AI transcript
0:00:10 topic, FedRAMP, which is going to affect a lot of enterprise SaaS companies selling to government,
0:00:15 and actually even if not. So, we share everything that startups need to know in this episode.
0:00:19 Please note you can find all the pointers, templates, and other links they mention
0:00:24 in the show notes at a16z.com/FedRAMP. I highly recommend you check that out, too,
0:00:29 to get all the resources after listening to this episode. Okay, so now onto the intros.
0:00:35 This episode is hosted by a16z board partner Steven Sinofsky, who interviews Lisa Hawke,
0:00:40 VP of Security and Compliance at a16z company Everlaw. By the way, you can also catch both
0:00:45 Lisa and Steven on another interesting compliance topic that applies to many tech startups as well,
0:00:52 GDPR, which we covered last year by going to a16z.com/GDPR. But this episode is all about FedRAMP,
0:00:57 which stands for the Federal Risk and Authorization Management Program.
0:01:02 And here’s what they cover, what risk means in selling to the government depending on your
0:01:06 product features, some of the most commonly used acronyms to be aware of, which they quickly
0:01:12 lightning round in between, how similar or different FedRAMP is to other types of certification,
0:01:18 authorization, and compliance, such as ISO, SOC2, GDPR, even HIPAA. Most importantly,
0:01:23 they break down the steps to FedRAMP certification, including how and when to engage third-party
0:01:28 auditors and advisors, how long it takes, and how it affects sales. They also share the best
0:01:33 strategy for moving forward with a customer lined up first, but they begin by discussing
0:01:39 why startups should consider FedRAMP in the first place. Before everybody gets cynical about
0:01:46 acronyms with the word Fed in them and security and the government and all this other stuff,
0:01:51 this is some pretty interesting things that you can do for your company, and it opens up a world
0:01:57 of opportunity in terms of selling to the United States government and beyond, as we’ll talk about.
0:02:02 So first, welcome, Lisa. Thanks, Steven. So if you’re the CEO of a company, what are the core
0:02:09 benefits of pursuing a FedRAMP authorization? So if you’re the CEO of a cloud company and you
0:02:14 want to sell your product to federal agencies, FedRAMP is probably going to be the only way in.
0:02:19 There are some exceptions, very limited, for instance, if you wanted to do a private deployment
0:02:23 in a facility for a single agency, but that’s not what we’re talking about today. We’re talking
0:02:29 about having a FedRAMP authorization, which, for the record, we are in process at Everlaw. We don’t
0:02:34 have our authorization yet, but it does open up a whole new market for you for all of the federal
0:02:39 agencies, and as well, it provides some credibility to the general market from a security standpoint
0:02:43 outside of government. Yeah, that’s something that we hear all the time, is that even if you want
0:02:50 to sell to a company, a private or public company that isn’t the government, they might look to see
0:02:55 like, “Hey, did you get FedRAMP certified?” So we know now that FedRAMP’s a requirement to sell
0:02:59 to the government, and in most markets, especially in the US, the government is potentially a very
0:03:06 big or the biggest potential customer for enterprise SaaS. No matter which agency you want to sell to,
0:03:11 you know, from DoD to Ag or HHS or whatever, FedRAMP is going to be required. And in many cases,
0:03:15 like these connected or affiliated state organizations as well, something we learned in
0:03:20 Everlaw is that if you want to sell to a state attorney general, they’re going to want FedRAMP
0:03:25 authorization as well, just because chances are they’re going to be involved in litigation with
0:03:31 the federal agencies. So what is it that FedRAMP actually, you know, quote, tests for in its process?
0:03:38 So FedRAMP stands for the Federal Risk and Authorization Management Program. So FedRAMP,
0:03:44 like the acronym says, it’s all about risk. It’s really a program that’s designed to provide
0:03:50 federal agencies with the information they need to make their own informed risk-based decision
0:03:55 about whether to adopt cloud and, you know, a specific product. I think there was a general
0:04:01 recognition that in order for federal agencies to adopt cloud, they had to put in place a way for
0:04:08 companies to meet the federal standards and, you know, allow the federal agencies to do these risk
0:04:13 assessments. Risk is a very amorphous concept. How do they actually evaluate what risk? Well,
0:04:18 for the security folks listening, hopefully this will be comforting in the sense that
0:04:27 they didn’t make up something new. They use the CIA framework. Not the CIA. No, confidentiality,
0:04:34 integrity, and availability. So for companies that have been through, say, a SOC2 or maybe ISO,
0:04:41 they’ll have heard these terms. And in addition, they also look at baseline or impact levels,
0:04:45 high, moderate, or low. The high, moderate, or low are actually pretty important because that
0:04:51 puts people into buckets of sort of users of the product. Yeah, exactly. So when you’re going
0:04:56 through a FedRamp authorization, you’re going to have to look at your product and figure out,
0:05:02 okay, based on the impact and the information that is going to be in that cloud product,
0:05:10 what level are you? High? So think law enforcement for high. Think DoD, federal criminal information,
0:05:15 or are you moderate? Like normal, the agriculture department or something like that, where it’s
0:05:23 sort of routine work. Yeah, exactly. And then for low or there’s even another… Like a low or low?
