StartUps, FedRAMP, Federal Contracts & More

First, let's remove the myths around early-stage organizations gaining access to contracts with Federal, State or Local Agencies.

  1. You do NOT need to enter and compete in an RFP process to win a contract.
  2. You CAN solicit and cold-propose your solution.
  3. You do NOT need to be on the GSA schedule or sell via a reseller/channel partner.
  4. You do NOT need to have audited financials or an extensive business history.
  5. You do NOT need your employees to be US Citizens (depending on security requirements, you may need a principal person or representative to be a US Citizen).
  6. You do NOT need to fork your code or deploy on AWS GovCloud (unless you are a high-security application).
  7. You do NOT need to spend millions on compliance (FedRAMP & ConMon).

Starting The US Government Journey

If you believe your product could be of service to the US Government, even if you do not have the capacity to explore this opportunity today, there are a few critical steps you can start taking now which will accelerate your journey exponentially. These are small technical and operational steps (which you probably should be doing anyway) that ensure the cost of refactoring down the line is not too high.

Some of the steps to explore:

  1. How you deploy (your deployment pipeline): you don't need to have it all today, but you should have a roadmap of where you want to get to.
  2. How you manage tenant data: the ability to deploy as a single tenant.
  3. How you release features: the ability to turn off functions / services at the runtime level.
  4. How your services communicate: the ability to isolate certain services or remove dependencies.
  5. Your 3rd-party vendors: whether the vendors / stack you are choosing are already FedRAMP certified.

The big item around FedRAMP and selling into the US Government is that, because authorization is based on agency sponsorship, you do not need 100% compliance. Maybe you use a 3rd-party service that is not compliant but whose value is accepted by the agency, or your product needs to communicate with a shared micro-service; if the value of the architecture makes sense, the requirement can be waived by the agency.

Concurrently, you should be building your company in relative alignment with SOC 2 (how employees are onboarded, how data is managed, at some point MDM/JAMF controls, and some general protocols written down), which also includes your SLAs around patch management, source code analysis, etc. Again, not all of this has to be happening today, but if you know what you are working towards, it is easier to design the path and at least ensure compliance has a seat at the table during decision making.

If you are ready to sell into the US Government, or are at least willing to explore what this could look like, the best place to start is with a potential customer, and an even better place to start is a customer that has previously or is currently exploring a similar solution. The best scenario is that you find an active opportunity: head to GovTribe.com and search for your product value (i.e. what you do / what you bring) and see what comes up. (For example, if you are a learning platform, don't search for LMS; search for education, training, etc.)

You WILL likely have to gain FedRAMP approval at some level; however, most agencies will assist in funding this exercise. The cost is wholly dependent on where you stand today, but there are three costs you have to carry outside your internal engineering/product teams.

  1. SSP Document Creation: this is the package provided to the auditor and the FedRAMP office that details how your application works and its compliance (or non-compliance) with the controls.
  2. Auditor (3PAO): the third-party assessor that conducts the audit of your readiness and compliance with the FedRAMP controls.
  3. RMF Consultant: someone very familiar with NIST 800-53 (the control catalog FedRAMP is built on), usually ex-DoD, who can help guide your journey.

The biggest question around delivery will be what you need to change in your product architecture and whether you can do it without forking your product. Unless you are going for FedRAMP High, the view should be not to fork and not to create a separate product, as that will likely make the opportunity less viable.

If you are 3+ years in business and want to enter the marketplace, or prepare to enter it, without a contract or opportunity, then there is no reason not to be listed on the GSA Schedule / Marketplace so agencies can find your solution. You can do this without any compliance requirements in place.

If this piques your interest, I look forward to talking about how this might apply to you and your organization.