Navigating the Clouds: Decoding FedRAMP with LaunchDarkly and Schellman

Tim Winkler: 00:00:04

Welcome to The Pair Program from hatchpad, the podcast that gives you

2

: 00:00:07

a front row seat to candid conversations

with tech leaders from the startup world.

3

: 00:00:12

I'm your host, Tim Winkler,

the creator of hatchpad.

4

: 00:00:14

And I'm your other host, Mike Gruen.

5

: 00:00:16

Join us each episode as we bring

together two guests to dissect topics

6

: 00:00:20

at the intersection of technology,

startups, and career growth.

7

: 00:00:32

Hey everyone, welcome

back to The Pair Program.

8

: 00:00:34

Tim Winkler here with Mike Gruen.

9

: 00:00:36

Uh, Mike, my wife is a big fan of these

National Calendar Day, uh, items, so.

10

: 00:00:44

You know what I'm talking about with that?

11

: 00:00:45

I mean, I know that there are

12

: 00:00:46

Mike Gruen: national calendar

days, but National days.

13

: 00:00:49

Yeah, but I don't know.

14

: 00:00:50

So every day

15

: 00:00:50

Tim Winkler: is some

national day to celebrate.

16

: 00:00:52

Is every day something?

17

: 00:00:54

Yeah, they've come up with

something for every day.

18

: 00:00:56

So for example, today

is national avocado day.

19

: 00:00:59

And, um, so I'm gonna

ask you an avocado guy.

20

: 00:01:02

Are you big, big guacamole

21

: 00:01:04

Mike Gruen: guy?

22

: 00:01:04

So I like avocados, but I'm

not a big guacamole guy.

23

: 00:01:07

Um, usually got too much

garlic in it for me.

24

: 00:01:10

And, uh, the garlic just

doesn't sit well with me.

25

: 00:01:13

So.

26

: 00:01:14

Um, it's not that I don't like

the taste of garlic, it's just

27

: 00:01:16

that it does bad things to me.

28

: 00:01:18

Tim Winkler: Yeah, so, so, F.

29

: 00:01:21

Mary, kill, uh, guac,

queso, guac, queso, salsa.

30

: 00:01:25

Oh, it's

31

: 00:01:28

Mike Gruen: Mary salsa, FK, so kill,

uh, kill the guac, kill the guac.

32

: 00:01:37

Okay.

33

: 00:01:38

We're going to make a little

sound bite of that for you.

34

: 00:01:41

Not at

35

: 00:01:42

Tim Winkler: all.

36

: 00:01:42

The most awkward beginning,

just awkward, awkward start.

37

: 00:01:47

Um, all right, we'll

transition from, from there.

38

: 00:01:49

Uh, I'm excited for today's episode.

39

: 00:01:51

So today we are kind of diving

into the world of government

40

: 00:01:54

compliance and cloud technology.

41

: 00:01:57

A special focus on FedRAMP.

42

: 00:02:00

So FedRAMP is short for the Federal Risk

and Authorization Management Program.

43

: 00:02:05

And joining us are two experts who

are pretty deeply entrenched in the

44

: 00:02:09

FedRAMP ecosystem from, uh, a couple

of different unique vantage points.

45

: 00:02:13

So first we have Sarah Maser, the

federal CTO at LaunchDarkly, a software

46

: 00:02:19

company specializing in feature

management for development teams.

47

: 00:02:23

Uh, also note that Sarah is a co

founder of the Federal Cloud Advisory

48

: 00:02:28

Board, uh, which is a non profit

dedicated to making the FedRAMP

49

: 00:02:31

authorization process easier for all.

50

: 00:02:34

Uh, and accompanying her is Nick, uh,

Runog, a managing director at Shellman.

51

: 00:02:40

A company providing compliance

and attestation services globally.

52

: 00:02:44

Nick's also an expert FedRAMP assessor.

53

: 00:02:46

Uh, and so together we're going to

explore what FedRAMP really means

54

: 00:02:50

for companies, kind of that intricate

journey of getting certified and why

55

: 00:02:55

this is crucial for any software provider

that's working with the U S government.

56

: 00:02:59

So Sarah, Nick, thank you both for

joining us today on the pair program.

57

: 00:03:05

Sara Mazer: Yeah.

58

: 00:03:06

Thank you for having us.

59

: 00:03:06

Of

60

: 00:03:07

Tim Winkler: course.

61

: 00:03:07

All right.

62

: 00:03:08

Now, before we dive in, we're going to

kick off with our pair me up segment.

63

: 00:03:11

Uh, here's where we all kind of

go around the room and spitball a

64

: 00:03:13

complimentary pairing of our choice.

65

: 00:03:15

Mike, you lead us off what,

what's your pairing for today?

66

: 00:03:18

So.

67

: 00:03:19

Mike Gruen: Again, try

and go back to some food.

68

: 00:03:21

Uh, I'm going with, um, tuna salad with

a hard boiled egg, uh, mixed into it.

69

: 00:03:29

And it's, uh, my grandmother used

to make it for me when I was a kid.

70

: 00:03:32

It's just like, it's just a favorite.

71

: 00:03:34

Um, toasted rye if you have to, or pita.

72

: 00:03:39

But, uh, but yeah, the, um, egg

salad and a hard boiled egg.

73

: 00:03:44

That's my pairing.

74

: 00:03:46

Oh, what do you say?

75

: 00:03:46

Tuna salad.

76

: 00:03:47

Oh, sorry.

77

: 00:03:47

Tuna salad.

78

: 00:03:48

Yes.

79

: 00:03:48

Tuna salad.

80

: 00:03:49

Yeah.

81

: 00:03:49

Yeah.

82

: 00:03:50

I had chicken salad for lunch.

83

: 00:03:51

That's what made me think of it.

84

: 00:03:54

Tim Winkler: Uh, I'm

right there with you, man.

85

: 00:03:56

Tuna.

86

: 00:03:56

Tuna salad's one of my go tos, but if you

don't have that hard boiled egg in there,

87

: 00:04:00

I feel like it's not a complete salad.

88

: 00:04:02

There you go.

89

: 00:04:03

Yeah.

90

: 00:04:04

Yeah, big, big, uh, hard boiled egg fan.

91

: 00:04:06

Awesome.

92

: 00:04:06

Cool.

93

: 00:04:07

Um, all right, I'm going

to deviate from food.

94

: 00:04:10

Uh, and this is just going to be

probably a pairing for myself.

95

: 00:04:14

Not, not many people will understand,

but I'm going to go with solo

96

: 00:04:17

parenting and documentaries.

97

: 00:04:19

Um, so last night my wife went out to

dinner with some of her, her girlfriends.

98

: 00:04:25

So I, I played the single dad.

99

: 00:04:28

Uh, you know, watching my daughter,

uh, Alice and we always have a great

100

: 00:04:33

time when I'm, when I'm, we're just

kind of one on one with each other.

101

: 00:04:36

So we did, we did dinner

and read some books.

102

: 00:04:38

And then when I put her down for, for

bed and it's just me, I always find

103

: 00:04:42

like, that's like the perfect time for

me to get locked into a documentary.

104

: 00:04:47

Documentaries, I feel like

you just, you got to be really

105

: 00:04:49

tuned in with no distractions.

106

: 00:04:52

Uh, so this is kind of like

my time to do just that.

107

: 00:04:54

So that's, that's my parent.

108

: 00:04:57

I got locked into a pretty wild one

on political conspiracies last night.

109

: 00:05:02

Um, I won't go too, too into detail

on it, but, uh, I'll shout it out.

110

: 00:05:07

It was called everything

is a rich man's trick.

111

: 00:05:09

Uh, and you can.