0:05:28 A low or low. Yeah, it’s called low impact SaaS. That’s a mean name. We don’t mean that your product
0:05:34 is low impact. No, but they did create the low impact SaaS for products that only contain enough
0:05:39 personal information to essentially set up an account. So they need your name, they need your
0:05:44 email, there’s going to be a password, but you’re not holding really confidential or sensitive
0:05:50 agency information. So based on those impact levels, that is going to determine which baseline,
0:05:56 and the baseline is the set of controls, and they have on the high end, the most controls on the
0:06:02 moderate, around 300. The four impact levels, it’s super interesting. There are only
0:06:07 seven authorizations for high security stuff, and they’re all mostly… They’re just the
0:06:11 cloud infrastructure providers. In fact, of the seven highs, I actually went and looked at
0:06:14 those, I thought it was interesting, three of them are Microsoft, just the different parts of
0:06:20 Microsoft, and then Oracle and some specialized ones and AWS. So nobody has to worry about this
0:06:25 extreme bar if you’re mostly an app. They’ll guide you to moderate or low.
0:06:31 One cool thing about the FedRAMP.gov website is they have a marketplace for the folks out there
0:06:35 kind of wondering, all right, what companies are doing the high, who’s doing low, who’s doing
0:06:40 moderate, you can sort by that. And it’s kind of interesting because like you pointed out,
0:06:45 the great majority are in the moderate category. And then there’s a handful of highs and a handful
0:06:50 of lows. So given that they’re not there to really bug Silicon Valley companies and make it hard for
0:06:54 the government to become a cloud provider, it’s the opposite. The directive was specifically,
0:06:59 we want to get the government on cloud. Like it’s too expensive to be on-prem, it’s let’s secure,
0:07:03 it’s harder to do, it’s less agile. So we want to get the government on cloud.
0:07:08 If you’re a government agency, what are some of the things that you observe right away when you
0:07:13 see a FedRAMP authorized product sort of show up? Like what is it different about it?
0:07:19 Well, I think if you’ve gone through FedRAMP, you’re going to show up looking a lot more organized.
0:07:24 You’re going to have that governance infrastructure in place because FedRAMP is a mix of very
0:07:30 technical things, but also governance related things. So if you’ve set up your security program
0:07:36 in a way that addresses things like personnel security, policies and procedures for specific
0:07:41 things like role-based access control, then you’re going to show up as looking like you really have
0:07:47 your act together compared to a company that has these various security controls in place,
0:07:52 but maybe hasn’t gelled them into a program. I should have mentioned this earlier. So all of
0:07:58 these sets of controls for the high, moderate and low baseline are separated into control families.
0:08:02 So for example, incident response is a family, but the more technical ones are things like
0:08:07 configuration management, which deals with creating blueprints for the server types to
0:08:12 meet functionality and hardening requirements, things that require implementing Center for
0:08:18 Internet Security benchmarks. And we’ll provide a link to the CIS benchmarks as well.
0:08:23 Obviously, one of the things that ends up mattering the most security is just sort of access and
0:08:28 identity and the role of authorization in general. Where does that fit in in these families?
0:08:34 So it spans several of them, but there is one control family called IA, which means identification
0:08:39 and authorization, which deals with how you implement your system accounts, including credential
0:08:44 management, version control, multi-factor authentication, which has to meet certain
0:08:51 cryptographic standards. And it’s worth noting that in these control families, sometimes you,
0:08:57 as a cloud service provider, are going to have the responsibility for the implementation,
0:09:03 like something for authentication, but also sometimes the federal agency also has a responsibility
0:09:08 in terms of how they implement their users and distribute out their user names and so forth.
0:09:12 So that is also something that’s noted in the control family.
0:09:16 So you don’t go through this authorization process and it’s a recipe. There’s like
0:09:22 lots of decisions to make, lots of product design questions that are favorable to enterprise SaaS
0:09:26 and have to sort of allow room to adapt to the variations across the government.
