October 18, 2024

In this episode of The Virtual CISO Podcast, your host, John Verry, is joined by Mike Craig to break down the complexities of RAMP frameworks, including FedRAMP, TxRAMP, AZRAMP, and StateRAMP. Together, they discuss key topics such as:

  • How decentralized trust is established within the RAMP frameworks.
  • The crucial differences between the RAMP frameworks and their impact on an organization’s path to Authorization to Operate (ATO).
  • The influence of Organizationally Defined Parameters (ODPs) on control implementation across various RAMPs.
  • The role of Federal Acquisition Regulations (FAR) in shaping FedRAMP’s technical architecture and cost recovery strategies.
  • Insights into why nearly 60% of FedRAMP projects fail and strategies for improving project success rates.


John Verry (00:00.0)
It was really good. So the only thing we can do, you know, now you got practice on it, right? All right, here we go. Hey there and welcome to another episode of the Virtual CISO Podcast. Mike’s gonna be very good in this one because we did most of the podcast before I realized I did not record. With you today is your host and idiot, John Verry. And with me today is Mike Craig. Hey Mike.

Mike Craig (00:03.646)
Yeah.

Mike Craig (00:26.014)
Hello again.

John Verry (00:27.296)
You’re being very, hello again, you’re being very gracious and I appreciate it. Tell us a little bit about who you are and what is it that you do every day.

Mike Craig (00:38.174)
So I run a company called Vanaheim Security. What we do is advising companies through the strategy, technology consulting, implementation of federal cybersecurity compliance frameworks and authorizations and navigating the entire process. FedRAMP being the main one of those. However, as the SLED subsector has started,

mimicking the requirements of FedRAMP in their own implementations and versions of it. We’ve picked up a book of business working with those different frameworks as well. So incorporated kind of all of that into our strategy services of figuring out which is the right one to go for you and at what time.

John Verry (01:29.664)
And that is exactly why we’re here today is to talk about that exact issue, but before we do I always ask what’s your drink of choice?

Mike Craig (01:38.078)
It’s going to be straight bourbon.

John Verry (01:41.024)
All right, so what’s the most recent bottle of bourbon you bought?

Mike Craig (01:44.51)
Well, that one’s a whole different story. Yeah, I think it was Elijah Craig.

John Verry (01:48.06)
Yeah.

John Verry (01:52.577)
Very nice. I have a bottle of Elijah Craig 23 year old that I’ve been slowly working my way down because it’s kind of a special bottle, which I really enjoy. And then my last bottle that I bought was a very basic one, a Bulleit bourbon 10 year. My daughter recently started drinking bourbon and that’s the one she likes. I thought I’d buy her one for the house.

Mike Craig (02:00.254)
Yeah.

Mike Craig (02:14.046)
Yeah, for sure.

John Verry (02:16.096)
So, historically, many of the conversations that we’ve had with clients interested in pursuing FedRAMP have been, I’m going to refer to them as more traditional conversations. Hey, we’re interested in selling our cloud service into the federal agencies, and it was a more, I’m going to call it a more conventional route. Increasingly, a lot of the conversations we’re having around FedRAMP are sort of being initiated, if you will.

by organizations that need to either comply with something like AzRAMP or TxRAMP or StateRAMP. And they’re saying, hey, maybe we should just go FedRAMP instead. So these are all highly similar standards, but there’s a lot of nuance and complexities to teasing this out. So that’s what I’m hoping that you’re going to be able to educate us on today. So I’m confident you can, because I’ve heard you do it once already. So.

Mike Craig (03:07.71)
You bet.

John Verry (03:15.616)
So let’s start with the basics. What are AzRAMP and TxRAMP?

Mike Craig (03:21.818)
So, AzRAMP and TxRAMP are a state-by-state spinoff of the StateRAMP program, which is mimicking the FedRAMP program as sort of the standard of how to ensure that vendors, technology companies that are doing business in the SLED sector with these states are meeting basic cybersecurity hygiene standards and holding on to

government data, right? So Texas and Arizona respectively have broken from the StateRAMP program to create a different process around how you meet, I’m going to say roughly, the same controls as a matter of speed and process, which we can drill into a little further.

John Verry (04:21.184)
So when we think about pursuing these comprehensive frameworks from the government, there’s really two differing components to it. One side is what are the security requirements? And then the other side is what does the process look like to actually go through and achieve this authorization to operate? So can you talk a little bit about what are the differences between AzRAMP and TxRAMP

from both a requirements and process perspective.

Mike Craig (04:53.798)
Sure. So the technical requirements are all of these different frameworks. FedRAMP, StateRAMP, AzRAMP, TxRAMP. We’re all talking about, at its core, the National Institute of Science and Technology 800-53 set of cybersecurity controls, NIST 800-53. It’s a large tome of a document. It’s difficult to go through.

