You need to know what FedRAMP is. Don't even bother clicking on the link until you do.
Founded in 2011.
> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.
Seems pretty bland to me. I'm not worried about this one.
It's a bland title for a key thing: It sets compliance standards for government use of cloud computing. Even companies like Google have had massive projects to get FedRAMP compliant so that the federal government can use their services.
I used to work on FedRamp and I’m fine with it. It’s just like SOC2 compliance, mostly dog and pony show for auditors who have conflict of interest and no clue what they are auditing.
> And this announcement is basically just that they're going to massively lower the bar
The FedRAMP bar was always dumb.
I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.
To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.
A lot of the innovation on the security vendor side is happening at early-mid stage startups, but sinking $15-20M and 1.5-
2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.
Everyone in startups should be a fan of this. More competition in government space is a net benefit for everyone.
Its quite funny to see the comments complaining about "lowering the bar" when FedRAMP compliance is essentially a compliance regime that is so convoluted that most startups wouldn't be able to afford the entry barrier.
Now, there is a chance that a smaller vendor could feasibility compete with a massive consultancy like Accenture since the artificial barriers have been decreased.
FedRAMP compliance are also required for SaaS vendors. Datadog is famous for having it (and it took them awhile)
Updates of service that alter controls, change crypto libraries and some other stuff require assessment and approval.
For most of companies it's easier just to update it once a year of ever
FedRAMP High requires having separate operators (developers are not allowed to deploy directly to production). Being behind on features is considered a feature, not a bug.
I've been a Engineer, PM, and VC in the cybersecurity for more than a decade now, and most of us would need to spend $15-20M and 1.5-2 years just to get FedRAMP compliance.
In return, most vendors charge significantly higher than private sector rates despite selling the exact same product. And usually, an oligopoly forms per security feature.
Making it easier to have multiple vendors makes it easier for federal agencies to negotiate a competitive price.
If it's costing $15-$20M to get a FedRAMP ATO you are probably doing at least some things VERY wrong. A ton of the security controls you should already be implementing in ANY environment.
Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.
Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a li-saas and then later a moderate ATO to encompass more of our products.
The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additinoal salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.
The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.
So for ya'll who haven't been involved with DoD/secret/etc cloud projects, there's a bunch of jargon to learn, but suffice to say there's a lot legally-required standards that define the right way to run secure government IT. It's normal good practice, but cranked up, standardized, and verified.
There is a problem though. With so many companies moving projects to the cloud, the government would need to take time to verify everyone is as secure as they're supposed to be. But that would require a huge number of new employees (thus $$$) and it would still take a lot of time. So how does the government make sure they're all secure before they send them secret data? Here's a tip:
> The concept emphasizes security over compliance
Huh? How can you have security without compliance?
Afaik, "compliance" means "we make sure they're as secure as they say they are". And how do they do that? For the past few years at least, it's involved a process called self-attestation. The company fills out a bunch of forms, and sends them to the government, saying "we promise we are doing all these things like you told us to". And then the government... takes them at their word. As you can imagine, with millions/billions of dollars to earn, companies might be incentivized to fudge it a bit. And fudge it they do... (not just FedRAMP, but NIST 800-54, 800-171, CMMC v1/2/3, etc etc).
Now, with so many companies and use cases, there are obviously some things that won't apply to some companies, so it would be nice if they could avoid that red tape. With the old processes, if you were actually doing things the right way, it could take a company between 6 months and 1 year to set everything up securely / the way the govt wants it. There's a whole cottage industry dedicated to helping companies understand how the fuck to follow these regulations. But since that's expensive and time consuming.... a lot of companies just fudge it, or call a friend who knows a friend who knows a General.
That was the state of things before this "20x" version of FedRAMP was released. Personally I was not thrilled by the state of things before, but this seems to be both accelerating the process, and providing less oversight. Not great for the military, not great for national security, but really great for "industry" and any military branch getting a contract faster and cheaper than otherwise.
(disclaimer: i'm a noob in this area, but I dipped my toes in last year, and "shitshow" would be one way to put it...)
FedRAMP services, even FedRAMP High services, aren't authorized to host classified material. My understanding is that those agreements are still largely negotiated directly between the intelligence / defense services and the big providers, such as the Joint Warfighting Cloud Capability contract. FedRAMP is a program for vetting SaaS services for use by government agencies broadly. FedRAMP Moderate and High certified services are qualified to host Controlled Unclassified Information, which might be sensitive and held by either the government or private companies like defense contractors, but I wouldn't call them state secrets per se
This is a false dichotomy. There's a massive grand canyon sized gulf between "unvetted technology" and whatever the hell SAP/Oracle/Tyler-Technologies are.
The point here is to avoid the oracles of the world getting everything. Please trust me on this one: fedramp isn’t really about security. Compliance with it doesn’t ensure it and noncompliance doesn’t preclude it. It was okay when originally released but that’s not been the case for years now.