112

: 00:05:10

It was only finding on YouTube,

um, but, uh, went down this whole

113

: 00:05:15

Reddit rabbit hole to find, uh,

some interesting documentaries.

114

: 00:05:18

So Reddit's another one.

115

: 00:05:20

Reddit's another one.

116

: 00:05:20

You could probably pair Reddit with

some good conspiracy theories, but, uh,

117

: 00:05:25

that's my, that's my pairing for today.

118

: 00:05:27

Uh, let's kick it over to our

guest, uh, Sarah, about yourself,

119

: 00:05:32

quick intro and your pairing.

120

: 00:05:35

Sara Mazer: Yeah.

121

: 00:05:36

So, uh, you intro'd me just very well.

122

: 00:05:39

So I am the federal CTO of LaunchDarkly

and been with the company over four years.

123

: 00:05:44

I've taken the company through FedRAMP

authorization from the very beginning,

124

: 00:05:48

all the way through the end and continuous

monitoring and that sort of thing, uh,

125

: 00:05:52

looking at maybe doing it all over again.

126

: 00:05:55

So a lot of this is

really fresh in my mind.

127

: 00:05:57

Um, and then I would like

to say my pairing is.

128

: 00:06:02

A dog and another dog.

129

: 00:06:05

So I am an animal lover.

130

: 00:06:08

I rescued dogs.

131

: 00:06:10

I think that they're like potato chips.

132

: 00:06:12

You can't have one.

133

: 00:06:14

If you have one, it's not that

big of a deal to get another one.

134

: 00:06:17

So consider adoption

and their pack animals.

135

: 00:06:21

They love to just hang out in packs

and makes you feel less guilty

136

: 00:06:25

if you leave them at home alone.

137

: 00:06:27

So I think, uh, I'd like to just

shout out having multiple dogs.

138

: 00:06:31

Mike Gruen: We, uh, I grew up with

dogs, our dogs were outside dogs, uh,

139

: 00:06:36

and having, we always had at least

two, usually three, sometimes four,

140

: 00:06:41

uh, cause they're a pack animal and,

uh, they want to hang out together.

141

: 00:06:44

Awesome pairing.

142

: 00:06:47

Tim Winkler: I like the analogy of

the like potato chips can't have

143

: 00:06:50

just one that's that was creative.

144

: 00:06:52

We, we had two dogs, um,

for, for a few years.

145

: 00:06:56

We lost one, this guy, Griffin, uh,

behind me here, we had a little, little

146

: 00:07:00

painting, but we, we got, um, a puppy

when Griffin was about seven years old.

147

: 00:07:07

And I, I always found it really

helpful to have a, you know, a puppy

148

: 00:07:12

with a more mature dogs, it kind

of, they follow suit helps with

149

: 00:07:15

like training and stuff like that.

150

: 00:07:17

So, um, Well said, I think great

pairing, uh, all right, let's pack

151

: 00:07:22

it, pass it over to, uh, Nick, but

quick intro and, uh, your pairing.

152

: 00:07:26

Nick Rundaug: Yeah, thanks Tim.

153

: 00:07:27

Um, and like Sarah, uh, good, good

intro already, but, uh, Necronomic

154

: 00:07:31

Managing Director at Shulman.

155

: 00:07:32

Now our federal service line leader,

um, amongst others here, uh, for

156

: 00:07:37

pairings, um, as you can tell behind

me, I do enjoy some retro video games,

157

: 00:07:43

uh, video games with my daughter.

158

: 00:07:45

Um, she's 13 and of that, uh,

age and generation where they

159

: 00:07:51

like phones, they like games.

160

: 00:07:52

So it's a perfect way to connect.

161

: 00:07:54

Um, recently, uh, within the past

year or so she was playing Fortnite.

162

: 00:08:00

And I've never won a game.

163

: 00:08:02

Um, I pride myself on a lot of, uh, the

battle royales that I've won a game.

164

: 00:08:07

Number one, and she got

me my first win on there.

165

: 00:08:10

I think I killed, got one kill.

166

: 00:08:12

She had like eight, but I'll take it.

167

: 00:08:14

A win's a win's a win.

168

: 00:08:16

Uh, so yeah, video games and my daughter.

169

: 00:08:18

It's a good pairing.

170

: 00:08:19

Mike Gruen: Awesome.

171

: 00:08:19

That's a good pairing.

172

: 00:08:21

Tim Winkler: That's solid.

173

: 00:08:21

Does she play some of your

old school retro games?

174

: 00:08:25

And it's like, what, what am

I, what are we doing here?

175

: 00:08:28

Nick Rundaug: Absolutely.

176

: 00:08:28

Yeah.

177

: 00:08:28

She appreciates all of them.

178

: 00:08:30

Uh, and, and they've been good about

porting a lot of those to Switch.

179

: 00:08:33

So we do, we probably

play Switch more than.

180

: 00:08:35

More than PC games, but, um, yeah,

she, she does appreciate some of the

181

: 00:08:39

old ones at Mario's classic and time.

182

: 00:08:41

Yeah.

183

: 00:08:42

Tim Winkler: Yeah.

184

: 00:08:42

Nice.

185

: 00:08:43

Yeah.

186

: 00:08:43

Love the switch.

187

: 00:08:45

All right.

188

: 00:08:46

Uh, that's a, that's a wrap

on the pair me up segment.

189

: 00:08:50

So, um, let's go ahead and,

uh, transition into the, the

190

: 00:08:54

heart of our discussion here.

191

: 00:08:56

So, as I mentioned, we're going to be

talking about fed ramp, uh, and covering,

192

: 00:09:00

you know, like the definition of, of

fed ramp, the certification process.

193

: 00:09:04

Um, some of the associated cost

challenges and advice for companies

194

: 00:09:10

that are considering the process.

195

: 00:09:12

Uh, so in true pair program form,

we're going to be able to approach

196

: 00:09:16

this from both sides of the coin.

197

: 00:09:17

Sarah, taking the perspective

of a company getting certified.

198

: 00:09:21

Uh, Nick, with the perspective of,

uh, a three PAO or a third party

199

: 00:09:25

assessment organization, uh, working

with a company getting certified.

200

: 00:09:30

So let's, let's dive into it.

201

: 00:09:31

Sarah, how about you maybe kick us off

with an explanation more on what FedRAMP

202

: 00:09:36

is and its significance to companies?

203

: 00:09:40

Sara Mazer: Sure.

204

: 00:09:40

So FedRAMP is an authorization

program that is managed out of the

205

: 00:09:46

GSA's program management office.

206

: 00:09:49

So GSA for short.

207

: 00:09:52

And it is a way that companies such

as LaunchDarkly or other providers

208

: 00:09:58

that have something to do with the

cloud are able to get authorization

209

: 00:10:03

to work with government agencies.

210

: 00:10:05

Theoretically, it makes it

easier for government agencies

211

: 00:10:08

to purchase your software.

212

: 00:10:10

It means that your software has

been vetted as More secure than

213

: 00:10:16

it otherwise would have been.

214

: 00:10:18

So it means that you're compliant

with certain government regulations.

215

: 00:10:22

And the goal on the government

side is really to share that work.

216

: 00:10:25

So instead of every single agency

going through and vetting, A CSP or

217

: 00:10:30

cloud service provider, which we are,

um, and making sure that it's secure

218

: 00:10:35

and it means certain regulations.

219

: 00:10:37

Now you have one organization that

standardizes that practice and all

220

: 00:10:42

the government agencies can kind

of take advantage of the work of

221

: 00:10:47

maybe your sponsor or the job in the

past, there was a job and, and then.

222

: 00:10:52

That work can be shared amongst all

agencies and it makes it easier and cause

223

: 00:10:57

it saves costs for the agencies as well.

