors and there’s definitely a theatre to the compliance process. However, it doesn’t mean you don’t do the work and then pretend you did, because being found in non-compliance - or worse, willful non-compliance (by treating it as a dog and pony show intentionally) - has serious consequences. The willful version is criminal.

The practices required are frankly what most people versed in security practice consider the baseline. Most software, however, is written by people who don’t know much about security, aren’t particularly skilled, and are managed by managers who care less and know less. The people who know and agitate for better are treated as ivory tower, non-commercial people and are managed out to other, presumably better companies with less influential products because they spent time on security instead of the feature grab.

I read the post and it talked a lot about accelerating FedRAMP by focusing less on compliance and more on security, which is like saying the bank is focusing more on a nicer vault and less on making sure the money is still there. It also lauded the enormous amount of integration of xAI into the program, which is essentially corruption at best, and a transfer of massive amounts of sensitive security disclosure to an entity of poor repute for integrity. (See their methane gas turbine willful non-compliance in Nashville.) Everything I read made me remember this is the administration trying to jail Krebs for telling the truth.


My experience with it was that most of the time there was a ton of truth stretching going on. Similar to SOC2 compliance. If a system couldn't be brought into compliance, there were a ton of stories about why it was not in scope or why a compensating control was adequate.

Yes, there are criminal penalties, but I haven't heard of them being enforced outside of someone just outright lying.


Yes. But my point is the burden of compliance causes at least that much effort. Vibing security and calling it done with a rubber stamp is insufficient because even requiring an audit people try to fudge around the edges. Without a detailed audit with high compliance expectations you’ll just get outright lies by default.


I feel like certification is worse. People fudge the truth, get the certification, get compromised and because they had certification, no meaningful action is taken. InfoSec problem is not lack of "certification" but lack of consequences.


In FedRAMP you can get delisted from the marketplace, have your certification revoked, and get banned from doing another certification.


> because being found in non compliance - or worse willful non compliance (by treating it as a dog and pony show intentionally) - has serious consequences. The willful version is criminal.

This had a big effect on an implementation project that I did. After legal ran training on the FedRAMP legal aspects, people started to take it very seriously.


The article points out this is just due to it being a separate system. If anything, your argument is one against cloud computing and SaaS, where your data is intermingled with everyone else's.


It’s a separate environment with STRICTER security requirements. That’s the point….


Where does it say that FedRAMP was not affected due to stricter security requirements?


Okta was hacked through employee credentials stored in a private Google account that got compromised.

FedRAMP requires two-factor authentication with the second factor being a physical token.


I wish I could vote more for this.

You forgot that it costs at minimum $1M to get certified, up to several dozen millions once everything is said and done; and that does not guarantee any government contracts or agency purchases. You have to basically be a big player that can put up the money and, because of any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.


We got FedRAMP certified at a previous job. At first I balked at you saying it cost $1M but, doing some back-of-the-napkin math, that's probably pretty accurate once you take into account the salaries of everybody involved, time that we had to spend figuring out all the auditing, outside companies we had to hire and involve, and extra cloud costs and setup. Not to mention the ongoing cost of maintaining all of that and ongoing audits.

We were also a pretty small startup (~50 people?) but were focused solely on government data storage and management, so it made a lot of sense for us to get the certification. It definitely paid for itself in the number of contracts it unlocked.


You are getting ripped off.

The 3PAOs can do FedRAMP audits for much lower. I've seen as low as $150k. We dropped our auditor for another because we were priced at $X, but when they came into our office and saw that we bring in a ton of money (we used to have our sales info on every screen on every floor of the office) they updated their pricing for next year's audit.


> You have to basically be a big player that can put up the money and because by any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.

You seem to be working from the faulty premise that FedRAMP is only a concern for direct federal contracting. Because FedRAMP applies to systems with federal data, and because entities other than the federal government often have a mix of federal and non-federal data, it is quite common for a vendor who does not have FedRAMP certification (either at all or for some services) to know by non-corrupt means that some of their customers have workloads that are in-house or with a different vendor due to FedRAMP, which they would bring to the first vendor if that vendor was FedRAMP compliant for the services involved.


FedRAMP 20x is an attempt to change this and make it much cheaper and simpler to pass, via modernization.


Honestly if those numbers you’re providing are accurate, that’s not a lot of money.

The research I’ve done pegs the cost at $500,000 to $1.5 million.

That actually is “small SaaS company” territory.

And don’t forget that VCs throw more money than that around for much riskier propositions. The whole VC business is that you’ll have 1 success and 10 failures, throwing $2 million in hopes of landing a government contract (stable revenue above market rates) is probably a great investment for a lot of small/medium sized companies.


Anything involving auditors or policy people in tech turns into a clown show. Dunno what it is like for other industries (but my friends in pharmaceutical research feel similarly).

These are deeply nontechnical people attempting to enforce regulations drafted by deeply nontechnical people (typically academics that graduated from an Ivy but have zero industry experience, like the folks at modern-day RAND) and it's just a clown show all the way down.


That's the point. It's all designed to set up a huge moat around products and service providers that can play the game.


> And this announcement is basically just that they're going to massively lower the bar

The FedRAMP bar was always dumb.

I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.

To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.

A lot of the innovation on the security vendor side is happening at early- to mid-stage startups, but sinking $15-20M and 1.5-2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.


It’s mostly an easy button for procurement officers. You’re required to meet the control standards that FedRAMP requires anyway, and it saves months of the customer’s time to do it once.

Startups are always problematic for government procurement, and unless you play in a space that is set up to handle small vendors, your business is going through partners anyway.


> It’s mostly an easy button for procurement officers

I know. I have never had an issue with FedRAMP as a single marketplace. The issue has always been the arbitrary compliance requirements.

> Startups are always problematic for government procurement

Absolutely, and ensuring that they are within a verified marketplace such as that which FedRAMP intended to make is good.

The issue is the upfront cost to become FedRAMP compliant is so high, that most vendors do not even try until extremely late in their lifecycle.

Furthermore, a lack of vendors does lead to extremely suboptimal pricing. There is some cost to recoup from going through FedRAMP compliance hurdles, but a lot of it is also because once you are FedRAMP compliant, depending on the tooling, you have a captive market with maybe 1 or 2 competitors.

> Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway

I'm not talking about SIs or MSSPs. I'm talking about specific FedRAMP compliance partners. They provide no value except checkboxing, but all vendors need to partner with them.


It feels like enforcing that everything must be written in Ada. And then relaxing the requirement... history always repeats itself, it seems.


Sounds like a good time to invest in Russian VPS hosts.


Oof, if that's the solution I'll stick with the problem lol


Well, it explains why all the SV billionaires were so hot to get Trump in office. Basically, a taxpayer funded payday for them.


Trump is basically living the dream of every computer illiterate boomer who responds to a text message asking for their bank account details so stolen money can be deposited. "This cyber thing is pretty great. I've been saying this for a long time, thanks J-Kush. By the way, I said, I'm sorry for calling you 'mid' yesterday. Am I am I using that right? I am using that right. I'm not doing that to brag, because, you know what, I don't have to brag."