But there are a selection of controls that are required to define different security baselines, so low, moderate, high, that all exist across all of these different programs. And so they all run off of that same basis. However, there are technical differences in the Mad Libs part

in the control. So it’ll say, organization does x, y, or z as part of the control. But when it’s defining x, y, or z, there are these brackets that say organizationally defined. And that’s called the organizationally defined parameter, the ODP. The governing body can determine what the minimum standard of that ODP is. And so that Mad Libs part provides some nuance. And

sometimes quite a bit of difference in how, say, the encryption standards that you’re going to use or the CIS level one, level two, DISA STIG operating system baseline that you’re going to base your entire continuous monitoring strategy off of. And they can conflict with each other sometimes. So those ODPs, right?

can create technical differences between the different frameworks. And then from a process standpoint, there are some wild differences in how that works. Yep.

John Verry (07:01.888)
Can I ask you a quick question before we get to the process? Just because I don’t want to lose track of that ODP because it’s interesting to me. So I think what you’re saying is I pursue AzRAMP and using that example of a set of controls, I’m aligned with CIS IG1 or IG2 or something of that nature. And that’s what I’m putting into my documentation. I think what you’re saying is that I may go for a TxRAMP authorization.

Mike Craig (07:24.83)
Mm-hmm.

John Verry (07:30.176)
And they may accept that. They may say that’s reasonable and appropriate. And I may go for AzRAMP and AzRAMP might say, no, no, no, CIS IG1 is not sufficient for moderate security categorization. You need to at least be at two. Right? That’s what you mean by it’s the same block of requirements, but how they interpret and how they authorize might be different.

Mike Craig (07:52.35)
Yes, that’s what I’m saying. Probably a better example to use would be between AzRAMP, where you say in your documentation, sometimes the organization, the company gets to decide. They get to self-define what the standard is. And then sometimes the governing body will define for you what the minimum is. So.

John Verry (08:12.928)
Okay. So the org-defined parameter is, I interpreted that as being the org that’s seeking the ATO. You’re saying that the org that is authorizing can also define the ODP? Okay. Okay.

Mike Craig (08:27.294)
They can, yeah, FedRAMP does. And so a better example would be between, like, say, AzRAMP and FedRAMP on sort of the opposite ends of the spectrum, where they will accept an organizationally self-defined, let’s use CIS benchmark level one for our standard that we’re going to map against for the configuration management controls to say, we meet

We meet CIS level one benchmark, and we do scanning against it, and then we fix stuff that’s deviant. On the FedRAMP side, revision five, the new standards, require DISA STIGs. You have to use DISA STIGs, and you don’t have an option anymore. You used to, now you don’t. And so that DISA STIG requirement, if you’re trying to go for both at the same time and you’re using the same platform, now you have two different standards that you’re trying to meet that

directly conflict with one another. And that can be an issue when you’re trying to reuse the same platform across multiple of these. Now, as we.

John Verry (09:35.648)
Gotcha. Yeah, so at that point, you’re forced to architect to the high water.

Mike Craig (09:39.39)
Right. So the high watermark then being DISA STIG, there’s, I have yet to see any organization that reviews these risk packages say, you know, you have to use CIS, you know, level one, you can’t use DISA STIG. DISA STIG is always accepted. So the high watermark.

John Verry (10:01.056)
Okay, cool. So now let’s jump to that process.

Mike Craig (10:04.67)
Yeah. So the process side is when things get real nuts, right? So at the FedRAMP level, the original requirement was that you have to be assessed by what’s called a third party assessment organization, a 3PAO. 3PAOs go through their own testing and validation, and it’s a very involved process to become one. And there are regular ongoing validation requirements.

for training, blah, blah, a whole bunch of other stuff for 3PAO auditors. Because of all of that overhead and requirements, 3PAOs are expensive compared to, say, other cybersecurity auditors like a SOC 2 audit. Then, StateRAMP looked to FedRAMP and mimicked the same process. StateRAMP does not have at least…

as of today, does not yet have its own pipeline for defining and training and authorizing 3PAOs who are able to perform these audits on behalf of the membership states. So they look to FedRAMP 3PAOs. There are about 40 companies, I think, that are 3PAO authorized, but you have to choose one of them. In order to be StateRAMP authorized, you have to be assessed by a…

FedRAMP 3PAO-authorized company. And that makes it an expensive proposition, right? Texas and Arizona have gone a different route in that process piece where they do it in-house. So their auditors look at a risk submission package, their state employees, not 3PAOs, and they have a portal. They want to see, you know,

laid out sort of this way, and then they’re going to accept it or not. And that process is quite a bit faster than the 3PAO, but you can’t use it in nearly as many places. So that plays out in the numbers, right? If you look at TxRAMP and the number of companies that are authorized in TxRAMP, Arizona RAMP, same thing. I mean, there are hundreds, thousands approaching, right?