0:09:31 And most of the controls a company can implement them in their commercial
0:09:35 environment as well. We want all of our commercial customers to benefit from the
0:09:39 same level of security as our future federal customers.
0:09:43 Because chances are, whether you try to sell to a big tech company or a non-tech company,
0:09:49 that they’ve probably developed some list of things that look like these families,
0:09:53 but might not be exactly the same and ultimately you’re going to end up in the same boat trying
0:09:57 to get all these done. I mean, the federal government and federal agencies are not the
0:10:01 only ones that use the NIST framework for security and privacy. Many companies do it.
0:10:05 A lot of security questionnaires are going to be based around NIST. So
0:10:08 it’s one of many acronyms. I think we’re going to go over it today, right?
0:10:11 Yeah. So I’m just going to go through a few of them and like make sure people know because
0:10:15 we’ll say them and then we’ll forget to expand them. And so NIST is one of my favorites because
0:10:20 that goes so far back. That feels like 1950s NASA and they’re like in charge of
0:10:24 weights and measures and stuff like that. But what do they do with this?
0:10:28 NIST does a lot of cool stuff. But as it relates to what we’re talking about today,
0:10:33 NIST, the National Institute of Standards and Technology is the agency that defines
0:10:39 government-wide standards for technology and security. And the one specific NIST document
0:10:44 that we’re talking about today is a special publication, 853, which deals with security
0:10:50 and privacy controls for federal information systems. So FISMA? Yeah. So FISMA stands for
0:10:55 Federal Information Security Management Act. And this is something that applies
0:11:01 to federal government agencies and requires them to put in place a security framework
0:11:04 to secure their information. So it doesn’t apply to the private sector.
0:11:07 So next was obviously a big government agency called OMB?
0:11:13 Yeah. OMB is sort of like the COO for the federal government. They oversee budgeting
0:11:21 and spending. And then their sibling agency GSA is the General Services Administration
0:11:25 and the FedRAMP office. So our friends in the FedRAMP PMO, which means Project Management
0:11:31 Office, they sit under GSA. Awesome. And then finally, this whole thing is about
0:11:36 the acronym they invented called CSPs. Yeah. CSP stands for Cloud Service Provider,
0:11:42 and you’ll also hear CSO, which stands for Cloud Service Offering. So FedRAMP is all about cloud,
0:11:46 which is why I think we’re here today talking about it for the SaaS folks out there.
0:11:50 Okay. So we have a bunch of acronyms out of the way. I got to tell you, as Lisa took me through
0:11:56 the Everlaw certification, I have never seen so many acronyms exist in this process.
0:12:03 So your typical Series B enterprise startup, is FedRAMP anything like what they’ve done before
0:12:10 in terms of running the sales process or a security process? Is it like SOC2? Is it like GDPR?
0:12:15 I think it depends on what a company has done up until the point they decide, “Hey, let’s do FedRAMP.”
0:12:21 So if you’ve been through a SOC2 Type 2, which is the audit that tests your operational effectiveness,
0:12:26 then you’re probably in a better position than if you’d only done a SOC2 Type 1,
0:12:31 which is just, “Do I have a program in place?” So I would say it really depends on what the
0:12:34 company has done up until then. And what are some of the dimensions to really think about?
0:12:38 Like, is it the size of the company thing? Is it the number of people you have dedicated
0:12:42 security? Is it like how much data you store? Like, what are some of the variables that people
0:12:49 should be aware of that might impact their time and effort and need and complexity of going through
0:12:55 authorization? Yeah, it’s a great question. The first thing is that if you have a motivated
0:12:59 federal agency, that is going to be the biggest factor that either pushes you ahead or slows you
0:13:04 down. So if you’re in a place where a federal agency has already expressed interest in your
0:13:09 product or you’ve already been in conversations and they’re motivated to be your partner in the
0:13:15 process and give you the confidence you need to make that financial commitment because it’s
0:13:20 going to take internal resources, which has a cost. Like, one of the things that you mentioned was
0:13:26 just how the lens of FedRAMP changed the Everlaw culture a little bit to be much more focused
0:13:32 on sort of this continuous monitoring sort of mindset. How did that come about? From a continuous
0:13:39 monitoring standpoint, we found that the FedRAMP controls helped us gel around things like configuration
0:13:46 management, making sure there are security checks and security impact analyses. So putting in some
0:13:51 of those processes, which on a continuous basis, now we’re doing every release, in addition to the
0:13:55 things that are just straight up required by continuous monitoring like vuln scanning. I think
0:14:01 there’s a perception of FedRAMP that it’s, you know, a lot of policy, it’s a lot of checking
0:14:08 the box. And like any team that is staring down the face of a major security compliance and
0:14:13 technical project, we were kind of thinking, oh no, there are going to be so many controls in
0:14:19 here that are just check the box. And like any compliance framework, there certainly is some
0:14:25 box checking involved. It’s a lot of governance, which is true. There are a lot of control families
0:14:31 that deal with a company’s infrastructure like personnel security is the PS control, AT is
0:14:35 the awareness training control. But we found that on the whole, a lot of the controls really
0:14:40 pushed us forward. And a lot of things we were already doing, there were some things that we
0:14:46 needed to improve. But the process has really made our entire infrastructure more secure.