224

: 00:11:01

Tim Winkler: Awesome.

225

: 00:11:01

Can, um, so before we pass it over

to Nick, can you tell us a little bit

226

: 00:11:05

more about your launch dark, please?

227

: 00:11:08

Like evaluation and

initiation into FedRAMP.

228

: 00:11:14

Sara Mazer: Yeah.

229

: 00:11:14

So it took us some time to

actually go through that process.

230

: 00:11:19

There's a lot that happens

upfront, even before we start

231

: 00:11:23

working with somebody like a 3PAO.

232

: 00:11:26

And that is, do we even

want to make that effort?

233

: 00:11:31

And so there's analysis of looking

at your pipeline, looking at your

234

: 00:11:34

product, trying to figure out how much

change would need to happen and putting

235

: 00:11:40

together a proposal for the board.

236

: 00:11:42

And so there's a lot of work that

goes into it before you even start

237

: 00:11:47

talking to 3PALS or the GSA on whether

or not you're going to go through it.

238

: 00:11:52

And then once you start talking.

239

: 00:11:55

To the PMO, they expect you to pretty

much do everything in about a year.

240

: 00:12:01

So start to finish for LaunchDarkly,

it was about three years.

241

: 00:12:05

Uh, but starting from the point of

working with the GSA on forward,

242

: 00:12:10

that was just over a year.

243

: 00:12:13

Tim Winkler: And maybe for some

helpful context, what's the size of

244

: 00:12:17

LaunchDarkly or what was the size

of it to like when you all first

245

: 00:12:20

started going down the process?

246

: 00:12:23

Sara Mazer: So we were

about 500 employees.

247

: 00:12:26

And we are fully SAS.

248

: 00:12:28

We run in the cloud and

require cloud components.

249

: 00:12:32

We did have a on prem version, which

means that we're actually running at

250

: 00:12:37

another government agency's cloud.

251

: 00:12:40

So we started.

252

: 00:12:42

We started with a little bit

of an advantage and that we, we

253

: 00:12:46

knew what kind of regulations

we had to comply with already.

254

: 00:12:51

So we had an idea of the level of work

for creating a federal instance that

255

: 00:12:56

some companies may not be able to take

advantage of, but, uh, yeah, so we already

256

: 00:13:02

had a couple of different versions of

lunch darkly running in different places.

257

: 00:13:06

And the decision was, do we want to

migrate over to a federal instance?

258

: 00:13:11

Where we can then bring on other

government agencies at that time.

259

: 00:13:16

Tim Winkler: And your background

specifically, maybe it's, it's helpful

260

: 00:13:19

to paint the picture of where you kind

of came from and where you specifically

261

: 00:13:23

brought on, uh, to the team at

LaunchDarkly with this initiative in

262

: 00:13:28

mind, or was there other areas that

you were satisfying and then this kind

263

: 00:13:32

of came onto the, onto your plate?

264

: 00:13:36

Sara Mazer: So we were a small team

at the time and I came in as the

265

: 00:13:40

first, uh, Technical, uh, expert for

the federal team at lunch darkly.

266

: 00:13:46

And at the time we were

not considering FedRAMP.

267

: 00:13:49

So I had worked with the

accounting executive to start

268

: 00:13:53

building a case for FedRAMP.

269

: 00:13:55

So it wasn't a done deal.

270

: 00:13:56

We had to go and convince the board.

271

: 00:13:58

We had to look at the pipeline.

272

: 00:13:59

We had to look at all the companies

that have approached us in the past

273

: 00:14:03

and look at the deals lost because

we weren't FedRAMP authorized.

274

: 00:14:07

And so I started with that AE

from day one to build a case

275

: 00:14:13

and it, it did take some time.

276

: 00:14:17

Tim Winkler: And then when you were going

through selecting these different vendors,

277

: 00:14:21

you know, what is it, what was it that

you were kind of looking into, or maybe

278

: 00:14:27

some of these challenges that you ran into

when you were kind of deciding or vetting

279

: 00:14:33

through some of these three PAO firms?

280

: 00:14:38

Sara Mazer: Yeah, I, I have a

whole bunch to say on lessons

281

: 00:14:42

learned and best practices that

I'm sure we're gonna get into.

282

: 00:14:45

I think at the time though, our

company was so new to FedRAMP

283

: 00:14:50

in general, I was new to it.

284

: 00:14:51

It was a learning

experience for everybody.

285

: 00:14:54

So I think, you know, we, we knew the

process, we knew about the timeline.

286

: 00:14:59

We knew a little bit about the product.

287

: 00:15:01

We didn't know much about the three PAOs.

288

: 00:15:04

Um, and so vetting them was at the time

just talking to them and getting prices

289

: 00:15:11

and figuring out how long it will take

and their expertise on, you know, taking

290

: 00:15:16

companies through that and um, and now

looking back and trying to decide if we're

291

: 00:15:23

going to go through this all over again.

292

: 00:15:25

There's, there's so many

lessons learned there.

293

: 00:15:27

Um, I think we did a decent job, but

there's always room for improvement

294

: 00:15:31

and that's what I wanted to do when

a few of us got together in industry

295

: 00:15:37

to start the federal plant advisory

board, because there's really wasn't

296

: 00:15:41

anybody to go call up and say,

Hey, you went through this before.

297

: 00:15:45

Who should we hire?

298

: 00:15:46

Why?

299

: 00:15:47

You know, tell me some horror

stories or give me invite.

300

: 00:15:50

There wasn't any of that for

like the smaller and size CSPs.

301

: 00:15:55

So a bunch of us through LinkedIn

met and got together, and there

302

: 00:15:59

were four co founders at the time

to kind of help each other out.

303

: 00:16:04

We were all in different stages of going

through federal authorization, but it

304

: 00:16:08

was such a painful procedure that we all

just want to help each other out now.

305

: 00:16:13

And so we have that nonprofit that

we started to kind of hold other

306

: 00:16:18

people's hands and give them advice.

307

: 00:16:19

And And, um, we're very blunt internally

about, you know, who's, who's a

308

: 00:16:24

good three PAO and who's not, and

here's why, and, and talking about

309

: 00:16:28

all the issues and change that are

going on at the GSA office right now.

310

: 00:16:34

Tim Winkler: That's great.

311

: 00:16:34

It's what, this seems like a very

helpful, uh, organization to.

312

: 00:16:39

To, to identify with when you're going

through the process and we'll be sure

313

: 00:16:43

to, uh, shout out all the, the terrible

three PAs on this podcast as well,

314

: 00:16:48

uh, but no, it's, it's, it's sound.

315

: 00:16:51

Let's talk about a good one.

316

: 00:16:52

So you had a good experience here

with, with Shaman and Nick, let's

317

: 00:16:56

pass it over to you at this point.

318

: 00:16:57

Um, maybe start with, you

know, a little bit more of.

319

: 00:17:00

Overview on like, you know, Shelman, how

you all operate as as an organization,

320

: 00:17:04

and then, um, uh, maybe a little bit

more detail into, you know, coming to

321

: 00:17:09

three PAO and, and then how you all kind

of got intertwined with LaunchDarkly.

322

: 00:17:15

Nick Rundaug: Yeah, no, absolutely.

323

: 00:17:16

Um, one of the terms that, that you

hear a lot is three three PAO three pal,

324

: 00:17:20

uh, third party assessment organization

and, you know, a critical piece of

325

: 00:17:24

the FedRAMP process because the third

party portion of that, um, prior.

326

: 00:17:29

It'd be FISMA reports, and we just go

right to the federal agency using it.

327

: 00:17:34

Um, that's, that's good.

328

: 00:17:35

It works on a small scale.