Mike Craig (12:29.278)
I was going to look up TxRAMP here, but there are…

Just a real quick look. There are something on the order of, let’s see, I’m doing math in public, but that’s like close to 300 AzRAMP-authorized companies. And it’s been around for two years, I guess. Whereas FedRAMP has been around for 10 years now.

has roughly the same number of companies authorized in that entire time frame and TxRAMP looks very similar, right, because the throughput is so much faster. The problem being is that you can only use it in Arizona or in Texas. There’s no reciprocity with StateRAMP because StateRAMP has that 3PAO requirement, which AzRAMP and TxRAMP authorized companies have not done. So then,

John Verry (13:19.04)
There’s no reciprocity.

John Verry (13:32.8)
So I actually saw, but I did see a contract recently where they had the ability to select an AzRAMP or they had the ability to select StateRAMP. So it was an Arizona state contract. So it looked like they were going to allow a StateRAMP ATO as an alternative to AzRAMP.

Mike Craig (13:56.606)
Yeah, yeah, and that’s true. So there’s one-way reciprocity. So if you think in terms of a hierarchy, right, FedRAMP authorized companies are being, you know, grandfathered into StateRAMP as StateRAMP authorized. So if you make it through FedRAMP, you’re gonna be StateRAMP authorized. If you’re StateRAMP authorized, then you’re likely, overwhelmingly, gonna be accepted by those, but.

John Verry (14:01.952)
Okay.

John Verry (14:23.296)
AzRAMP and TxRAMP. Okay, gotcha. But obviously not upstream, because, yeah, because the requirements are different, you know. FedRAMP’s requirements are a little bit different than StateRAMP’s. They’re a superset. Really what you’re just doing is like a superset and working our way down. Okay. And then, so I guess, really, I mean, if you had a choice between pursuing StateRAMP to meet an AzRAMP or TxRAMP requirement,

Mike Craig (14:27.102)
does not hold the government.

John Verry (14:51.712)
The advantage of not pursuing StateRAMP right away would be approximately $250,000 in savings because you’re not having to pay the 3PAO, correct?

Mike Craig (15:04.766)
Right, the StateRAMP can actually be a little bit lower than that. Again, depending on how you’re set up. We’re going to talk about this whole complexity here in a minute, but when we start getting into the federal acquisition regulation and the requirements around how your platform has to be architected to meet the FedRAMP controls and also the federal acquisition regulation at the same time, it does introduce a whole series of additional

John Verry (15:09.632)
Okay.

Mike Craig (15:34.845)
sort of implied or secondary technical requirements that come out of those business requirements that create a higher cost for FedRAMP where the acquisition regulation is not a requirement implicitly in StateRAMP. So while you have to pay the 3PAO auditor at the 3PAO auditor price, you don’t necessarily have to…

go through all of the technical implementation at the same degree of cost that you do at FedRAMP. So using the FedRAMP number for the StateRAMP number is, it can be that high. So let’s say up to, you know, $250,000 in savings.

John Verry (16:24.608)
So you’re saying, simplified, you’re saying that a StateRAMP 3PAO cost for the assessment might be a bit less in general than the FedRAMP ATO cost would be. So I was using that FedRAMP ATO cost. So you’re saying, OK. And that might be 10%, 20%, whatever that number is, a little bit less expensive. OK. OK. So if it’s so.

Mike Craig (16:27.646)
Right.

Mike Craig (16:43.654)
Right. Saying six figures in savings, yes. I think we’re probably still on the same page there.

John Verry (16:54.048)
Why would an org, so let’s, you know, talking about StateRAMP, so we kind of talked about AzRAMP and TxRAMP. So let’s talk a little bit about StateRAMP and why would you guide somebody to be thinking about StateRAMP, you know, to address TxRAMP and AzRAMP contractual requirements.

Mike Craig (17:11.742)
Right, that goes back to that hierarchy of reciprocity, right? So it depends on within the SLED sector, where are you looking to expand? Is your book of business in SLED in Texas or Arizona and solidly going to stay there? You have no plans of going anywhere else? Then yeah, you should just probably go AzRAMP or TxRAMP respectively. But if you have a market and you have a demand within,

SLED, and by SLED here, I’m really meaning, you know, state and local contracts that would require that StateRAMP contractually. If you have, you know, plans, aspirations, or demand for that, then we should probably be thinking about going StateRAMP first to save on costs of doubling up. There’s a timing to it, you know, too. So this, you know, the strategy service that like we do at Vanaheim is,

