How to fund security and modernize at the same time

FedRAMP's standards go a long way toward the security goals the White House just set -- but smaller firms must be able to afford the authorization process.


In our last article, we argued that the government's FedRAMP cybersecurity program was a reasonable and effective tool for reducing cybersecurity threats, but after 10 years, it remains under-funded and insufficiently scaled to address the universe of 18,000 cloud-based commercial products. We argued for increasing funding and setting up a robust FedRAMP shared service model that could serve the entire government. We believe relieving individual agencies of pursuing their own FedRAMP authorizations is an efficient approach to break the current authorizations bottleneck.

Two days after publication, Colonial Pipeline shut down its gas transport operations because of another criminal ransomware attack. Then on May 12, the White House released a long-awaited executive order designed to improve the "Nation's Cybersecurity." In the wake of the Office of Personnel Management, SolarWinds, and Colonial Pipeline breaches, it appears the government is ready to take a serious stand on enforcing cybersecurity through enhanced procurement regulations designed to block and purge unsafe software.

Fortuitously, the new executive order touches on some of our recommendations for FedRAMP by explicitly requiring its "modernization" and encouraging better security through increased cloud adoption. Importantly, most of the specific safety directives address implementing National Institute of Standards and Technology Special Publications 800-160 and 800-53, which already exist and have always been part of the FedRAMP process. In other words, if agencies follow existing FedRAMP protocols, they will also be largely complying with the new executive order.

The Biden White House's new guidance, with some exceptions, puts significant teeth and enforcement into what already exists. There is a lot of important administrative work to be done and deadlines to be met, but the underlying security framework will likely remain largely the same for the immediate future.

Unfortunately, even if the FedRAMP Project Management Office is modernized, there is still a need to address a staggering problem. The cost of pursuing a FedRAMP authorization for a software company ranges from $500,000 to $1 million for a single product. Obviously, this is especially burdensome for small companies -- the same firms that often drive the innovation and modernization the government seeks. Imagine asking a small company to expend $1 million before it sells a single product to the government. Imagine the cumulative money spent to ensure that every single cloud-based product used by the government has gone through this process.

There have always been two sides to the cybersecurity regulatory problem. The government hasn't properly resourced the security authorization side, thereby creating an approval bottleneck. And the cost to meet compliance on the industry side has been exorbitant, chasing away small players. The government wants to modernize, but with the high cost of security compliance, it may have effectively built a moat -- thwarting innovation and creating an oligarchy of software suppliers. Only well-established incumbents, with significant resources, are equipped to cope with the cost of security compliance.

What can be done?

In order to keep smaller software innovators engaged and to prevent the creation of a software oligarchy, the government should look at creative options to provide small businesses with access to FedRAMP. One approach might be for the government to fund authorizations by paying fully or partially for the third-party accreditation process. Currently, a collection of expert firms called Third Party Assessment Organizations (3PAOs) are critical to the undertaking. These are private firms, and their primary function is to closely examine the artifacts provided by software companies to demonstrate compliance with NIST standards. 3PAOs provide the government with the authoritative proof of compliance.

Perhaps the government could run competitions to select promising innovative software products and set aside funds for 3PAOs to be paid by the government. Alternatively, perhaps there can be a few 3PAOs fully funded by the government and dedicated to working with software companies of a certain size. In a sense, this could be a vertical integration, bringing a few 3PAOs "in-house," exclusively for the purpose of driving FedRAMP authorizations for promising products from smaller companies. Rigorous contracting competitions could be set up to control access to the government's 3PAOs, perhaps funded through the TMF program.

Additionally, the government could use the Small Business Innovation Research (SBIR) program for funding to allow software companies to apply for an incremental approach to FedRAMP. SBIR grants could be provided in tranches that match typical FedRAMP phases. A promising small business with a useful innovative product could be awarded a Phase I increment of funding to demonstrate it can meet FedRAMP "ready" status. Another block of funding could be awarded to complete the full Authority to Operate (ATO), once an agency has determined it would like to utilize the product.

Likewise, for the Department of Defense, Other Transaction Authorities (OTAs) are potentially a perfect fit to provide funding to secure promising software applications. OTAs are explicitly intended to let DoD lower the entry barriers for commercial companies to develop prototypes that enhance mission effectiveness. It seems that, with the proper budget, OTAs could accelerate a significant volume of FedRAMP authorized products.

These are just a few options. The important thing is for the government to recognize that while it is obviously critical to secure the information technology estate, it must do so in a way that doesn't lock out modernization, innovation, and competition.

Modernization and security are not mutually exclusive. In fact, a modernized IT infrastructure would be beneficial for the enhancement of security -- but it is imperative for the government to appreciate its current dilemma. It needs to simultaneously expand its ability to provide FedRAMP authorizations and at the same time lower industry's cost of compliance. It is possible to achieve both of these, but it requires a plan.