0:14:51 No one at Everlaw had FedRAMP experience before. I mean, we’d been through SOC2,
0:14:57 and we’d been through, we actually undertook it at the same time as GDPR, which looking back
0:15:01 is a little bit crazy. We didn’t really get a choice in GDPR though, so. That’s true.
0:15:05 So if you’re a startup where the team has varying levels of experience and actually
0:15:09 haven’t gone through all of these things collectively, it sounds like what you’re
0:15:13 saying is just by virtue of having gone through the process, the whole organization
0:15:18 sort of gets up leveled and consistent based on just using this as a framework.
0:15:22 You mentioned that it is also deeply technical. Like this is not just a list of, you know,
0:15:26 do you have a security policy manual? Do you have cipher locks on your door?
0:15:31 There’s stuff about the code and the product. What are some of the things that are technical
0:15:36 that you had to sort of bring in engineering or product or DevOps and security ops to really
0:15:41 think about? Yeah, and I’ve already mentioned a few of the other more governance-related
0:15:46 controls before. There’s also IR, which is incident response, but some are very technical and just
0:15:52 anecdotally in the system where Everlaw tracks sort of our features and what the things our
0:15:56 engineers are working on, there were over a hundred tickets in there. I don’t know if
0:16:01 ticket’s the right word, but basically, you know, feature ideas, functionality that we
0:16:06 were going to implement that all required dev resources. And they ranged from simple things
0:16:10 like adding a banner into the platform that says, you know, you’re entering a federal
0:16:14 environment in our federal environment to very complicated things.
0:16:18 I think one of the things that is kind of interesting too is that this is not like a
0:16:23 secret part of the government. Like all the CIOs across all the agencies sort of know this is
0:16:28 going on. And so it sounds like it’s become their common vocabulary and security is for the
0:16:32 government the first order priority before functionality. So their sales team is just
0:16:37 going to need to know all of these words just to interact with the customer.
0:16:42 Yeah, I presented our sales kickoff this year presentation on selling security to help them
0:16:48 understand what does it mean to be FedRAMP in process to make sure that they’re not misrepresenting
0:16:52 what our status is to the market, but also so that they can talk about it confidently and
0:16:55 understand how it’s different from our SOC2 and so forth.
0:17:01 So clearly there’s a series of steps that have to happen. Like what are these steps?
0:17:07 So that flowchart is actually in the cloud service provider playbook, which will provide a link to.
0:17:12 And the first step is going to be establishing a partnership with a federal agency. I mean,
0:17:16 like we were talking about before, it’s just really critical that you have that agency support.
0:17:21 And then once you have that agency support, then you’re probably going to feel confident enough to
0:17:26 start using your internal resources. So that’s going to be putting together the package. And when
0:17:31 I say the package, it means system security package or SSP, which is another acronym.
0:17:36 So working on that documentation and then also working on any technical remediation you might
0:17:41 have to do. And so then eventually, like someone who doesn’t work for the agency or
0:17:44 for Everlaw is going to show up and sort of test you.
0:17:50 That’s right. The step before that authorization is a full security assessment by an independent
0:17:57 auditing firm. And in FedRAMP lingo, it’s called a 3PAO. It’s a third party assessing organization.
0:18:02 And there’s a small set of companies that can do this because they have to meet FedRAMP standards.
0:18:07 And so you have to bring them in just like any other independent auditor and they review all of…
0:18:08 And this is like on site?
0:18:14 Yeah. Yeah, they came on site for a week, but they review all of your implementations. I mean,
0:18:18 you’re screenshotting, you’re working in the command line in front of them to show them how you’ve
0:18:20 implemented specific things.
0:18:23 And do they like snoop around and everybody’s like, who are these people in suits?
0:18:27 And like, do they have special badges? Like, how does this really work?