Looking at those factors, right? There’s a cost associated with this, and because there’s a cost, then you’ve got a time period where your book of business then has to now either expand or start in, you know, a linear trajectory of growth in order to repatriate these costs. So you’ve got a calculable

estimation of a return to equity point, and before that happens, right, you’re just gonna be eating these costs as capital outlays. So that time period, right, and the amount very much matter. If you’re a brand new startup with five employees and you’re trying to go FedRAMP, and it’s gonna cost you $1.5 million, and you haven’t been, you know, beyond your like Series B,

There’s no way that’s even going to be part of the conversation. Meanwhile, if you’ve got 10 million ARR and you’re continuing to grow, then yeah, let’s talk about StateRAMP. If there’s a demand for that, that you’re going to hit that return on equity point probably faster because you’ve got the brand recognition. And two, that you can survive that capital outlay.

Mike Craig (19:37.662)
and wait out that return on equity point. For this very high barrier to entry, you know, market position, but the other side of that is you got to survive it to get there.

John Verry (19:49.632)
Gotcha. So we know that the technical requirements are largely the same with regards to, with the exception of the ODP concept that we talked about. On the process side, StateRAMP versus AzRAMP’s, TxRAMP, you know, we talked about that 3PAO assessment. Anything else markedly different about that process, the business process side of becoming ATO in StateRAMP?

Mike Craig (20:13.502)
In StateRAMP, what we’re looking at is a little bit different in the way agency sponsorship works, right? Between FedRAMP and StateRAMP, if we’re using that as our point of comparison. TxRAMP, AzRAMP, StateRAMP, from the perspective we’re about to talk about, all sort of fall into the same category.

There’s a centralized body of application that there’s the 3PAO piece, unique to StateRAMP, but you’re submitting a package together. It’s going to get approved. It goes through this sort of centralized body. On the FedRAMP side, that’s where things get kind of a lot different because you have to have an agency sponsor. That agency sponsor, if…

They have to decide that they’re going to approve you or that they want you into their business for their agency. You go through that, you go through the whole FedRAMP process, you get FedRAMP authorized. That contract comes up for renewal and you lose it. You get outbid and you don’t have any other federal business.

the way it was set up before, you would lose FedRAMP authorization at that point through an agency sponsorship. And that has not been the case in StateRAMP, AzRAMP, TxRAMP. That’s a unique to FedRAMP thing.

They’re changing that, but we’ll see.

John Verry (22:00.832)
So let’s get into that FedRAMP conversation a little bit, right? Because that’s really where this started is people calling up and saying, hey, we want to get FedRAMP. And you drill in and it’s like, OK, we just want to contract with the state of Arizona. And they’re following that chain. So maybe briefly define exactly what FedRAMP is. I think most people probably know that. But then why might someone choose to use FedRAMP to address a TxRAMP or AzRAMP or StateRAMP contractual requirement?

Mike Craig (22:28.126)
Sure. So FedRAMP is the Federal Risk Assessment Management Program, is what it’s called. It’s been around for about 10 years now. As of last year, I think, the National Defense Authorization Act, I believe it was 2023, December, signed by President Biden, there was a rider inside of that called the FedRAMP Authorization Act that made FedRAMP authorization a requirement inside of federal acquisition. If you have a…

a cloud-based service that is going to process and hold government data outside of a system developed for an agency internally, then it has to be FedRAMP authorized. That used to be an option. Now it is required. So by going FedRAMP, why might you choose to do that? Well, it’s going to depend on your federal book of business. Your service,

MSP, you know, SaaS, whatever it is inside of the cloud, it has to be sellable and you have to have demand inside of a federal agency for this to work because of that sponsorship requirement. But if you have that, right, and there’s demand across even multiple federal agencies, then you have demand for that at the federal level and also states want it.

then you might want to consider going FedRAMP first because of the reciprocity and downstream reciprocity all the way down into AzRAMP in your hypothetical. But if you don’t have that, right, and you’re only in Arizona and you’re only going to stay in Arizona and you’re not even planning on really having a federal book of business, then we probably want to be having a very different conversation.

John Verry (24:10.24)
So.

John Verry (24:23.264)
Yeah, I’ve heard you talk about there’s another component to this though that complicates it, right? And that’s the difference between federal acquisition regulations versus state acquisition regulations. Can we talk a little bit about that and how that would influence this decision?

Mike Craig (24:36.606)
Okay.

