How to fund security and modernize at the same time
FedRAMP's standards go a long way toward the security goals the White House just set -- but smaller firms must be able to afford the authorization process.
In our last article, we argued that the government's FedRAMP cybersecurity program was a reasonable and effective tool for reducing cybersecurity threats, but after 10 years, it remains under-funded and insufficiently scaled to address the universe of 18,000 cloud-based commercial products. We argued for increasing funding and setting up a robust FedRAMP shared service model that could serve the entire government. We believe relieving individual agencies of pursuing their own FedRAMP authorizations is an efficient approach to break the current authorizations bottleneck.
Two days after publication, Colonial Pipeline shut down its gas transport operations because of another criminal ransomware attack. Then on May 12, the White House released a long-awaited executive order designed to improve the "Nation's Cybersecurity." In the wake of the Office of Personnel Management, SolarWinds, and Colonial Pipeline breaches, it appears the government is ready to take a serious stand on enforcing cybersecurity through enhanced procurement regulations designed to block and purge unsafe software.
Fortuitously, the new executive order touches on some of our recommendations for FedRAMP by explicitly requiring its "modernization" and encouraging better security through increased cloud adoption. Importantly, most of the specific safety directives address implementing National Institute of Standards and Technology Special Publications 800-160 and 800-53, which already exist and have always been part of FedRAMP process. In other words, if agencies follow existing FedRAMP protocols, they will also be largely complying with the new executive order.
The Biden White House's new guidance, with some exceptions, puts significant teeth and enforcement into what already exists. There is a lot of important administrative work to be done and deadlines to be met, but largely the underlying security framework will likely remain the same, for the immediate future.
Unfortunately, even if the FedRAMP Project Management Office is modernized, there is still a need to address a staggering problem. The cost of pursuing a FedRAMP authorization for a software company range from $500,000 to $1 million for a single product. Obviously, this is especially burdensome for small companies -- the same firms that often drive the innovation and modernization the government seeks. Imagine asking a small company to expend $1 million before it sells a single product to the government. Imagine the cumulative money spent to ensure that every single cloud-based product used by the government has gone through this process.
There have always been two sides to the cybersecurity regulatory problem. The government hasn't properly resourced the security authorization side, thereby creating an approval bottleneck. And the cost to meet compliance on the industry side has been exorbitant, chasing away small players. The government wants to modernize, but with the high cost of security compliance, it may have effectively built a moat -- thwarting innovation and creating an oligarchy of software suppliers. Only well-established incumbents, with significant resources, are equipped to cope with the cost of security compliance.
What can be done?
In order to keep smaller software innovators engaged and to prevent the creation of a software oligarchy, the government should look at creative options to provide small businesses with access to FedRAMP. One approach might be for the government to fund authorizations by paying fully or partially for the third-party accreditation process. Currently, a collection of expert firms called Third Party Assessment Organizations (3PAO's) are critical to the undertaking. These are private firms, and their primary function is to closely examine the artifacts provided by software companies to demonstrate compliance with NIST standards. 3PAOs provide the government with the authoritative proof of compliance.
Perhaps the government could run competitions to select promising innovative software products and set aside funds for 3PAOs to be paid by the government. Alternatively, perhaps there can be a few 3PAOs fully funded by the government and dedicated to working with software companies of a certain size. In a sense, this could be a vertical integration, bringing a few 3PAOs "in-house," exclusively for the purpose of driving FedRAMP authorizations for promising products from smaller companies. Rigorous contracting competitions could be set up to control access to the government's 3PAOs, perhaps funded through the TMF program.
Additionally, the government could use the Small Business Innovation Research (SBIR) program for funding to allow software companies to apply for an incremental approach to FedRAMP. SBIR grants could be provided in tranches that match typical FedRAMP phases. A promising small business with a useful innovative product could be awarded a Phase I increment of funding to demonstrate it can meet FedRAMP "ready" status. Another block of funding could be awarded to complete the full Authority to Operate (ATO), once an agency has determined it would like to utilize the product.
Likewise, for the Department of Defense, Other Transaction Authorities are potentially a perfect fit to provide funding to secure promising software applications. OTAs are explicitly to be used by DoD to lower the entry barriers for commercial companies to develop prototypes that enhance mission effectiveness. It seems with the proper budget, OTAs could accelerate a significant volume of FedRAMP authorized products.
These are just a few options. The important thing is for the government to recognize that while it is obviously critical to secure the information technology estate, it must do so in a way that doesn't lock out modernization, innovation, and competition.
Modernization and security are not mutually exclusive. In fact, a modernized IT infrastructure would be beneficial for the enhancement of security -- but it is imperative for the government to appreciate its current dilemma. It needs to simultaneously expand its ability to provide FedRAMP authorizations and at the same time lower industry's cost of compliance. It is possible to achieve both of these, but it requires a plan.
NEXT STORY: Unfunded mandates in the cyber EO?