0:18:33 I mean, they’re very technical. And they’re there to make sure that what you’ve represented
0:18:36 in your security documentation is the actual thing you’ve implemented.
0:18:41 I mean, the federal agency is trusting them to help them form their risk-based decisions.
0:18:43 So they’re serious about it, but they’re great. They’re nice.
0:18:50 And they’re basically consultants that come in on behalf of the OMB to basically execute on this plan.
0:18:54 I mean, they are working for the agency, not for you. You can engage an advisor.
0:18:55 What does that entail?
0:19:00 So there are other companies that can serve as the independent assessor or they can serve
0:19:06 as a consulting advisor. The key thing though is that if you engage a FedRAMP consulting advisor
0:19:10 to help you put together your documentation, you can’t use them as then the independent assessor.
0:19:11 So you’ve got to swap.
0:19:17 Basically, there are these specialists in doing security audits and there are a list of them
0:19:23 that OMB supports, and you can use them either to help you or to audit you.
0:19:23 Yeah.
0:19:26 And you just pick, and you might end up engaging two.
0:19:27 But basically it’s a consulting engagement.
0:19:30 That’s right. And you might be thinking, why would I want to engage a consultant?
0:19:32 To help you with a consultant.
0:19:38 Yeah, exactly. But the fact is, even with all of the program documentation that we had at Everlaw,
0:19:42 you know, the whole suite of infosec policies, we had great procedures around personnel security
0:19:47 and training. But we still needed to engage a consulting advisor to help us put together
0:19:52 the system security package. It’s of course a template that you can pull down from FedRAMP.gov.
0:19:58 And since we’re an AWS customer and we inherit a lot of the cloud infrastructure controls from AWS,
0:20:01 AWS will also provide you with that as well.
0:20:08 But some things are just hard to navigate without the experience of knowing what the
0:20:14 agency will accept. So a couple of examples are the consulting advisor can help you translate
0:20:17 what the agency is actually looking for when it comes to an implementation.
0:20:21 So if you have to do a deviation from a CIS benchmark.
0:20:25 Ultimately, this process boils down to creating a lot of documentation.
0:20:27 Like they don’t just have a phone call and take your word for it.
0:20:32 So a lot of it sounds, I mean, like you said, like, oh, you inherit some of it from AWS.
0:20:36 So it sounds like sort of this large amount of paper that has a bunch of forms that are all
0:20:42 filled in already. Well, our full SSP without the attachments with the implementations described
0:20:47 is around 500 pages. But the template itself, even without those is probably, I don’t know,
0:20:52 it’s probably 30 pages or 40 pages just without all our info in it. It’s a big lift to do that.
0:20:58 So we found that, with a consulting advisor, we could spend some time talking with them, chatting
0:21:02 with them on the phone explaining things. And then they would go write it up for us.
0:21:06 And then we would QA it. So instead of us having to do that big lift,
0:21:10 they did that for us. And then it was much more efficient that way.
0:21:13 So, you know, obviously, there’s a bunch of sections and chapters and different parts,
0:21:17 which part of it was the part that really was like a ton of work where like,
0:21:22 the engineers needed to engage and you needed really detailed technical answers.
0:21:24 Like, what was the scope of that and where in the process?
0:21:28 So we went back and forth with our consulting advisor. So we would
0:21:34 describe our technical implementations and then they would take the first crack at writing them
0:21:38 up. And then our director of infrastructure had to edit things out because every once in a while,
0:21:45 but also describing our entire system architecture and doing the architecture diagrams. Those are
0:21:48 all things that, you know, our engineering team definitely had a hand in.
0:21:51 Right. And it turns out it’s one of those things that like, well, we didn’t really
0:21:56 have a good architecture diagram of our system. And so now we have one. And now we keep it up to
0:22:00 date because we have to because of ConMon and all that, but sort of ended up being beneficial.
0:22:07 Anyway, okay. So you’ve got like this 500 page SSP thing sort of all bound up and ready to go.
0:22:12 How do you know you’re getting to the finishing line? And what does that start to look like?
0:22:17 So once we had all of the documentation wrapped up and, you know, you can’t get too hung up on,
0:22:21 you know, the final product, because the whole thing is meant to be a living document,
0:22:25 because, you know, when we finished documenting it, then we knew we were going to implement
0:22:28 something else. So it’s sort of, you know, you’re going to have to keep updating it.