Oracle was already on the FedRAMP list I think. AFAIK this is about getting smaller cloud providers approved to host government projects so there’s more options available.
This is about changing the way FedRAMP accreditation is done for any cloud service, like Box (or a new SaaS that you may create tomorrow). The FedRAMP process requires you go through a certain set of audits, meet a certain set of standards, etc., in order to be approved to host CUI (IL4/5) or SECRET (IL6) information.
Normally this can take a lot of time and monetary investment. On one hand, these processes encode cybersecurity best practices. On another hand, it keeps new companies out of the market.
It seems this effort is doing away with a lot of those processes. I hope the level of compliance stays the same.
But why would any agency chooses smaller cloud providers other than Oracle, AWS, Azure and Google? They are the lowest risk selection in terms of responsibility.
Edit: Another comments actually replied it is much more than hosting but cloud services like BOX. I assume even SaaS could fall into this category.
FedRAMP is a set of technologies vetted by a common standard by GSA. It assists in moving technologies from one-off authority to operate (ATO) with a specific CIO office in an agency or department to a shared standard.
It takes some investment, but it is cheaper than each company jumping through arbitrary hoops and opens most of the federal government as a client.
It was part of the brainchild of GSA's 18F, recently DOGE'd.
You need to know what FedRAMP is. Don't even bother clicking on the link until you do.
Founded in 2011.
> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.
Seems pretty bland to me. I'm not worried about this one.
[1]: https://en.wikipedia.org/wiki/FedRAMP
It's a bland title for a key thing: It sets compliance standards for government use of cloud computing. Even companies like Google have had massive projects to get FedRAMP compliant so that the federal government can use their services.
See for example: https://fedscoop.com/google-earns-fedramp-high-authorization...
And this announcement is basically just that they're going to massively lower the bar.
I used to work on FedRamp and I’m fine with it. It’s just like SOC2 compliance, mostly dog and pony show for auditors who have conflict of interest and no clue what they are auditing.
> And this announcement is basically just that they're going to massively lower the bar
The FedRAMP bar was always dumb.
I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.
To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.
A lot of the innovation on the security vendor side is happening at early-mid stage startups, but sinking $15-20M and 1.5- 2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.
It feels like enforcing that everything must be written in Ada. And then relaxing the requirement... history always repeats itself, it seems.
Sounds like a good time to invest in Russian VPS hosts.
Well, it explains why all the SV billionaires were so hot to get Trump in office. Basically, a taxpayer funded payday for them.
Everyone in startups should be a fan of this. More competition in government space is a net benefit for everyone.
Its quite funny to see the comments complaining about "lowering the bar" when FedRAMP compliance is essentially a compliance regime that is so convoluted that most startups wouldn't be able to afford the entry barrier.
Now, there is a chance that a smaller vendor could feasibility compete with a massive consultancy like Accenture since the artificial barriers have been decreased.
FedRAMP compliance are also required for SaaS vendors. Datadog is famous for having it (and it took them awhile)
Every FedRAMP/GRC cloud service seems to be some funky version that's missing features or behind on releases
Updates of service that alter controls, change crypto libraries and some other stuff require assessment and approval. For most of companies it's easier just to update it once a year of ever
FedRAMP High requires having separate operators (developers are not allowed to deploy directly to production). Being behind on features is considered a feature, not a bug.
So, is there any evidence of actual improvement in anything that taxpayers care about?
Better procurement rates.
I've been a Engineer, PM, and VC in the cybersecurity for more than a decade now, and most of us would need to spend $15-20M and 1.5-2 years just to get FedRAMP compliance.
In return, most vendors charge significantly higher than private sector rates despite selling the exact same product. And usually, an oligopoly forms per security feature.
Making it easier to have multiple vendors makes it easier for federal agencies to negotiate a competitive price.
If it's costing $15-$20M to get a FedRAMP ATO you are probably doing at least some things VERY wrong. A ton of the security controls you should already be implementing in ANY environment.
Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.
Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a li-saas and then later a moderate ATO to encompass more of our products.
The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additinoal salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.
The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.
The .gov be able to host cloud products in their tenants, and get the ability to do so more quickly. Perhaps cheaper.
It’s probably a good thing.
[flagged]
Public discussions, https://github.com/FedRAMP/rfcs
RFC-0005: Minimum Assessment Scope Standard, https://github.com/FedRAMP/rfcs/discussions/17
RFC-0006: 20x Phase One Key Security Indicators, https://github.com/FedRAMP/rfcs/discussions/18
RFC-0007: Significant Change Notification Standard, https://github.com/FedRAMP/rfcs/discussions/19
RFC-0008: Continuous Reporting Standard, https://github.com/FedRAMP/rfcs/discussions/27
Fedramp 20x as of now is only for low impact services that are hosted on fedramp authorized cloud.