329

: 00:17:37

So, FedRAMP is leverageable, so

it's scalable, meaning you get that

330

: 00:17:41

one report, and it can go to as

many authorizations as, um, federal

331

: 00:17:45

agencies want to use their product.

332

: 00:17:46

So, LaunchDarkly, They can have multiple

authorizations now, one report, so it

333

: 00:17:51

saved time and money on everyone's side.

334

: 00:17:54

Um, the third party part comes

into play because now someone

335

: 00:17:57

else who's independent comes in.

336

: 00:17:58

It's not a self assessment, um, by

the cloud service provider, so by and

337

: 00:18:02

large, it's not the federal agency

that might not have the expertise.

338

: 00:18:06

So third party, that's us, um, uh, for

FedRAMP, three PAOs are accredited.

339

: 00:18:13

So there's a short list and shockingly

over the years, it's only gotten shorter.

340

: 00:18:18

So, um, that list, if you really go on

there and it's all, it's all public, go

341

: 00:18:22

on the marketplace and take a look, that

list has gotten shorter over the years.

342

: 00:18:26

Um, because there's an

accreditation process to it.

343

: 00:18:28

So A2LA is an organization

that comes through and kind of

344

: 00:18:31

audits the auditor, so to speak.

345

: 00:18:33

So on a yearly basis, they check

us, check our work and all that.

346

: 00:18:36

Um, that's how one becomes a 3PAO.

347

: 00:18:39

So Shellman, um, starting as a, an

accounting firm, uh, doing non finance,

348

: 00:18:44

we focus on security assessments.

349

: 00:18:47

Uh, saw this as a, as a, you know, a

market that is developing and we got

350

: 00:18:51

our, um, accreditation and have been

one of the first, uh, to, to do that.

351

: 00:18:55

So we've grown over the years.

352

: 00:18:57

Um, We, you have a choice and

you can be, um, have consulting

353

: 00:19:02

advising services as well, or you

could be pure play assessment.

354

: 00:19:06

We are pretty much the only one on that

list that's pure play assessment only.

355

: 00:19:10

We don't offer consulting advising.

356

: 00:19:12

Um, that's helped us expand quite a bit in

that, um, FedRAMP prohibits you from ever.

357

: 00:19:18

Doing work and assessing your own work.

358

: 00:19:21

Um, so that's one of those things that

when folks are looking, looking at

359

: 00:19:26

those that they have to kind of make

that decision to want one or the other.

360

: 00:19:28

Um, it's made us have that expertise

specifically on assessing and so

361

: 00:19:33

our assessors get very good at

particularly FedRAMP assessing.

362

: 00:19:36

So that's why you've seen the,

uh, the growth in those numbers

363

: 00:19:39

or anyone that has seen that.

364

: 00:19:41

Um, That comes through on

the on the marketplace.

365

: 00:19:43

So that's how we kind

of got in that business.

366

: 00:19:46

And, um, we've expanded that quite a bit.

367

: 00:19:48

And now we're the one in the marketplace,

probably for one of those reasons, there

368

: 00:19:52

is a pen test portion of that as well.

369

: 00:19:55

So we also not only do we have

assessors part of our assessment team.

370

: 00:19:58

Are penetration testers as well

as FedRAMP does require that.

371

: 00:20:02

So it's kind of an all encompassing thing.

372

: 00:20:04

Um, that's what every three

PAO that you're hearing does.

373

: 00:20:07

Um, and that that's what we do.

374

: 00:20:09

We got introduced, um, launch darkly.

375

: 00:20:12

I believe I remember correctly was

kind of looking around at assessors.

376

: 00:20:15

We did not do their initial assessment,

but they were looking at, um, changing.

377

: 00:20:19

So we spoke with them, um, kind of

talked through how we would do things.

378

: 00:20:24

Um, any, any, uh, Thing that they want

to see differently how we would address

379

: 00:20:28

that and see if there's a right fit.

380

: 00:20:30

It was, and we've continued

to do their annual assessment.

381

: 00:20:33

From then on out and with fed ramp.

382

: 00:20:37

That's kind of the other piece

that was put into place when

383

: 00:20:40

the program is developed is.

384

: 00:20:41

It wasn't a 1 time report.

385

: 00:20:43

There's a continuous monitoring aspect.

386

: 00:20:45

Part of that umbrella

continuous monitoring.

387

: 00:20:48

Is an annual report that has to be done

by a 3rd party assessment organization.

388

: 00:20:52

So we come in and check

them on an annual basis.

389

: 00:20:54

Thanks.

390

: 00:20:55

Um, and look at all sorts of stuff,

but we basically look at a subset

391

: 00:20:58

of controls every single year.

392

: 00:21:00

Mike Gruen: I think 1 of the things

that you touched on it, but I think it's

393

: 00:21:03

important to point out is the fact that

there's that separation between doing

394

: 00:21:06

the work and assessing the work, having

gone through any number of assessments

395

: 00:21:09

for various things over the years.

396

: 00:21:12

There was always there were there's

plenty of certifications you can get where

397

: 00:21:17

the company that's doing the assessment

is also the one that's helping you and

398

: 00:21:20

miraculously they have a 100 percent

success rate if you just pay them.

399

: 00:21:24

Um, so, um, so I like that about FedRAMP.

400

: 00:21:28

I, um, Like from my perspective,

I at one of the companies I

401

: 00:21:31

started the process, I left that

company before we sort of did it.

402

: 00:21:35

But we went, we started going

through the whole FedRAMP, um, like

403

: 00:21:38

looking at it and assessing it.

404

: 00:21:40

And we didn't get to the point where I

got to pick an assessor, but, um, did get

405

: 00:21:44

through like, so there is a lot of tools.

406

: 00:21:46

I think, um, Sarah, back to your point

of like, there's a lot of tools you can

407

: 00:21:49

use To do pre assessment and early stuff

to sort of get an idea of how much work

408

: 00:21:54

this is going to be, because that's when

you're talking about, you know, like going

409

: 00:21:58

to the board and getting approval, not

only do you need to know what the pipeline

410

: 00:22:01

is, but you also have to have some

concept of what the cost is going to be.

411

: 00:22:04

Um, so, um, so I've gone through a little

bit of it, but not the whole thing,

412

: 00:22:09

but, uh, I did, I was, I'll wrap it up.

413

: 00:22:12

I was, uh, happy to see that the, the,

they keep it separated, that you can't

414

: 00:22:16

do the work and assess your own work.

415

: 00:22:18

Oh, that's cool.

416

: 00:22:21

Tim Winkler: Let's, let's dive

deeper into the cost of it.

417

: 00:22:23

Um, I'd love to, you know, try to get as

transparent as possible for some of those.

418

: 00:22:28

Folks out there that

might be considering this.

419

: 00:22:30

So, um, yeah, Nick, what, what are some

of the typical assessment calls for

420

: 00:22:35

companies wanting to become certified?

421

: 00:22:37

Nick Rundaug: Yeah.

422

: 00:22:37

And we can kind of break it down

really into there's everything

423

: 00:22:40

before the assessment, um, Sarah's

probably gonna come in on that.

424

: 00:22:44

Uh, so there's architecting, right.

425

: 00:22:46

Standing it up.

426

: 00:22:47

Um, and all of that is, uh, possibly

consulting, advising work that goes

427

: 00:22:51

into that, getting someone's expert

expertise as to, Hey, what is fits

428

: 00:22:55

140 dash two or dash three mean?

429

: 00:22:56

And what are the current

modules that do that?

430

: 00:22:58

That's all that pre work, right?

431

: 00:23:00

Then there's the assessment

piece, that's us.

432

: 00:23:02

There is an ongoing piece after that

that's worth mentioning, we have a

433

: 00:23:06

part of that, but, um, it's, it's

always good to, to recognize that a

434

: 00:23:11

CSP is going to have regular costs

probably as part of that, right?

