Some of the best policy implementation ideas come from the trenches.
In the case of FedRAMP — the standardized approach to federal cloud security — I think the federal government would benefit from hearing from software vendors that have recently gone through (or are currently going through) the FedRAMP authorization process.
That’s why I’ve worked with a number of current and alumni Insight Partners portfolio companies to co-author a whitepaper, with concrete ideas about how to make FedRAMP better.
I’ll admit to having mixed feelings on FedRAMP. The idea of a single authorization is appealing — if it can truly obviate the need for long security approval processes in multiple agencies. In other words, accredit once, and re-use everywhere. If adopted at scale and speed, FedRAMP could truly empower agencies to accelerate the adoption of secure cloud solutions.
But the reality is more complicated. The FedRAMP PMO is a small program office inside GSA without a lot of resources. Every FedRAMP certification requires a federal agency sponsor (or several, in the case of the Joint Authorization Board) and requires the FedRAMP office to sign off — creating a single-threaded process. The DoD Cloud Authorization processes have additional complexity and opacity due to the uniqueness of the DoD network and specific DoD security requirements. From my informal poll, it takes Insight companies, on average, a year to get FedRAMP authorized — and for some, it has taken much longer.
As I’ve testified previously, from my perspective the federal government is failing to adopt Software as a Service (SaaS) fast enough to meet mission needs. There are approximately 120,000 U.S. software companies in business in 2021, but the FedRAMP marketplace has only 231 authorizations (including SaaS, PaaS, and IaaS) listed, and DISA lists merely 27 unclassified cloud offerings.
The U.S. government is not adopting private-sector innovation — especially commercial software delivered as SaaS — fast enough to meet enterprise and mission needs.
Despite the dedicated work of talented and smart people, FedRAMP and the DoD Cloud Authorization processes aren’t scaling fast enough.
The good news is that the Biden Administration has made FedRAMP modernization a priority — emphasizing FedRAMP training, communication, automation, streamlining, and reuse of other relevant compliance frameworks — in the May 12, 2021 “Executive Order on Improving the Nation’s Cybersecurity.”
While the intent of the FedRAMP and DoD Cloud Authorization processes is laudable, their approval processes are costly and burdensome to growing software companies. From experience with Insight-backed companies, I know that many SaaS companies delay entry into the federal marketplace, to the detriment of competition, innovation, and mission capabilities. The current lack of FedRAMP and DoD-approved SaaS applications is a lose-lose for both government and industry.
As part of the new EO’s efforts to modernize FedRAMP, we are putting forth these recommendations — grounded in actual experience from software vendors — to improve government cloud software adoption. Accelerating adoption does not need to come at the expense of security; in fact, we believe faster adoption is a critical precondition to achieving it. Our recommendations aim to expedite approvals while simultaneously improving the security of mission-critical IT systems.
As background, Insight Partners is a leading global venture capital and private equity firm investing in high-growth technology and software ScaleUp companies that are driving transformative change in their industries. Insight has invested in more than 400 companies worldwide and has raised, through a series of funds, more than $30B in capital commitments.
The recommendations in this paper were developed by security professionals from across Insight’s current and former portfolio who have gone through FedRAMP and DoD security certification. Furthermore, these individuals have a significant amount of government experience, including having served in senior cybersecurity roles in the Federal government and DoD.
A special thanks to USAF Lt Col (ret.) John Allison, with industry experience at Devo, Armis, and Cisco, who spearheaded this whitepaper and has been working with a number of Insight-backed companies to help them with their FedRAMP authorization efforts.
We can improve security and reduce the burden on both industry and government if we modernize FedRAMP. I’m hopeful the Biden Administration considers these recommendations — and other industry input — to make sure that security is working at the speed of commercial innovation. Let’s get to work.