It's not suitable for more complicated services.
On the upside, pmo seems to stop reviewing packages. It should resolve certification delays
So for ya'll who haven't been involved with DoD/secret/etc cloud projects, there's a bunch of jargon to learn, but suffice to say there's a lot legally-required standards that define the right way to run secure government IT. It's normal good practice, but cranked up, standardized, and verified.
There is a problem though. With so many companies moving projects to the cloud, the government would need to take time to verify everyone is as secure as they're supposed to be. But that would require a huge number of new employees (thus $$$) and it would still take a lot of time. So how does the government make sure they're all secure before they send them secret data? Here's a tip:
> The concept emphasizes security over compliance
Huh? How can you have security without compliance?
Afaik, "compliance" means "we make sure they're as secure as they say they are". And how do they do that? For the past few years at least, it's involved a process called self-attestation. The company fills out a bunch of forms, and sends them to the government, saying "we promise we are doing all these things like you told us to". And then the government... takes them at their word. As you can imagine, with millions/billions of dollars to earn, companies might be incentivized to fudge it a bit. And fudge it they do... (not just FedRAMP, but NIST 800-54, 800-171, CMMC v1/2/3, etc etc).
Now, with so many companies and use cases, there are obviously some things that won't apply to some companies, so it would be nice if they could avoid that red tape. With the old processes, if you were actually doing things the right way, it could take a company between 6 months and 1 year to set everything up securely / the way the govt wants it. There's a whole cottage industry dedicated to helping companies understand how the fuck to follow these regulations. But since that's expensive and time consuming.... a lot of companies just fudge it, or call a friend who knows a friend who knows a General.
That was the state of things before this "20x" version of FedRAMP was released. Personally I was not thrilled by the state of things before, but this seems to be both accelerating the process, and providing less oversight. Not great for the military, not great for national security, but really great for "industry" and any military branch getting a contract faster and cheaper than otherwise.
(disclaimer: i'm a noob in this area, but I dipped my toes in last year, and "shitshow" would be one way to put it...)
Most people in the security space realize there are two things you do: (1) things for security (2) things for compliance.
And the Venn diagram has less overlap than you might think.
If there’s one thing I don’t really want to see “accelerated” it’s the pace at which our state secrets add new, unvetted technology.
“Move fast and break things” is absolutely insane for the things that let us all sleep soundly at night…
FedRAMP services, even FedRAMP High services, aren't authorized to host classified material. My understanding is that those agreements are still largely negotiated directly between the intelligence / defense services and the big providers, such as the Joint Warfighting Cloud Capability contract. FedRAMP is a program for vetting SaaS services for use by government agencies broadly. FedRAMP Moderate and High certified services are qualified to host Controlled Unclassified Information, which might be sensitive and held by either the government or private companies like defense contractors, but I wouldn't call them state secrets per se
This is a false dichotomy. There's a massive grand canyon sized gulf between "unvetted technology" and whatever the hell SAP/Oracle/Tyler-Technologies are.
FedRAMP can’t have classified data.
This is for a lot of very benign government tools that that are expensive, stodgy, with very little competition.
What is this, exactly?
Is this Oracle (or whomever) getting government cloud contracts without a bidding / RFP process?
Is there adequate security review being done?
The point here is to avoid the oracles of the world getting everything. Please trust me on this one: fedramp isn’t really about security. Compliance with it doesn’t ensure it and noncompliance doesn’t preclude it. It was okay when originally released but that’s not been the case for years now.
Oracle was already on the FedRAMP list I think. AFAIK this is about getting smaller cloud providers approved to host government projects so there’s more options available.
This is about changing the way FedRAMP accreditation is done for any cloud service, like Box (or a new SaaS that you may create tomorrow). The FedRAMP process requires you go through a certain set of audits, meet a certain set of standards, etc., in order to be approved to host CUI (IL4/5) or SECRET (IL6) information.
Normally this can take a lot of time and monetary investment. On one hand, these processes encode cybersecurity best practices. On another hand, it keeps new companies out of the market.
It seems this effort is doing away with a lot of those processes. I hope the level of compliance stays the same.
But why would any agency chooses smaller cloud providers other than Oracle, AWS, Azure and Google? They are the lowest risk selection in terms of responsibility.
Edit: Another comments actually replied it is much more than hosting but cloud services like BOX. I assume even SaaS could fall into this category.
Serious question: Why don't you spend a few minutes learning about it, rather than throwing negative comments out?
Do you think vomiting a negative talking point without understanding it is considered "smart"?
FedRAMP is a set of technologies vetted by a common standard by GSA. It assists in moving technologies from one-off authority to operate (ATO) with a specific CIO office in an agency or department to a shared standard.
It takes some investment, but it is cheaper than each company jumping through arbitrary hoops and opens most of the federal government as a client.
It was part of the brainchild of GSA's 18F, recently DOGE'd.
[flagged]