435

: 00:23:15

Like, there's, there's increased scanning

requirements, there's certain logging and

436

: 00:23:19

instance response, and all that does come

with a cost, um, that Sarah will probably

437

: 00:23:24

be able to answer better than I can.

438

: 00:23:25

As for actual assessment costs,

um, it's it's fairly transparent.

439

: 00:23:30

It's a level of effort thing.

440

: 00:23:32

Um, it is The, uh, as an assessment

firm, it is the most expensive, most

441

: 00:23:39

expansive, uh, most, uh, technically,

um, you know, uh, complicated assessment.

442

: 00:23:46

We do most of the time.

443

: 00:23:47

That means we, um, have a pre period

where, um, there's some deliverables

444

: 00:23:51

federal requires like a SAP security

assessment plan, and then the actual

445

: 00:23:55

SAR package security assessment report.

446

: 00:23:57

All of that kind of gets bundled in as

well as with a pen test, penetration test.

447

: 00:24:02

Uh, up to six vectors that includes

everything inside that bubble of a

448

: 00:24:06

boundary and, and, uh, any mobile apps

and other type of things they want to

449

: 00:24:09

authorize all that means we know the

number of weeks and a lot of times

450

: 00:24:14

just comes out to number of weeks as

well as that kind of review afterwards,

451

: 00:24:18

a standard, um, as of 2024, a, uh,

moderate initial assessment, 260,

452

: 00:24:24

000 is about what it costs a quarter

mail ballpark right on in there.

453

: 00:24:29

That's just that assessment

piece on an annual basis.

454

: 00:24:32

Think around 200.

455

: 00:24:33

Um, other costs that can come into

play from an assessor is if you have

456

: 00:24:38

changes that are ad hoc throughout

the year, those have to be tested.

457

: 00:24:42

So, once again, level of effort on

number of weeks and if a pen test,

458

: 00:24:46

but those are some ballpark pricing

just on the assessment piece.

459

: 00:24:49

But then you take that and add it to, uh,

throw it over to Sarah on probably what

460

: 00:24:53

a lot of that cost is rolling up to that.

461

: 00:24:55

Um, and it goes up quite a bit.

462

: 00:24:59

Tim Winkler: Yeah, Sarah, what

kind of additional cost, uh, kind

463

: 00:25:01

of came into play on, on your end?

464

: 00:25:06

Sara Mazer: It's interesting because I was

just looking at the numbers because we're

465

: 00:25:10

trying to figure out where we go next.

466

: 00:25:12

And we look back at the ROI of

the better at moderate instance.

467

: 00:25:17

And I looked at how we were doing

accounting for that federal instance.

468

: 00:25:22

And, um, it was, it was pretty interesting

cause that's not necessarily my world.

469

: 00:25:29

Um, I would say, you know, it

really depends on your product

470

: 00:25:34

and the company and Where you're

at in the process, how much it's

471

: 00:25:39

going to be, um, for lunch darkly.

472

: 00:25:42

I, I think it's safe to say that, you

know, it's over seven figures to do

473

: 00:25:47

the whole thing that includes a lot of,

you know, infrastructure costs because

474

: 00:25:51

you're standing up a completely new

instance and some other region of Amazon.

475

: 00:25:57

And.

476

: 00:25:57

It also includes product changes, so

there's going to be engineering effort to

477

: 00:26:03

swap out components of your architecture

with things that are FedRAMPable.

478

: 00:26:09

So there are, and so that's going

to differ from company to company.

479

: 00:26:13

Not everything is bedrampable, so

you have to then figure out, like

480

: 00:26:17

CDNs are a good example, right?

481

: 00:26:19

There's, you know, our commercial instance

uses Fastly and they're not bedramped.

482

: 00:26:24

So then what do we do, right?

483

: 00:26:26

And so there's all these

decisions that you have to make.

484

: 00:26:28

And so there's the engineering hours just

to change the architecture, which then

485

: 00:26:33

are people hours, plus you're buying new

software, new components, potentially.

486

: 00:26:39

Right.

487

: 00:26:39

And then there's compliance costs.

488

: 00:26:42

So there's all the way down to the

operating system level where we

489

: 00:26:47

switch to like canonicals, BIPs.

490

: 00:26:50

Um, bunch of pro, which is, you know,

fed rampable because it has got the

491

: 00:26:54

encryption in a, um, all the way up

to like higher level, um, types of

492

: 00:26:59

services that we take advantage of.

493

: 00:27:01

So, you know, that, that whole across

the board from really low level to higher

494

: 00:27:06

level components that may need to be

replaced and then on the flip side, it's

495

: 00:27:11

not really cost, but you could lose.

496

: 00:27:14

Capabilities in your product, and does

that hurt your market share because

497

: 00:27:18

you don't have all the capabilities

your commercial version does because

498

: 00:27:22

things just can't be compliant

with FedRAMP as things stand today.

499

: 00:27:27

And so there's kind of that

loss that doesn't show up on,

500

: 00:27:31

you know, the P& L sheets.

501

: 00:27:33

For it, but it certainly plays a factor

in the decision of whether somebody

502

: 00:27:36

would want to go through FedRAMP or not.

503

: 00:27:39

So, and then just the general, as Nick

mentioned, you know, the Kanban meetings,

504

: 00:27:44

all the paperwork that you have to go

through all the time, a significant change

505

: 00:27:48

or class that all takes time and eats

up engineering and security team hours.

506

: 00:27:52

So it does end up being pretty

significant for all of the CSPs.

507

: 00:27:57

Mike Gruen: I'm curious, did you, um,

have like a separate team that was sort

508

: 00:28:01

of responsible for this or was it just

part of broad engineering responsibility

509

: 00:28:06

to maintain essentially both versions?

510

: 00:28:09

I'm just sort of curious.

511

: 00:28:09

And did you experiment with both?

512

: 00:28:11

What was sort of your experience?

513

: 00:28:15

Sara Mazer: We kind of had a

tiger team that did the migration.

514

: 00:28:18

So we did take it, our instance that was

posted at a federal agency and move it.

515

: 00:28:24

And so the tiger team were the

experts in the migration effort.

516

: 00:28:27

But right now, all of engineering is

expected to be able to understand the

517

: 00:28:31

federal instance and go in and, uh, and

deal with incidents and all of that.

518

: 00:28:36

There's another component, which we

made the decision at the time not

519

: 00:28:40

to do, but it's whether you should

run in a GovCloud region or not.

520

: 00:28:45

That's independent of FedRAMP and

you have to look at your pipeline

521

: 00:28:49

and your potential customers

to be able to make that call.

522

: 00:28:52

Um, but that is another change where

then maybe you do have to start isolating

523

: 00:28:57

out who's going to work on the federal

instance because they have to be U.

524

: 00:29:00

S.

525

: 00:29:00

citizens and so all the way from support

personnel to, uh, security to developers.

526

: 00:29:08

And so That's another organizational

change that you might have to

527

: 00:29:11

think about if you're going to go

through and install in GovCloud.

528

: 00:29:18

Tim Winkler: Yeah.

529

: 00:29:18

I mean, I think you were saying in the,

in those early stages, when you're kind

530

: 00:29:21

of got getting the key stakeholders

and onboard with this, you know,

531

: 00:29:25

you're probably really looking at that

opportunity pipeline, you know, some

532

: 00:29:30

of those opportunities that you lost

out on, uh, yeah, one or two of those.

533

: 00:29:34

It's an easy justify the cost of.

534

: 00:29:37

You know, this type of implementation

and the value add there.