Mike Craig (24:42.526)
Sure. So now we’re talking about kind of technical architecture and platform delivery. The requirements for FedRAMP, you have to have an agency sponsor, you have to have a federal book of business. But any company that is doing business with the federal government at all is subject to the federal acquisition regulation. That’s a completely different tome and its own 30 years of study to master it.

separate from the NIST 800-53 we were talking about before of technical requirements. It has its own requirements around cost segregation and around charging to multiple agencies. So if you have an agency sponsor and you have a second agency wants to pick you up and use your FedRAMP service, you have to be able to separate out the cost and segregate the data.

for each of those different agencies. But at the same time, you have an overhead cost for the scalable overhead of your management plane of the platform that you’re performing services within both of these agencies. So it creates sort of a technical requirement implicitly that’s not written down anywhere that you have kind of a hub and spoke technical architecture of clients.

where you can have a cloud account that’s direct billable to that customer. You have a second cloud account that’s direct billable to that customer. And then you have a management plane that services both. But that management plane has to be declared as commercial pricing because it’s serving multiple federal agencies. And so you can’t direct bill to those costs. Or you just eat the management plane costs entirely. Those are your two options though. Otherwise you’re in violation of the FAR.

The state requirements don’t have that. And they don’t have that same direct bill requirements. They are dependent on state by state, but there’s no unifying one to say that’s the case for everybody all the time within state acquisitions. So you can have something more akin to like a commercial containerized architecture that’s not

Mike Craig (27:09.374)
separated client data. They’re separated in containers, but your infrastructure is still held in like a single VPC and cloud account and direct billable that way, where you can charge that service to a state without having to separate out into that distinct infrastructure requirement of hub and spoke that is implicit inside of the FAR. And so you end up having.

less confusing technical architecture more akin to a commercial offering and kind of the modern trends in commercial offering architecture and scalability versus the sort of weird way that FedRAMP requires you to do it, because you have these overlapping requirements of NIST 800-53, FedRAMP’s view of data and of

system boundaries, that sort of artificial political line that gets drawn around your federal offering, an enclave, and being able to make it actually profitable when you’re repatriating costs.

John Verry (28:20.864)
Is that data segregation an explicit requirement, or does the data segregation happen as a component of the segregation necessary to deal with the FAR issue that you were talking about?

Mike Craig (28:37.022)
So it’s often an explicit requirement inside of the contract itself. But it’s not an explicit requirement found inside of the NIST 800-53 controls themselves. It’s a requirement inside of the direct billable rules of the FAR and the requirements by the agencies to separate out their data. And so then we get

John Verry (28:44.832)
Gotcha.

Mike Craig (29:06.686)
Like, a good example here is how DoD views kind of all of their stuff. DoD generally doesn’t, while they’re one of the main players inside of the FedRAMP program, they have their own separate thing, DoD Impact Level. And at DoD Impact Level 5, you have to separate all DoD data and infrastructure from everyone else. You cannot mix it even with other federal agencies inside of a government cloud environment. And that’s kind of how the…

government treats commercial offerings versus how DoD treats all other federal agencies.

John Verry (29:43.648)
Gotcha. And could you touch on briefly the, you know, in the old days, right, if you were pursuing FedRAMP, there were, you know, left fork and right fork. Left fork was the, you know, the conventional JAB, GSA route. Right fork was agency ATO. My understanding now is they’ve effectively closed the left fork, like the JAB that doesn’t exist, where the JAB has been re-architected, is doing some other things. Just talk briefly about that.

Mike Craig (30:10.942)
Yeah, so the JAB stood for the Joint Authorization Board. It was GSA, DoD, and DHS. Those were sort of the founding agencies, it’s not really the right word, but it makes a good analogy here, of the FedRAMP program itself. Remember, it used to be optional. So the goal was if one agency that’s governed by the three main

cybersecurity players that cared the most. If those three sign off on it, then other agencies could trust it, and it was voluntary programming. Now it’s required. So there used to be two different routes where an agency could sponsor you and pick you up, but you had to have a contract in that agency and a reason for them to do so. It comes with an overhead cost on the agency’s part. There’s some skin in the game for them because there are

companies that will take that FedRAMP in process designation and use it as a marketing tool, but without any real intention of fixing the stuff required to get all the way through FedRAMP authorized and making those investments. And so the agency ends up wasting a lot of their time. I very much get it from their perspective as well. The act of sponsorship is an act of trust on the part of the agency.

Then there was the Joint Authorization Board. That’s the three main players. And that did not have any single agency sponsor. Say four years ago, I would have been advising clients, like try and go JAB if you can, because when you lose that contract of that one agency that sponsored you due to rebid, all the other…

wild card stuff that can happen inside of federal acquisition, then you also would lose your FedRAMP authorization. Now that process has changed. The JAB no longer exists. As of the FedRAMP Authorization Act, there is the Technical Advisory Group. And the JAB used to operate sort of separately from the FedRAMP PMO. And so you would ask the FedRAMP PMO questions and the left hand would tell you one thing and you would spend a bunch of money fixing

