The government wants to get onto the cloud! But how do agencies assess the risk of adopting a specific cloud product, and decide which “cloud service providers” (aka “CSPs”) to work with? That’s where FedRAMP — the Federal Risk and Authorization Management Program — comes in: it standardizes how cloud services are assessed, authorized, and continuously monitored across the federal government. Enterprise SaaS companies need to pay attention, because a FedRAMP authorization is a requirement for selling cloud services to federal agencies, and the U.S. government is one of the biggest buyers of tech. Beyond that, state governments and private/public companies may also look for FedRAMP-authorized vendors, either because they work with the federal government themselves or because they want a recognized security standard to buy against.
How similar is FedRAMP to other types of certification, authorization, and compliance (such as ISO, SOC 2, GDPR, even HIPAA), and how does it differ? What does going through it mean for a startup organizationally and culturally? Is it a check-the-box policy exercise, is it more like getting a driver’s license… or something else? One thing’s for sure: it’s an opportunity for enterprise SaaS startups, and the government is actively trying to help companies through the process.
What are the steps to certification? What are some acronyms and terms to be aware of? When and how should you bring a consultant, advisor, or third-party auditor into the process? How long does it take, really? And how does it affect your sales team? Most importantly, what is the best strategy for moving forward? (Hint: start with a customer). Lisa Hawke, VP of Security and Compliance at Everlaw, an a16z company, shares her expertise and their experience in navigating all this, as well as the resources below, in this episode of the a16z Podcast hosted by board partner Steven Sinofsky. (The two were also previously on another episode sharing everything startups need to know about GDPR.)
Links mentioned in this episode (and other resources):
- context: Federal cloud computing strategy
- acronyms involved in FedRAMP: master glossary
- FedRAMP marketplace: designations for cloud service providers (Ready, In Process, Authorized)
- FedRAMP marketplace: listing of products, their impact levels, and more
- getting started with FedRAMP: CSP (cloud service provider) Authorization Playbook
- authorization paths:
- security categorization of cloud services: baselines and “impact levels” (Low, Moderate, High)
- the human side of FedRAMP: customer success
- configuration guidelines: CIS (Center for Internet Security) benchmarks
- government procurement vehicle: GSA IT Schedule 70
- learning and training resources: online courses, webinars, and in-person training