First, let's remove the myths around early organizations gaining access to contracts with Federal, State or Local Agencies.
If you believe your product could be of service to the US Government, even if you do not have the capacity to explore this opportunity today, there are a few critical steps you can start taking which will accelerate your journey exponentially. These are small technical and operational steps (which you probably should be doing anyway) that ensure the cost of refactoring down the line is not too high.
Some of the steps to explore:
The big item around FedRAMP and selling into the US Government is that, based on the agency sponsorship, you do not need 100% compliance. Maybe you use a 3rd party service that is not compliant but whose value is accepted by the agency, or your product needs to communicate with a shared micro-service. If the value of the architecture makes sense, the requirement can be waived by the agency.
Concurrent with all this, you should be building your company in relative alignment with SOC2 (how employees are onboarded, how data is managed, at some point MDM/JAMF controls, and some general protocols in writing), which also includes your SLA around patch management, source code analysis, etc. Again, not all of this is happening today, but if you know what you are working towards, it is easier to design the path and at least ensure compliance has a seat at the table during decision making.
If you are ready to sell into the US Government, or are at least willing to explore what this could look like, the best place to start is with a potential customer, and an even better place to start is a customer that has previously explored, or is currently exploring, a similar solution. The best scenario is that you find an active opportunity: head to GovTribe.com, search for your product value (i.e. what you do / what you bring) and see what comes up. (For example, if you are a learning platform, don't search for LMS; search for education, training, etc.)
You WILL likely have to gain FedRAMP approval at some level; however, most agencies will assist in the funding for this exercise. The cost is wholly dependent on where you stand today, but there are three costs you have to carry outside your internal engineering/product teams.
The biggest question around delivery will be what you need to change in your product architecture and whether you can do it without forking your product. Unless you are going for FedRAMP High, the view should be to not fork and not create a separate product, as that will likely make the opportunity less viable.
If you are 3+ years in business and want to enter the marketplace, or prepare to enter the marketplace, without a contract or opportunity, then there is no reason not to be listed on the GSA Schedule / Marketplace so agencies can find your solution. You can do this without any compliance requirements in place.
If this piques your interest, I look forward to talking about how this might apply to you and your organization.