535

: 00:29:41

So, um, yeah, it's, it's, you know,

it's not a drop in the bucket and, and

536

: 00:29:46

I, this is kind of leads me to another

question too, is, you know, um, you know,

537

: 00:29:52

there's this list of assessors, these,

these three pals that you all reference.

538

: 00:29:58

Um, is it pretty standard

pricing across the board or is

539

: 00:30:02

there, you know, uh, I guess you

mentioned level of effort, right?

540

: 00:30:06

So if it's a smaller organization,

do you find that the cost is

541

: 00:30:10

going to fluctuate, um, you know,

based on the size of that org?

542

: 00:30:17

Nick Rundaug: I can

answer, I can answer first.

543

: 00:30:18

Um, a lot of times we don't entirely

know, um, you know, what, what, uh,

544

: 00:30:23

our competitors are charging, but, but

we do hear quite a bit, you know, um,

545

: 00:30:27

We'll be higher than than quite a few.

546

: 00:30:29

But once again, um, a decision we

made on on talent retention, focusing

547

: 00:30:34

on that and hoping that that that

comes through, um, it's also several

548

: 00:30:38

different models that folks have.

549

: 00:30:39

I know we we approach things and try

and provide value that way going.

550

: 00:30:43

It's not going over that.

551

: 00:30:46

And others will kind of take a different

approach and go, well, we'll charge you

552

: 00:30:48

for support meetings and things like that.

553

: 00:30:50

Whereas, um, we'd rather, um, folks kind

of know that going in, but prices, I,

554

: 00:30:56

I would be, um, surprised, especially

because when I said that shrunk, a lot

555

: 00:31:00

of them could not find a model at work.

556

: 00:31:03

So, you know, we've been doing this a

years, um, really came out: 2011

557

: 00:31:08

I think.

558

: 00:31:08

You know, we're doing it close

to the beginning of that.

559

: 00:31:09

So, um, that list that was

well over 100 or maybe approach

560

: 00:31:14

100, but it's quite a bit.

561

: 00:31:15

Um, it's down to really, in my opinion,

about 30 active, of which, um, only

562

: 00:31:19

about 10 of those have double digits.

563

: 00:31:21

So, um, some of those

pricing models that were.

564

: 00:31:24

Very low.

565

: 00:31:25

Uh, I think to try and get the

foot in the door have gone away.

566

: 00:31:27

So, um, they're probably all within

about the same, um, certain percentage,

567

: 00:31:32

maybe 20%, I know that's a pretty

big percentage, but, um, yeah.

568

: 00:31:36

And then I'm not sure Sarah

has any insight there as well.

569

: 00:31:39

Sara Mazer: I do.

570

: 00:31:40

Since I talked to quite a few of them

and we got quotes from a bunch, maybe

571

: 00:31:45

this is a good time where I could go

over, um, my list of tips for vetting.

572

: 00:31:52

Tim Winkler: Yeah.

573

: 00:31:53

Sara Mazer: But for, uh, so.

574

: 00:31:55

I'll start out with saying that

price should be really on the

575

: 00:31:58

bottom of your list, right?

576

: 00:32:01

So they're all somewhat in

the same ballpark and it

577

: 00:32:06

really matters who you choose.

578

: 00:32:08

The first thing that you should do

is ask other people, their experience

579

: 00:32:14

of working with companies and there

are now organizations such as my

580

: 00:32:18

nonprofit, but there are others.

581

: 00:32:20

But it's really, really important to

get feedback on which are good and which

582

: 00:32:25

aren't, because there are some that are

pretty well known to be not so good.

583

: 00:32:29

And some that are.

584

: 00:32:30

You know, there's, there's about

four of them in my mind that I've

585

: 00:32:33

heard nothing but positive things.

586

: 00:32:35

And you know, another tricky

thing is people move around too.

587

: 00:32:38

So it doesn't matter.

588

: 00:32:40

It's like, who is the

person doing the work?

589

: 00:32:42

It's not just the sales guy

that's giving you the quote.

590

: 00:32:45

Um, you really need to make sure

that they have a good team of people

591

: 00:32:48

that know what they're doing and

retention is really important.

592

: 00:32:51

Some of them have a lot more turnover,

and so you don't know that unless you

593

: 00:32:55

talk to others in the industry that

have potentially gone through this, but

594

: 00:32:59

that's the first thing is really just

do background checks on them and reach

595

: 00:33:04

out to people that have gone through it.

596

: 00:33:06

I think almost everybody that has gone

through the process, if you even find them

597

: 00:33:10

on LinkedIn and say, Hey, I just have a

few questions, they'd be more than happy.

598

: 00:33:15

To tell you their experience because

it's, it's such a painful procedure,

599

: 00:33:21

but there's other things that you

might want to consider, um, related

600

: 00:33:24

to, uh, whether they've got experience

with companies in your space.

601

: 00:33:29

So they may not have experience with a

company that does exactly what you do.

602

: 00:33:34

It may be on the database side, or it

may be on, you know, the, the higher

603

: 00:33:37

level, uh, software as a service side

that's, you know, fully application based.

604

: 00:33:42

And so somebody that has a little

bit of an experience and, and what

605

: 00:33:46

you do or understands your industry

and our space is really important.

606

: 00:33:50

Um, and I would say also they understand

the agency that you've worked with and

607

: 00:33:57

they've got authorizations with the, uh,

sponsoring agency because, for example,

608

: 00:34:02

CMS is our sponsoring agency and on top

of the FedRAMP regulations, they've got

609

: 00:34:07

something called ARS, A R S, um, that are

additional compliance regulations that

610

: 00:34:12

we have to adhere to to get that ATO.

611

: 00:34:14

So if your assessor knows that

and is familiar with that, then it

612

: 00:34:18

just makes it a little bit easier.

613

: 00:34:20

Thanks.

614

: 00:34:21

And then there's the

contracting side as well.

615

: 00:34:24

So you want to make sure that if you

contract with one, that you want to

616

: 00:34:29

ask for some way to do weekly status

updates or monitor their progress.

617

: 00:34:35

Um, because we've seen issues with other

three POs where they're, they could just

618

: 00:34:41

go radio silent or things get delayed

and you want to stay on top of it and you

619

: 00:34:44

want to put that right in your contract.

620

: 00:34:46

Another one, I was like an

early termination class.

621

: 00:34:49

Um, sad to say that that does happen

sometimes is that, uh, for whatever reason

622

: 00:34:56

you want to get out of your contract

and work with a different 3PO, um, you

623

: 00:35:00

want to make sure that you have the

right clauses in, you know, up front and

624

: 00:35:04

you've thought of that ahead of time.

625

: 00:35:06

And then I also think in terms of going

back to pricing, there are companies

626

: 00:35:11

out there that offer FedRAMP in a box.

627

: 00:35:14

And And they do a similar thing, right?

628

: 00:35:18

And they, they kind of promise that

you'll go through a FedRAMP authorization

629

: 00:35:22

and some of them help you do 3PO work.

630

: 00:35:26

Um, but then it kind of limits

the architecture and limits the

631

: 00:35:29

control that you have in making

changes to your architecture.

632

: 00:35:33

So there are a lot of trade offs there.

633

: 00:35:35

So the prices on those are not apples

to oranges and those, but you want to

634

: 00:35:40

be very wary of the FedRAMP in the box.

635

: 00:35:43

Type of, um, services out there.

636

: 00:35:46

And my experience, uh, some of them are,

you know, have had really good positive

637

: 00:35:51

customer, um, outcomes, but other ones

that I've heard frustration from as well.

638

: 00:36:00

Nick Rundaug: Yeah.

639

: 00:36:00

Uh, well said Tara on all those points.

640

: 00:36:03

I, uh, the one key thing that she

said, I think is very important.

641

: 00:36:07

I always say, if, if, you

know, You get on a sales call,

642

: 00:36:10

people can tell you anything.

