I used to work on FedRAMP and I’m fine with it. It’s just like SOC2 compliance, mostly a dog and pony show for auditors who have a conflict of interest and no clue what they are auditing.
Your example doesn't give details so it doesn't mean much.
First, FedRAMP High is extremely strict. Most ATOs are NOT for FedRAMP High. Most people are good with a FedRAMP Moderate.
Also, this doesn't mean the security controls are what stopped those other environments from being hacked. The other systems are just separate, that's why they weren't hacked with everything else.
Overall I think FedRAMP is good, because it at least gets somewhat of a baseline. But the other guy was pretty spot on. The auditors generally have no idea what they're looking at, there are a lot of security controls that don't make sense under many contexts and it is mostly a dog and pony show.
And really, it's not like these departments didn't have some type of due diligence to acquiring software, FedRAMP just makes it standardized and allows departments/agencies to piggyback off of other department/agency's due diligence.
The dog and pony show isn’t the point. Most companies are not blatantly committing fraud, especially against the federal government. It’s just not worth it. The process of thinking about the controls and speaking to them itself results in demonstrably more secure operating environments.
I worked extensively on FedRAMP compliance at multiple places, including top cloud providers and banks. It’s considered the high bar standard globally and, other than Australia IRAP, the baseline that if you can meet it you satisfy almost all other compliance programs, so it’s the key program to meet.
Compliance is always a dog and pony show. It’s how you show your dogs and ponies to auditors whose job it is to judge your dog and pony. You get a fairly broad selection of auditors and there’s definitely a theatre to the compliance process. However it doesn’t mean you don’t do the work then pretend you did, because being found in non compliance - or worse willful non compliance (by treating it as a dog and pony show intentionally) - has serious consequences. The willful version is criminal.
The practices required are frankly what most people versed in security practice as a baseline. Most software however is written by people who don’t know much about security, aren’t particularly skilled, and are managed by managers who care less and know less. The people who know and agitate for better are treated as ivory tower non-commercial people and are managed out to other presumably better companies with less influential products because they spent time on security instead of feature grab.
I read the post and it talked a lot about accelerating FedRAMP by focusing less on compliance and more on security, which is like saying the bank is focusing more on a nicer vault and less on making sure the money is still there. It also lauded the enormous amount of integration of xAI into the program, which is essentially corruption at best, and transfer of massive amounts of sensitive security disclosure to an entity of poor repute for integrity. (See their methane gas turbine willful non-compliance in Nashville). Everything I read made me remember this is the administration trying to jail Krebs for telling the truth.
My experience with it was that most of the time, there was a ton of truth stretching going on. Similar to SOC2 compliance. If a system couldn't be brought into compliance, there were a ton of stories about why it was not in scope or a compensating control was adequate.
Yes, there are criminal penalties, but I haven't heard of them being enforced outside someone just outright lying.
Yes. But my point is the burden of compliance causes at least that much effort. Vibing security and calling it done with a rubber stamp is insufficient because even requiring an audit people try to fudge around the edges. Without a detailed audit with high compliance expectations you’ll just get outright lies by default.
I feel like certification is worse. People fudge the truth, get the certification, get compromised and because they had certification, no meaningful action is taken. InfoSec problem is not lack of "certification" but lack of consequences.
> because being found in non compliance - or worse willful non compliance (by treating it as a dog and pony show intentionally) - has serious consequences. The willful version is criminal.
This had a big effect on an implementation project that I did. After legal made training about FedRAMP legal aspects, people started to take it very seriously.
The article points out this is just due to it being a separate system. If anything, your argument is one against cloud computing and SaaS, where your data is intermingled with everyone else's.
You forgot that it costs at minimum $1M to get certified, up to several dozen millions once everything is said and done; and that does not guarantee any government contracts or agency purchases. You have to basically be a big player that can put up the money and, because of any number of the various methods of corruption, already know that you will have government contracts waiting for you on the far side.
We got FedRAMP certified at a previous job. At first I balked at you saying it cost $1M but, doing some back-of-the-napkin math, that's probably pretty accurate once you take into account the salaries of everybody involved, time that we had to spend figuring out all the auditing, outside companies we had to hire and involve, and extra cloud costs and setup. Not to mention the ongoing cost of maintaining all of that and ongoing audits.
We were also a pretty small startup (~50 people?) but were focused solely on government data storage and management, so it made a lot of sense for us to get the certification. It definitely paid for itself in the number of contracts it unlocked.
The 3PAOs can do FedRAMP audits for much lower. I've seen as low as $150k. We dropped our auditor for another because we were priced at $X, but when they came into our office and saw that we bring in a ton of money (we used to have our sales info on every screen on every floor of the office) they updated their pricing for next year's audit.
> You have to basically be a big player that can put up the money and because by any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.
You seem to be working from the faulty premise that FedRAMP is only a concern for direct federal contracting. Because FedRAMP applies to systems with federal data, and because entities other than the federal government often have a mix of federal and non-federal data, it is quite common for a vendor who does not have FedRAMP certification (either at all or for some services) to know by non-corrupt means that some of their customers have workloads that are in-house or with a different vendor due to FedRAMP that they would bring to the first vendor if that vendor was FedRAMP compliant for the services involved.
Honestly if those numbers you’re providing are accurate, that’s not a lot of money.
The research I’ve done pegs the cost at $500,000 to $1.5 million.
That actually is “small SaaS company” territory.
And don’t forget that VCs throw more money than that around for much riskier propositions. The whole VC business is that you’ll have 1 success and 10 failures, throwing $2 million in hopes of landing a government contract (stable revenue above market rates) is probably a great investment for a lot of small/medium sized companies.
Anything involving auditors or policy people in tech turns into a clown show. Dunno what it is like for other industries (but my friends in pharmaceutical research feel similarly).
These are deeply nontechnical people attempting to enforce regulations drafted by deeply nontechnical people (typically academics that graduated from an Ivy but have zero industry experience, like the folks at modern-day RAND) and it's just a clown show all the way down.