0:22:33 But the finish line comes when you’re ready to actually hand that package over to the independent
0:22:37 auditor and to say, all right, you know, here is all our stuff. We’re putting it out there for
0:22:43 you to review and schedule that onsite audit. And so then the auditors show up, they read a lot,
0:22:49 they watch you doing the work. And then what happens? Then they put together what’s called
0:22:56 a SAR, which means security assessment report. The SAR is the auditor’s report on your overarching
0:23:02 compliance with the baseline. And if they have findings, they’ll rank them as, you know, high,
0:23:11 medium or low. Like concern? Yeah, exactly. Because what their job is, is to describe to the agency
0:23:16 what the risks are to using the system. So if they find things during the audit that they deem as a
0:23:21 high risk, and, you know, it’s all scoped out what those risk categories are, but they’ll deliver
0:23:27 that to the agency. And again, to your point about risk, it’s not like a pass fail, because then the
0:23:34 agency who’s the customer looks and says, ooh, you have two highs, that might be too, too many. Or
0:23:37 are you planning on fixing this? If you’re planning on it, there’s like a whole give or take.
0:23:42 After you do 18 months worth of work or nine months worth of work, you don’t fail and have to go back.
0:23:48 And the customer is in control of evaluating the risk of like still buying you or not.
0:23:54 Yeah. And those findings would go on to what’s called a POA&M or plan of action and milestones.
0:24:00 So once you have those findings, then you would describe what you’re going to do to fix it. What’s
0:24:04 your timeline? What are your milestones and so forth. And one of the benefits of having that
0:24:07 consulting advisor looking at your package and helping you do that is they’ll tell you what a
0:24:12 showstopper is. They’ll say, hey, that implementation is not going to cut it. Don’t do that. Let us help
0:24:17 you. So sometimes people think about compliance. They think about it as sort of like getting your
0:24:21 driver’s license. Like you get annoyed, you go through a process, you take a test and then poof
0:24:26 you have a driver’s license basically for the rest of your life. But FedRAMP isn’t really like
0:24:30 that. There’s a lot about monitoring and keeping things. And so what did you learn going through
0:24:34 the process that was different than other types of certification or authorization?
0:24:39 I mean, the one thing I’ve learned is that FedRAMP is not over. And I have to laugh.
0:24:43 Okay. That’s like an uplifting motion. Like, yeah, please list our podcast for the thing that’s
0:24:48 never going to end. Well, it’s just funny because we’ve been working on this and every time we hit
0:24:52 a big milestone, we like to celebrate it with the wider team and everybody’s like, yay. And then
0:24:58 they’re like, oh, you’re done with FedRAMP now, right? And we’re like, no. So continuous monitoring
0:25:04 is one thing we already mentioned where even once you obtain your authority to operate or your ATO
0:25:08 and you have that authorization, you’re still going to be working with the agency on a regular
0:25:13 basis. So you have your ATO and you’ve got a bunch of ConMon going on just to use all the
0:25:18 acronyms in one sentence. Yeah. And we’ll link to the ConMon guide, which talks about what that
0:25:24 looks like. But in a nutshell, you’re doing monthly scanning, you’re ranking vulnerabilities,
0:25:28 you’re responding to those on a specified time basis, et cetera.
0:25:34 So let’s say that the company is ready to dive in. They have a product that they’ve been selling to
0:25:40 commercial customers. The first cohorts believe it meets their needs for security and privacy and
0:25:44 things like that. The product is selling, but now an agency is interested, for whatever reason,
0:25:50 that inbound or you spoke at a conference or something. So first, how long do the salespeople
0:25:57 have to wait until the deal is closed now? Well, be nice. Yeah. I mean, again, it depends on how
0:26:02 motivated the agency is. That’s a super important point. It’s not just how motivated you are as
0:26:06 the company. Like if the agency really wants you, they can pull you through in a lot of ways.
0:26:12 Yeah. Because again, it’s all about risk and the agency is the decider of what kind of risk
0:26:18 they’re going to tolerate. And so if an agency is really motivated, then they can help push you
0:26:25 along to becoming in process. And in process is a designation that requires explicit agency support.
0:26:30 But if you’re at that stage where you’ve got that interest, you have to choose, okay, am I going to
0:26:34 go, there are two ways to get authorized. There’s the agency route and then there’s something called
0:26:39 the JAB, which is the Joint Authorization Board, which is a little bit harder to do because you
0:26:44 have to do a business case. So I think for our purposes, it makes more sense to address the agency
0:26:49 route, which is probably the situation you’re talking about, where somebody expresses interest.