Mike Craig (32:36.126)
the stuff or implementing it the way that the left hand told you to do it. And then you would go through the JAB authorization and they have a completely different set of unwritten rules and requirements. And you spent a bunch of money and now have to redo it. It’s a very frustrating process. The TAG is seeking to consolidate those two organizations into a single entity that acts more as a governance and oversight

for agency sponsorship in the way that agency sponsorship has been working kind of all along. Agency sponsorship has always been the easier of the two, but it came with the most risk. So to de-risk that, what they’re changing it to is they’ve released that requirement. Right now it’s just a little bit of breathing room, just the cave has come down like just to your nose and you can stick it up like that, that if you were to lose,

your agency sponsor, you now sit in the FedRAMP ready status for a year, as it stands today. You sit there for a year to find another one without automatically losing it, like used to be the case. So they’re working on streamlining the throughput of, and the bottlenecks in that agency sponsorship and meeting kind of all the different parties and stakeholders that,

have major issues with this, trying to work it all out at once. There’s another sort of simultaneous effort to automate the testing and compliance. Google has done their first one using OSCAL. That’s an automated way of validating the control requirements, technically, in a giant report. They get reviewed, and then the ATO moves faster. So both of these things are happening concurrently. And…

the world’s going to change a little bit. But as it stands today, and probably for the next, I would say, year, year and a half, at a minimum, the agency sponsorship is the only way to go. But you do have that breathing room on the back end. They’ve also made it easier to apply without having the agency sponsor first. And that has also helped out quite a bit in throughput.

John Verry (35:01.792)
Well, they obviously have to solve this problem. If you’re now at a point where it’s no longer optional, I can use somebody else that’s not FedRAMP ATO, you’ve got to find a way to get more people into the ATO because if there’s a particular product that you need and it doesn’t exist yet as a FedRAMP ATO product, that’s going to cause some problems.

Mike Craig (35:19.422)
Right. So I was just going to say, my sort of read of federal CISOs and the ones that I have talked to about this is that what they want to see is that you’re putting skin in the game and that you’ve separated off a federal enclave. You’ve put real money and investment behind this.

John Verry (35:21.472)
Quick question. Go ahead.

Mike Craig (35:47.262)
and then they’re a lot more willing to sponsor you. So that’s the opposite approach from two years ago and what I was advising clients on is, you know, find an agency sponsor first and then take the risk to, you know, attempt applying for FedRAMP. And now you have to do it the opposite way, right? You’ve got to go all in first and then get your agency sponsor. Now, if you’ve already got a federal book of business and you’ve already got a sales pipeline,

then that’s going to be exponentially easier for you to pick that sponsorship up versus just going into it completely cold. But that option does exist now, but you do have that one year counter starting once you get through the process that you still have to find a sponsor. I think that’ll relax a little bit too as time moves on.

John Verry (36:38.272)
And one quick question here. So OSCAL is effectively machine readable information with regards to the security posture associated with an environment.

Mike Craig (36:51.486)
Correct, yeah. It’s an attempt to create a standardized compliance language that vendors can support in their logs so that we’ve got a single standard that we can all comply to across an industry to read all of this machine data and then…

we can test against standards and then validate in a machine readout versus having an expensive 3PAO do it. That’s the dream.

John Verry (37:27.328)
In a weird way, that’s, yeah, but you know, in a weird way, it makes sense. I mean, that’s effectively what CSPM and CNAPP and those tools are, right? Is, you know, they have, they’re just reading it, you know, whether it’s infrastructure as code, whether it’s, you know, whether it’s logs coming out of, out of cloud systems, it’s okay. I know exactly what we are and we can apply, you know, we can apply policy and we can identify deficiencies, right? OSCAL is going to give us kind of that same idea, but in a…

in an even more normalized way, because we don’t have that consistency across clouds and across apps and components within clouds, that OSCAL is going to kind of cross that all together or normalize all that, I guess is the best way to say it.

Mike Craig (38:09.918)
Right. I have actually been on a government initiative before to try and create a logging standard across an industry. It’s really, really hard. And every vendor wants it to be their thing, right? And so finding the agreement is nearly impossible. Finding the right level of technical requirements so that you’re not excluding vendors and showing favoritism.

John Verry (38:25.76)
Of course.

Mike Craig (38:37.566)
also a massive undertaking of a lot of brain juice to come up with. OSCAL is like effectively just like rich XML at its core, but it’s moving toward that standard of log standardization without, in an open source way, without favoring any particular proprietary vendor that already does this in the commercial sector.