643

: 00:36:11

How do you know they're lying?

644

: 00:36:12

Go on that marketplace.

645

: 00:36:13

The cool thing FedRAMP did, they

made all that information public.

646

: 00:36:17

Reach out to one of those

that is a client, pick

647

: 00:36:20

randomly, pick randomly, right?

648

: 00:36:22

And see what they say.

649

: 00:36:23

Like, that's a true test right there.

650

: 00:36:25

Uh, and say, Hey, how was your experience?

651

: 00:36:26

I put a lot of stock behind that and

think that, um, everyone should do that.

652

: 00:36:30

Mike Gruen: Yeah, that's

awesome advice in 20.

653

: 00:36:32

So I, when I was going

through it, it was: 2012

654

: 00:36:34

Uh, it wasn't a lot of people to talk to.

655

: 00:36:37

There were a lot of companies offering

that there are a lot of, and it was the

656

: 00:36:40

way we got hooked up with the company

that I think we ultimately ended up using.

657

: 00:36:44

Um, it was, it was all just

connections, people knew people

658

: 00:36:49

and they're, and they really pushed

hard on how well connected they were

659

: 00:36:54

with the agency we were going with.

660

: 00:36:56

And I don't know, I never

really felt great about them.

661

: 00:36:58

I'm not going to throw any shade, but

I'd be surprised if they're still around,

662

: 00:37:04

but it is, it's nice to hear

though, that, I mean, that is

663

: 00:37:07

part of it is that relationship

is important that they understand.

664

: 00:37:12

Um, so maybe, maybe my read on that

situation was, was a little off.

665

: 00:37:15

Maybe that was an important aspect

that I, uh, didn't pick up on.

666

: 00:37:19

Um, but yeah, those are

really helpful tips.

667

: 00:37:21

Tim Winkler: Yeah.

668

: 00:37:22

Super helpful on the, on

the three PAO vetting.

669

: 00:37:24

And I guess to kind of put a bow on the,

on the discussion at large, any advice

670

: 00:37:30

for just companies considering FedRAMP at

large, like the when and the why that you

671

: 00:37:35

would, Just want to point out and closing.

672

: 00:37:40

Nick Rundaug: Yeah, I can, I can start.

673

: 00:37:42

Um, we, we get a surprisingly large

amount of CSPs, cloud service providers

674

: 00:37:47

that come to us, find us first.

675

: 00:37:49

They're actually probably looking

for consultants, advisors.

676

: 00:37:52

Um, and then we also see through

that and those initial kind of steps

677

: 00:37:56

of as well as the actual assessment

and we see a lot of items that stop.

678

: 00:38:01

You know, kind of a

showstopper or cause issues.

679

: 00:38:04

Um, one is just kind of what Sarah is

saying is just get familiar with it.

680

: 00:38:09

You know, a lot, a lot of that, that stuff

is out there, um, on the FedRAMP website.

681

: 00:38:12

There's a lot that's not right.

682

: 00:38:14

A lot of the guidance that's, that's

missing and you have to kind of learn

683

: 00:38:16

it, but there's a lot that's out

there that shockingly, Folks just

684

: 00:38:20

don't know even though it's ready.

685

: 00:38:22

It's ready there.

686

: 00:38:23

So, um, there's a thing called a

readiness assessment report and it's,

687

: 00:38:28

uh, the templates are out there.

688

: 00:38:30

So is the system security

plan template within that is

689

: 00:38:33

essentially an open book test.

690

: 00:38:35

Everything you need to do is out there.

691

: 00:38:38

There's items that they've even

designated mandates, right?

692

: 00:38:41

So encryption, it's 140 2, 140 3,

as well as scanning requirements.

693

: 00:38:47

Those are the two biggest issues that

we run into as far as the technical

694

: 00:38:51

implementations that cause a delay.

695

: 00:38:54

And time is money, right?

696

: 00:38:55

Because you want those federal

contracts, the quicker you can get

697

: 00:38:58

them, the quicker this pays off and

your return investment comes through.

698

: 00:39:01

So, focusing on that early and building

it and architecting it into the

699

: 00:39:06

system early is absolutely critical.

700

: 00:39:09

So, being familiar with those

requirements and distilling them down

701

: 00:39:12

to the technical requirements and

the mechanisms you can do to employ.

702

: 00:39:16

Um, Huge pride, pride.

703

: 00:39:17

Number one thing.

704

: 00:39:18

I think that, um, I think, uh,

CSPs could do early with their

705

: 00:39:22

engineers is just plan for that.

706

: 00:39:24

No, they have to do it and

get familiar with those.

707

: 00:39:27

Mike Gruen: It's funny that

sorry, just to jump in.

708

: 00:39:29

It's funny that you mentioned the

encryption 1 because that was 1

709

: 00:39:31

that when we were doing our self

assessment, we're doing all of the

710

: 00:39:33

readiness and bubble on all the scans.

711

: 00:39:36

Our, it came back that our, well, we

were using one that wasn't compliant,

712

: 00:39:40

but it was actually higher that like

we were doing more than what was in

713

: 00:39:43

the standard and that tripped us up

a lot because it was like, how do,

714

: 00:39:46

how are we going to navigate this?

715

: 00:39:48

We weren't really sure.

716

: 00:39:49

And, uh, eventually we figured it

all out, but it's, it's these weird

717

: 00:39:52

things that you don't even, you

think, Oh yeah, we're, we're great.

718

: 00:39:55

We're fine.

719

: 00:39:56

And then it's like, Oh

no, actually you're not.

720

: 00:39:58

And

721

: 00:39:59

Nick Rundaug: the

722

: 00:40:00

Tim Winkler: scanning, I mean,

723

: 00:40:02

Nick Rundaug: there's requirements on,

you know, CVS is three Oh scoring and

724

: 00:40:08

a high has to be remedied in 30 days.

725

: 00:40:09

That's hard to do on a re

you know, and repeat that.

726

: 00:40:13

So knowing that ahead of time, get your

teams ready, having a few practice months.

727

: 00:40:17

Looking at your DNSSEC, making sure it

has all those parameters in there that

728

: 00:40:19

you don't wait till the last minute

because sometimes that can take months to

729

: 00:40:23

deploy and that's an item that you have

to have in place in order to proceed.

730

: 00:40:26

So there's these gates in place.

731

: 00:40:28

So, yeah.

732

: 00:40:30

Tim Winkler: Yeah, really helpful.

733

: 00:40:31

Sarah, anything that

you would add to that?

734

: 00:40:33

Sara Mazer: Oh, absolutely.

735

: 00:40:35

I have a lot of advice is the first

thing I'd advise on is finding an

736

: 00:40:39

advisor, somebody who has before maybe

a fractional CTO, somebody out there

737

: 00:40:45

that's just a mentor, somebody that

you can ask questions to, there's

738

: 00:40:49

a lot of changes that are going on

right now in the FedRAMP office.

739

: 00:40:52

The OMB wrote a draft memo on October

23 and they just updated it for,

740

: 00:40:59

um, I think on the 26th of July for

changes to the FedRAMP program, one

741

: 00:41:04

of which is removing the JAB, which

is the DOD side of authorization.

742

: 00:41:09

So, what that means is, The FedRAMP office

is a little bit overwhelmed right now.

743

: 00:41:15

So it is possible to get

FedRAMP authorized, but it's

744

: 00:41:18

going to take even longer.

745

: 00:41:20

So just finding somebody who's kind of

connected to that world to be able to

746

: 00:41:24

figure out how to take advantage of the

situation or get to the front of the line

747

: 00:41:31

or get advice on how to work with the

PMO is really critical, but then there's

748

: 00:41:37

like internal advice that I have as well.