0:26:53 Right. So that’s probably a good lesson for folks, which is that the best bet for going
0:26:58 through this is in a sense to first line up a potential customer rather than just sort of say,
0:27:01 oh, well, let’s preemptively go and do FedRAMP because it actually makes more work for yourself
0:27:05 if you don’t have the first customer lined up. Yeah, that’s right. And they do have that JAB
0:27:11 process, which is for companies that might have a broad application, but it’s a much different
0:27:17 process. Okay. So there’s a bunch of actual bureaucracy stuff about getting on the GSA list
0:27:24 and filling out those forms. But then is it a year, two years, five years? How long is this exactly?
0:27:28 Yeah, let’s not keep the sales team hanging too long. So if you’re counting from the time you
0:27:33 have your package already, it could be as little as a few months, maybe even six weeks we’ve heard
0:27:39 for the agency to review that package and grant you the authorization. I think if you’re counting
0:27:44 from the day, the team says, hey, let’s do FedRAMP and you still have to put the package together,
0:27:50 you’re probably looking at at least nine months or a year possibly. So it’s actually not wildly
0:27:54 out of bounds with what a procurement team might do or like any of the large tech companies that
0:27:59 just do what they call a security audit or something might easily take that same length of time.
0:28:04 It comes down to how many resources the company has to bring to bear on the project because,
0:28:08 you know, we took a little bit longer, but that’s because we didn’t stop people
0:28:13 from doing their full-time jobs only to work on FedRAMP. We didn’t stop feature development for
0:28:18 the product. So you decided you’re like flipping the switch and you’re going to go for it. Did
0:28:23 you have a team of 10? Like how many people have to do all of this checkboxing and process
0:28:30 documentation and ConMon stuff. So when we started, it was just myself on the security team.
0:28:36 We had our engineers that were involved in sort of scoping and looking at how much work we thought
0:28:41 it would be. And then over time, we brought on a DevOps person. We hired a couple of people onto
0:28:47 my team. But again, none of us have been doing it full-time. So it’s been probably a core group
0:28:53 of five people working on various elements of it. And then when we were doing the push to
0:28:57 complete a lot of the technical and engineering work, we brought in other engineers.
0:29:01 And this is an interesting point because of the way you chose to do it. But you overlaid
0:29:07 like SOC2 and GDPR and other privacy work sort of all at the same time, which sounds overwhelming,
0:29:11 but it’s also closely related. Was it more efficient to do it that way?
0:29:17 Doing a lot of these broader things like GDPR and FedRAMP, you know, there is overlap. So
0:29:23 it certainly helps. I don’t know that I would wish that all those things on anyone, but certainly
0:29:28 you’re doing a lot of the same things. And, you know, for folks that do SOC2, you probably know
0:29:34 the COSO standards were added, I think last year. Okay. So one last thing, which is you go through
0:29:40 all of this, you’re given the label like in-process, authorized, like what are the specifics of that?
0:29:44 Because that’s something that salespeople often do get confused because of the FedRAMP lingo,
0:29:50 so to speak. The lingo can be slightly confusing. So in order to be listed in the FedRAMP marketplace
0:29:54 on the website, a marketplace, which is literally like these are the cloud things you can go buy
0:30:01 as a federal agency. Yeah, exactly. So there’s FedRAMP ready and FedRAMP in-process. And I think
0:30:07 people swap those around a lot. So FedRAMP ready means that you’ve gone through sort of a
0:30:14 high-level evaluation. And if you get that ready stamp, it means that they think that you’re capable to
0:30:19 meet the FedRAMP requirements. And it’s just intended to help agencies look out there and say,
0:30:24 oh, well, you know, there’s an independent assessment that these folks are ready and can
0:30:31 probably do it. Whereas in-process is a designation where you have to have the authorizing official
0:30:36 at an agency tell the FedRAMP office that we are working with this cloud service provider on
0:30:41 an authorization. You’re not authorized yet, but you’re affirmatively working on that authorization.
0:30:45 And don’t play fast and loose with those terms with your salespeople. Like,
0:30:50 don’t make up what they mean and don’t say what you aren’t. Because they like branding guidelines
0:30:54 and stuff. Yeah, the FedRAMP office has branding guidelines. And, you know, for a good reason,
0:30:59 they don’t want companies out there saying that, you know, they have a FedRAMP authorization if
0:31:04 they don’t. They’ve worked hard on creating this process and creating this framework. And
0:31:09 they don’t want companies misrepresenting. And so ultimately with security things, the reason,
0:31:13 you know, nobody wants anything to happen, like a breach or anything like that. But
0:31:17 if you’re operating in this environment where you’ve committed to a customer, in this case,
0:31:24 a federal agency that you do all this stuff, and then something happens, does FedRAMP have say in,
0:31:28 like, are they part of like adjudicating the failure? Or do they have remediation duties?