John Verry (39:04.928)
Right. So given that you said that there’s only, over the last 10 years, 325-ish FedRAMP ATOs, I don’t think I’d be far off saying that there’s probably been more failed FedRAMP or aborted FedRAMP initiatives than there are successful ones. I know we’ve been involved in some. I know you’ve been involved in a few. So that speaks to one of the things that…

Full disclosure, Mike works as an extension of our team sometimes on our FedRAMP projects. We’ve got great technical expertise, but as you’ve probably already become aware, Mike understands the business side and the government regulatory side of these at a level that very few people do. So we’ll leverage him in our engagements with our clients on this as well. So we’ve been starting those projects with what we call a strategy engagement. And…

Recently, it’s very interesting, and the value prop I think of the strategy engagement is we had a client that had AZRAMP requirements. They had aspirations to work, and they already worked in other states, and they had aspirations to work more federally. So they came to us and said, hey, we want to get FedRAMP ATO. And we said, let’s start with the strategy engagement instead of just jumping right into the implementation. And interestingly, they came back and said, you know what? We’re not going to do FedRAMP. We’re not going to do StateRAMP.

We’re just gonna do AZRAMP for now. So I think it actually speaks to the value prop of doing that. Can you talk a little bit about these strategy engagements and why you feel so strongly that that’s really the best starting point for somebody going through this thought process?

Mike Craig (40:49.214)
Yeah, yeah. I mean, the two of the main takeaways that you get from starting with a well-informed strategist is the education component of what all this is going to take. And then you can put a roadmap to paper of when you should be realistically trying for these things in order to dramatically increase your chance of success. So.

You know, John, like you were saying, I’ve been putting together sort of anecdotal evidence around this. I’ve not seen any official study. I don’t have the records from PMO and it’s also very difficult because not all of them end up actually going to PMO. But it seems to be something on the order of like 40 to 60% of companies that start out on this FedRAMP journey abandon it halfway through or sometimes even, you know, further down the road than that.

after all of this capital expenditure and all of this time and sometimes they hire a 3PAO as an advisory and then find out like they’re not getting the profitability out of this and this doesn’t make business sense and then they leave or it’s way more costly than they thought it was going to be and the decision maker of the purse strings wasn’t set up for success with that executive communication at the outset.

that we’re looking at a timeframe of three to five years of capital outlay and then federal business contract start and then profitability from those contracts to where we’re actually getting to like a return on equity point for this FedRAMP investment is like five years down the road. And that’s great because it’s such a high barrier to entry. Maybe that does work for you.

Because if you’re offering a unique service that the federal government doesn’t have and you make it all the way through, you’re the only one who’s gonna make it through for a while, right? Because it’s so hard. If you do punch through to the other side, there’s a lot of money to be made there, but you gotta set the expectations up front and that doesn’t really exist inside of the ecosystem to help anybody figure that out, which is why I formed my company in the first place, because I have a real passion for this.

Mike Craig (43:10.686)
I don’t want to see people abandon it. I want to see people go all the way through. I want to see the government have access to better services and more competition in the cloud space. So let’s talk about the education piece, right? All of the parts that this touches, it’s been historically a technical problem. And at the board and C-suite level, it tends to be thought of as something as just a SOC 2.0.

Think throw 30 grand at it, we’ll write some policies, we’ll go through, you know, a $10,000, $20,000 audit, and then we’ll come out FedRAMP authorized. And that is not the way this works at all. Couldn’t be more different, right? And I tell my clients like, this is much more aligned with the level of effort and thought and brain juice and investment of a product launch.

a dedicated subset of your existing commercial product in the federal space to a unique customer with its own, in a unique market with its own unique requirements and preferences. And thinking of it more like a product launch, you are already way ahead of the curve and probably going to dramatically increase your chance of success from that alone. But to talk about all the different pieces that this is going to touch.

and start planning out the time, the resources of this entire process, sort of from end to end, and mapping out what that would look like so that you go through it with eyes wide open. I’m all for turning clients away and saying, you shouldn’t go FedRAMP. It doesn’t make any sense for you. Yeah, you could, but should you? And those that it does make sense for, I can help you get all the way through the process. I’ve done it a bunch of times, right? But it doesn’t make sense if it doesn’t make sense.

So we talk about, right, that historically, like it’s become like a, it’s a technical implementation problem and it’s something that’s thought of at like the engineer level. But really this is something to be thinking about from the C-suite level from the beginning. This is gonna be finance and the capital outlay that’s gonna be required probably across multiple fiscal years. Maybe you can fit it in one, but I’ve rarely ever seen that.

Mike Craig (45:37.246)
Even the smallest companies that are already, like, federalized, right, still take more than a fiscal year. So at least two, and you got to be thinking about those obligations and your liabilities going into year two, right? And thinking about what that’s going to look like in your projections. Then we got to think about the technical implementation of your product as it exists today. Remember that, that.

