Earlier this year, we held our inaugural CTO Summit, where we virtually gathered CTOs from our portfolio companies to discuss trends, challenges, wins, and opportunities. It was a fantastic day full of thoughtful discussions and networking opportunities.
Below is a recap of a session hosted by Ruston Vickers, Vice President of Engineering at Vyopta. During this session, he discussed the process of pursuing FedRAMP certification and some of the complexities this often entails for SaaS companies.
The world of security and privacy frameworks and compliance audits is vast and varied. Between SOC 2, GDPR, and HIPAA, among others, few companies are exempt from some data protection requirement, whether it comes from their industry or from where their customers are located.
The Federal Risk and Authorization Management Program (FedRAMP), specifically, offers a standardized approach to security assessment, authorization, and continuous monitoring for cloud services that federal agencies use. Strictly speaking, FedRAMP grants an authorization rather than a certification, but "certification" is the term most people use, and this recap follows that usage.
Though FedRAMP offers a significant opportunity for SaaS providers to grow their business through the government vertical, achieving FedRAMP certification can be a long and arduous process. Perhaps the biggest challenge is that many of the controls included within FedRAMP run counter to the agile development process and the "move fast and break things" culture that growing SaaS companies rely on (containers, for example, draw extra scrutiny from assessors). Diving into the FedRAMP process could therefore change the way your business must operate, and how your employees get their jobs done.
There's no use fighting it; after all, FedRAMP certification is required for cloud services that federal agencies buy. But there are a few ways you can make the process easier for yourself and your business.
Achieving FedRAMP certification is an expensive process. The more you understand about the expenses you may incur, and the earlier you plan for them, the better. First, you'll need to consider consulting fees. FedRAMP consultants are third-party providers who guide you through preparation and the compliance audit. Separately, the assessment itself is performed by an accredited Third Party Assessment Organization (3PAO), which is independent of the consultants who helped you prepare. Together they are essential to ensure your business meets all of the requirements ("controls") included within FedRAMP.
Additionally, as you undergo the preparation and audit process, you will likely uncover processes and systems that need to be updated and reconfigured to meet FedRAMP requirements. In some cases, it might even make sense to create a second cloud environment specifically for your government customers. Naturally, all of these new systems and tools will require additional expenses.
Speaking of expenses, it might be time to add personnel to your team. There is a lot of reporting and auditing involved in the FedRAMP certification process, both before and after you achieve your first certification, and the controls also require continuous monitoring of your cloud service offering after authorization, with recurring deliverables such as monthly vulnerability scan results and plans of action and milestones (POA&Ms) to show ongoing compliance.
It's helpful to hire someone who is familiar with the process and can handle the administrative support so that you are prepared for the annual assessments and continuous monitoring that follow your initial authorization. Bonus points if your new hire has experience working with the third-party consultants and assessors mentioned above.
There are three levels of FedRAMP certification you can achieve based on the type of data you store, process, and transmit. Federal Information Processing Standard (FIPS) 199 defines the "impact level" (Low, Moderate, or High) that your system falls into, which in turn determines the baseline your business must meet. The higher the level, the more controls your business will need to adhere to. The impact level relevant to your business can be a moving target as your organization grows and evolves.
To that point, it's helpful to go into the FedRAMP certification process knowing that the goal post may move. For example, you may need to update your target impact level in the middle of an audit or a recertification. The FedRAMP baselines, which are drawn from NIST SP 800-53, are also revised periodically to keep pace with the changing technology landscape, another thing that may require you to switch gears on the way to certification.
Though being flexible can be challenging in its own right, there is a silver lining to all of this: undergoing a rigorous certification process like FedRAMP sets you up for success with other security and compliance standards. These standards frequently include overlapping control elements, so the work you do to achieve FedRAMP certification could save you time and money later when you seek other certifications.
Adhering to FedRAMP guidelines is going to change the way you do business, and that can be jarring for some employees. If your team of engineers is all-in on startup life, they may not be happy to hear they need to jump through extra hoops to develop in a new way.
For example, FedRAMP requires things like encrypted communication between microservices (using FIPS 140-validated cryptographic modules for data in transit) and limiting access to production environments to the people and roles that need it. This can slow down development timelines and frustrate employees who are accustomed to smaller shops where everyone has unrestricted access to everything. A lot of processes you take for granted at a smaller company won't pass muster for a FedRAMP-certified business.
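The two requirements just mentioned, encrypted service-to-service traffic and restricting who may reach a production endpoint, are easier to see in code than in prose. The Go program below is an added example and is not code from the original post or from Vyopta. It uses mutual TLS, which is one common way to meet both requirements but is this example's choice rather than something the post prescribes: a hypothetical in-memory CA issues certificates to a "billing" service and to its callers, the server refuses any connection that does not present a client certificate from that CA, and the handler then checks the caller's certificate name against an allow list. The service names, the CA, and the in-memory key generation are all constructed for the demo. Whether the TLS stack you actually deploy is a FIPS 140-validated module is a separate check from the configuration shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Added demo (not the page's or Vyopta's code). An in-memory root CA issues one-hour certs to
// a hypothetical "billing" service and its callers; billing accepts only TLS 1.2+ connections
// presenting a client cert from that CA, then authorizes by the cert's CommonName. Names are invented.

// mint signs a one-hour cert for name; parent == nil creates the self-signed root, else a leaf with the given EKU.
func mint(name string, parent *tls.Certificate, usage x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	if parent == nil { // root: CA flag, cert-signing key usage, no EKU restriction on leaves
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startBilling serves /invoices over TLS on loopback, refusing any handshake that lacks
// a client certificate chaining to the trust pool. It returns the URL and a stop function.
func startBilling(trust *x509.CertPool, cert tls.Certificate, allowed map[string]bool) (string, func()) {
	mux := http.NewServeMux()
	mux.HandleFunc("/invoices", func(w http.ResponseWriter, r *http.Request) {
		// RequireAndVerifyClientCert guarantees a verified peer certificate is present here.
		caller := r.TLS.PeerCertificates[0].Subject.CommonName
		if !allowed[caller] {
			http.Error(w, "forbidden: "+caller, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "invoices for %s", caller)
	})
	ts := httptest.NewUnstartedServer(mux)
	ts.TLS = &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{cert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	ts.StartTLS()
	return ts.URL + "/invoices", ts.Close
}

// call fetches url presenting ids as client certificates; nil ids means an anonymous caller.
func call(url string, trust *x509.CertPool, ids []tls.Certificate) (int, string, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trust, ServerName: "billing", Certificates: ids}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

type demoResult struct {
	ReportsStatus, ExportStatus int    // allow-listed "reports"; CA-issued but not allow-listed "batch-export"
	ReportsBody                 string
	NoCertErr                   error  // caller presenting no certificate: rejected in the handshake
}

func runDemo() demoResult {
	ca := mint("demo-internal-ca", nil, 0)
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	url, stop := startBilling(trust, mint("billing", &ca, x509.ExtKeyUsageServerAuth), map[string]bool{"reports": true})
	defer stop()
	var r demoResult
	r.ReportsStatus, r.ReportsBody, _ = call(url, trust, []tls.Certificate{mint("reports", &ca, x509.ExtKeyUsageClientAuth)})
	r.ExportStatus, _, _ = call(url, trust, []tls.Certificate{mint("batch-export", &ca, x509.ExtKeyUsageClientAuth)})
	_, _, r.NoCertErr = call(url, trust, nil)
	return r
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

The three callers in runDemo separate the two controls: authentication is enforced by the TLS layer (a caller with no certificate never reaches the handler), while authorization is a plain allow-list check in the handler (a caller with a valid certificate but the wrong name gets a 403). In a real deployment the CA, issuance, and rotation would come from your PKI or service mesh rather than from an in-process helper.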
To ease employee concerns, consider getting them involved in the audit process. Clue them into changes from the start so they understand why they are necessary. They might even have valuable feedback about how your business can meet certain control requirements in a way that is more efficient for employees who work on the ground floor day in and day out.
In the end, don’t be alarmed if some employees who are dedicated to startup life still choose to jump ship; if it’s no longer a fit, it’s no longer a fit.
While it may seem like there are many hoops to jump through, the mere fact that you are even thinking about FedRAMP compliance is likely a good sign for your business. You’ve identified a new market opportunity with government organizations and are preparing your business to meet that opportunity.
Once you achieve FedRAMP compliance, it unlocks a variety of new benefits and opportunities. For example, FedRAMP certification gives your company a reputation boost, leading customers and investors alike to view your company as a business that prioritizes security, and offers peace of mind in return.
Prepare for the road ahead, but make time to celebrate your success and what this means for your business on the way.
Preparing for a FedRAMP certification? Contact us with your questions and connect with our community of Operating Advisors, who always have great advice to share!