0:31:32 Or are they not involved in that? Like, where does the government come in
0:31:38 in terms of a security issue? Well, fortunately, I don’t have direct experience with that. But
0:31:45 the ConMon guide on continuous monitoring does cover various types of escalations like incidents.
0:31:51 And so I think if a company had an authorization and they had some kind of security incident or
0:31:57 breach occur, it would go through that escalation process in the ConMon guide. And certainly they contemplate
0:32:03 revocation of your authorization. But I imagine it would be a conversation with the folks at the
0:32:07 agency, you know, talking about your plan for remediation. Did you catch it? Did you limit the
0:32:12 damage? So I don’t have sort of a black and white answer on what would happen there, but
0:32:16 I know that they’ve put a framework in place to address those kinds of things.
0:32:20 All right. So in your role in Everlaw, you’ve gone through quite a few certifications. Like,
0:32:26 you’ve gone through GDPR, you’ve gone through SOC2, you’re working on FedRAMP. Like, where does this
0:32:31 fall in the spectrum of effort and time and complexity compared to you’ve done some health
0:32:36 care, even though HIPAA is not a certification? Yeah, we’ve done the privacy SOC2, but we’ve
0:32:41 also done an independent sort of HIPAA compliance assessment as well. And FedRAMP has definitely
0:32:47 been the most work because it involves, you know, from an architectural standpoint, you know,
0:32:53 we’re creating a federal environment and there’s a lot of work that we’ve done to improve on the
0:32:59 back end. But I’m trying to think because GDPR is also a ton of work. It’s actually a good time
0:33:02 to mention too. One of the things that I found particularly interesting as I dove into this
0:33:10 with you is that at every step, the OMB has really worked to make this like attractive and easy.
0:33:15 That sounds weird, but their goal is not to stop you from getting authorized. It’s actually to
0:33:21 find ways to get you authorized. And for what it’s worth, the FedRAMP.gov website is one of the best
0:33:26 federal websites out there. They have a person who’s the customer success manager. So they really
0:33:32 are trying to make it easier for cloud companies to go through this process to understand. And,
0:33:37 you know, Everlaw, we met with those folks and they helped us. They helped guide us. And so
0:33:41 we found that to be really helpful. Yeah. So unlike what you’d normally think of in terms of
0:33:45 regulation or certification, they don’t come across as like, we’re here to prevent you from
0:33:50 getting this. No, not at all. It’s not even like the DMV in that regard. They actually just want
0:33:55 to help you. Yeah. I mean, their mandate is to help carry out the cloud first or, you know,
0:34:00 the policy that the government has to push IT modernization and cloud adoption in the federal
0:34:05 government. Well, this was super fun. So thanks so much. This has been Steven Sinofsky and
0:34:07 Lisa Hawke. Thank you. Thank you very much.
with @ldhawke and @stevesi
The government wants to get onto the cloud! But how do they assess the levels of risk in adopting specific cloud products, and which “cloud service providers” (aka “CSPs”) to work with? That’s where FedRAMP — the Federal Risk and Authorization Management Program — comes in. And enterprise SaaS companies need to pay attention, since it will be a requirement for selling to the U.S. government, which is one of the biggest buyers of tech. Not just that, but even state governments and private/public companies may seek FedRAMP certification because they either work with the federal government or are just seeking standards.
How similar or different is FedRAMP to other types of certification, authorization, and compliance (such as ISO, SOC-2, GDPR, even HIPAA); and what does it mean for a startup to go through organizationally, culturally? Is it like a check-the-box policy thing, is it like getting a driver’s license… or what? One thing’s for sure: It’s an opportunity for enterprise SaaS startups, and the government is trying to help companies through the process.
What are the steps to certification? What are some acronyms and terms to be aware of? When and how should you bring a consultant, advisor, or third-party auditor into the process? How long does it take, really? And how does it affect your sales team? Most importantly, what is the best strategy for moving forward? (Hint: start with a customer). Lisa Hawke, VP of Security and Compliance at Everlaw, an a16z company, shares her expertise and their experience in navigating all this, as well as the resources below, in this episode of the a16z Podcast hosted by board partner Steven Sinofsky. (The two were also previously on another episode sharing everything startups need to know about GDPR.)
For links mentioned in this episode and other resources, see: https://a16z.com/2019/08/28/fedramp-why-what-how-for-startups/