Third parties. FedRAMP requires that any external company or service that you’re using that has any effect on security controls at all, and remember, this is very comprehensive across the board, if it has an impact on security controls, that external service also must be FedRAMP authorized. So that means that…

If you’re using a CRM tool, and you use some, say, Zoho or HubSpot right now as your CRM, your options inside of FedRAMP really are like Salesforce. Do you have Salesforce expertise or do you need to hire people? Do you have Azure expertise or are you gonna have to hire people? So there’s an HR component to it. There’s a…

So we map out like your organic skill sets from a technical perspective and what you have for delivery. But we also have to look at, you know, the O costs of building out a platform that is compliant with the FAR if you aren’t already. And the way the FAR requires it really is not intuitive. So very rarely have I seen a company who is unless your book of business is already mostly in the federal government.

And so we end up kind of looking at all of these different things, organic skillset, timeline. What is your ARR now? What do you project it to be in the future? What does your book of business look like now? What does your sales pipeline look like? How confident are you in those sales in order to reach that return on equity point? You know, it requires a continuous successful pipeline of federal sales in order to justify this investment in the first place.

Mike Craig (48:06.302)
We look at all that stuff, right? And then we look at, if you don’t have a federal business, looking at target agencies that are more likely to pick you up as a sponsor. So one of the examples that I use is like in the health care space. I have a lot of clients that come through that, come from that direction, right? Health care inside of the federal government is a subset of federal agencies.

And so the demand for healthcare related services isn’t going to be broadly expansive to, you know, FBI and DoD and, you know, all the intel agencies, you know, all of those other sort of cat ones in national security space. You’re going to be focusing on like VA, you know, CMS, CDC, HHS, and it’s just a smaller subset, right?

So the FedRAMP website now allows you to look up the number of packages that an agency has sponsored. And you can see what those packages are. So you can look and sort of count out, right, how many have they sponsored before and thus how likely are they to pick you up versus another agency. DoD and the VA have done like three FedRAMP.

authorization packages that they have sponsored so far in all, all 10 years of FedRAMP’s history, mostly because they, they focus on DoD impact level because they’re sort of DoD affiliated, right? So like HHS and CMS are sort of your way to go and it’s a better entry market into the federal space. And so we map all that out for you too, as well as like, what is the roadmap and plan for sales pipeline and penetration and what’s the roadmap and plan for technical implementation.

What’s the roadmap and plan for architecture and FAR compliance in addition to FedRAMP compliance? And what are your organic skill sets? What do you have to hire? What’s the inroad, you know, going to end up costing you an O Then we can map all that stuff out, come up with a trajectory of what your sales pipeline would need to look like in order to get the ROI here. And we can give all of that information to you and then say, Hey,

Mike Craig (50:33.406)
This doesn’t make sense. Or it does.

John Verry (50:37.856)
So it’s interesting. I think you referred to it as a new product launch. I think you’d almost referred to it as launching a new business unit, even more so, right? Because there’s such a significant HR component, finance component, business operations, legal and compliance. It explains why so many organizations end up abandoning this, because they start with it as a technical issue, like SOC 2 and ISO 27001.

Give it to the IT, give it to the IS, throw some money at it, and six months to a year from now we’ll have the certificate, and they don’t understand all of these issues, and IT and IS are not good at vetting and ferreting out those issues. So we get to the point where it’s like, how long have you guys been doing this, or they’re even ready, and it’s like, well, wait a second, we don’t understand the business side of this, right? Or we haven’t architected this right to understand the business implications from a FAR perspective.

Mike Craig (51:34.526)
Right, yeah, getting the right players involved from the beginning dramatically increases your chance of success. But that education piece, like you were saying, of thinking of it like SOC 2, chuck it at a mid-level PM in your organization without C-suite involvement and championship across functions, it’s doomed to fail. Right?

John Verry (51:59.456)
Yep, which explains why so many have. This has been awesome. Thank you. We beat it up pretty good. Is there anything you think we missed?

Mike Craig (52:10.43)
No, I think we got it all this time.

John Verry (52:15.648)
I just, I thought you needed, I thought you needed practice. I’ll be honest with you, Mike, your first take was so bad I actually was recording it. I just told you it wasn’t because I thought maybe you could do a better job the second time, and you did. So you justified my, you justified my line to you.

Mike Craig (52:29.182)
That’s, that’s, that’s, yeah, that’s, that’s fair. I’m clearly very camera shy.

John Verry (52:34.912)
Well, listen, man, thank you. I appreciate it. If somebody wanted to get in contact with you, what’s the easiest way to do that?

Mike Craig (52:39.326)
Super.

Mike Craig (52:45.214)
Mike.craig at vanaheimesecurity.com, or go to the website at vanaheimesecurity.com. Also, my LinkedIn profile has a link to direct book with me. Love to chat with anybody about it anytime. The one

John Verry (53:02.688)
Sounds good, man. Thank you and have a great weekend.

Mike Craig (53:05.726)
Alright, you too.