749

: 00:41:40

Which just you need to learn how

to set the appropriate expectations

750

: 00:41:44

with your own executive leadership

and board that can cause a lot of

751

: 00:41:48

friction if everybody's not aligned.

752

: 00:41:52

And there's always friction between

sales and engineering or security, but

753

: 00:41:56

it just seems to increase when you're

talking FedRAMP and there's a lot

754

: 00:42:00

of money that's been invested and at

stake and you've got customers waiting.

755

: 00:42:05

So learning how to set those

expectations and that's where an

756

: 00:42:09

advisor could potentially help.

757

: 00:42:10

Um, that's really going to get you

going like out of the gate really

758

: 00:42:15

well, uh, in a good position.

759

: 00:42:17

But then also looking at the market

fit of your product, like, do

760

: 00:42:21

you even really want to do that?

761

: 00:42:23

Do you want to target

civilian agencies over DOD?

762

: 00:42:27

Maybe FedRAMP isn't the way to go.

763

: 00:42:29

Maybe you want to go right to DOD

and do something that's more on prem

764

: 00:42:34

and focus on their impact level, uh,

accreditations instead of FedRAMP.

765

: 00:42:40

There's a lot of pros and cons, and that's

what we talk a lot about internally, as

766

: 00:42:44

well as the Federal Cloud Advisory Board.

767

: 00:42:47

Um, not everybody is, uh, seeing

ROI on FedRAMP, to be honest.

768

: 00:42:53

Don't assume that if you

build it, people will come.

769

: 00:42:56

There are people, if you go on the

marketplace and you see they're

770

: 00:42:59

in FedRAMP ready stage, they've

been there a while and they have

771

: 00:43:02

not found a sponsoring agency.

772

: 00:43:05

And with the removal of the jab, now

you really do need an agency sponsor.

773

: 00:43:10

And a lot of agencies are being

asked to sponsor and they're

774

: 00:43:13

kind of overwhelmed as well.

775

: 00:43:15

And it's much harder to find a sponsor.

776

: 00:43:18

So you need to make sure that

you've really got that down.

777

: 00:43:21

And you found a sponsor.

778

: 00:43:22

You're pretty sure you're going to get a

sponsor before you think about investing

779

: 00:43:26

such a huge amount of money into.

780

: 00:43:28

Yeah,

781

: 00:43:30

Tim Winkler: it's really sound feedback.

782

: 00:43:31

And I love the, like the fractional, you

know, CTO concept, you know, a lot of

783

: 00:43:36

the listeners from our community are.

784

: 00:43:39

Startups are, you know, very

small businesses, right?

785

: 00:43:42

Where, you know, it costs is

everything in a lot of ways.

786

: 00:43:44

And the idea of biting off more than

you can chew before, uh, really getting

787

: 00:43:50

a good picture and make it a little

bit more of an investment up front

788

: 00:43:52

with a fractional CTO to give you

some, some guidance and advisor or

789

: 00:43:57

some sort of a mentor in that space.

790

: 00:43:59

I think that's, that's fantastic.

791

: 00:44:01

Uh, fantastic idea and great feedback

for a company that's either short on a

792

: 00:44:05

runway or what have you, when it comes to.

793

: 00:44:08

You know, expenses.

794

: 00:44:09

So, um, Yeah, really, really great Intel.

795

: 00:44:13

All right.

796

: 00:44:14

Well, I think, uh, that kind of, uh,

puts a wrap on, on the main discussion.

797

: 00:44:18

So we're going to pivot to our final

segment, uh, the five second scramble.

798

: 00:44:21

Uh, we're just going to do a little

bit of a rapid fire Q and a, um, some

799

: 00:44:26

business, some, some personal, not,

we're not getting too personal here.

800

: 00:44:30

Uh, Mikey, why don't you lead us off with

Nick and then I will, uh, get to Sarah.

801

: 00:44:37

Sounds good.

802

: 00:44:37

Mike Gruen: All right.

803

: 00:44:38

And also, these questions are going

to be different for both of you.

804

: 00:44:40

So, Sarah, don't bother.

805

: 00:44:41

I mean, some of them might might repeat,

but no, no, no need to take notes.

806

: 00:44:46

All right, so here we go.

807

: 00:44:49

What's the most common

misconception about FedRAMP?

808

: 00:44:56

Nick Rundaug: Common

misconception about FedRAMP?

809

: 00:44:58

Um, I think It would probably be on,

uh, sponsors and, uh, kind of a lot to

810

: 00:45:08

what Sarah just said, but, um, that if

you build it, that you'll, they'll come.

811

: 00:45:14

Um, finding a sponsor is

one of the hardest things

812

: 00:45:17

that, that CSP seem to have.

813

: 00:45:20

And, um, luckily there has been a little

bit of traction of FedRAMP is coming

814

: 00:45:25

up with, uh, kind of a job replacement

as well as DOD on their own, and, uh,

815

: 00:45:30

Issued a memo where there's a FedRAMP

equivalency for contractors, um, so

816

: 00:45:34

that they can, uh, go that route if

they don't have a sponsor, but their,

817

: 00:45:38

their products being used by actual,

you know, contractor to subcontractor.

818

: 00:45:42

So, we just, we've been hearing a lot,

really: 2023

819

: 00:45:48

sponsors, like Sarah was saying,

I think a lot of the sponsors out

820

: 00:45:51

there, they're kind of at the limit.

821

: 00:45:53

And bedroom kind of needs to address

that because you have a bunch of kind of

822

: 00:45:57

a top five, in my opinion, of sponsors,

and they got a lot that they sponsor.

823

: 00:46:01

So that's a lot of check

ins they have to do.

824

: 00:46:03

And I think they're a little overwhelmed.

825

: 00:46:04

So I think the 1 of big misconceptions

is that it is easy to find it

826

: 00:46:07

if your product is that good.

827

: 00:46:08

And that's not always the case.

828

: 00:46:09

Sometimes it's first to market.

829

: 00:46:12

Mike Gruen: Uh, what's your favorite

type of, uh, CSP to work with?

830

: 00:46:17

Ooh,

831

: 00:46:18

Nick Rundaug: man.

832

: 00:46:18

Um, I've actually worked with

quite a bit of, yeah, the, the

833

: 00:46:24

ones that upload evidence early.

834

: 00:46:26

How about that?

835

: 00:46:27

Tim Winkler: I

836

: 00:46:28

Nick Rundaug: love it.

837

: 00:46:29

But, but, but yeah, but yeah, Sarah,

they, um, if we can get onsite and, uh,

838

: 00:46:35

or onsite, uh, we start our interview

portion, which is like the, kind of

839

: 00:46:38

the main, main portion we're going

through all those 18 control families.

840

: 00:46:41

And we have, I mean, I'll

say even approach it 70%.

841

: 00:46:45

I'd love a hundred percent centers.

842

: 00:46:47

Those are my favorite ones.

843

: 00:46:48

Cause we will finish likely on time

and, uh, everyone will be happy.

844

: 00:46:52

So, uh,

845

: 00:46:54

Mike Gruen: what's the best piece

of advice you've ever been given?

846

: 00:46:59

Nick Rundaug: Oh, man.

847

: 00:46:59

Um, Uh, a quote from Bruce Lee and, and

it was, uh, to hell with opportunity.

848

: 00:47:05

I create my own opportunity, um,

to, to just essentially to just

849

: 00:47:09

go in and do it yourself, right?

850

: 00:47:11

Like go in, like open a NIST

special pub, read the whole thing,

851

: 00:47:15

go and figure it out yourself.

852

: 00:47:17

Don't, you don't have to rely on

Share Episode

Shownotes

Transcripts

Follow

Links

Chapters

Video

More from YouTube