Reckless Compliance

FedRAMP Equivalency Memo with GRC Analyst, Michael Rasmussen


Max Aulakh and Michael Rasmussen, GRC analyst and CEO of GRC Report, discuss the recent FedRAMP Equivalency Memo released by the DoD in January 2024. They go into depth about the memo, what is involved, the requirements, and how it directly affects the CSP.

Topics we discuss:

  • What is FedRAMP, and who is it for?
  • How long has FedRAMP been around?
  • Challenges with FedRAMP
  • What is Equivalency, and why is it important?
  • Is Equivalency a good or bad thing?
  • What type of firms is the FedRAMP Equivalency Memo applicable to?

 

Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website

 

Resources:

FedRAMP Equivalency Memo

Max and Michael Rasmussen 

[00:00:00] Max Aulakh: Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or, if you’re a security pro within the federal space looking for a community, join us. We’ll break down tools, tips, and techniques to help you get better and faster at getting through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA STIGs, SAAB SARS, or newer terms like cATO, Big Bang, OSCAL, and SBOMs, we’ll break them all down one by one. And now, here’s the show.

Hi everyone, thank you for tuning in to Reckless Compliance. This podcast is about FedRAMP Equivalency, and I know there’s a lot of buzz going on about FedRAMP Equivalency, what is FedRAMP Equivalency. I wanted to do something a little bit different today. I brought on the show one of the key members in the GRC community, Michael Rasmussen.

I’ll let him introduce himself in a little bit, but I wanted to get the take of FedRAMP equivalency. We’ll cover what it is and those kinds of things, but what’s the perception of the government and FedRAMP equivalency when it comes to commercial GRC operations? Because as you’ll learn, Michael covers a whole breadth of different types of GRC operations, but FedRAMP has its own nuances and things like that.

So let’s get right into it. So Michael, welcome to the show. How are you doing today? 

[00:01:33] Michael Rasmussen: I’m doing great. It’s a pleasure to be here with you. 

[00:01:35] Max Aulakh: Michael, for those who are not familiar with your background, a lot of our listeners are in the public sector and those kinds of things, Do you mind sharing a little bit about the areas that you cover, different GRC topics, just tell us a little bit about yourself.

[00:01:51] Michael Rasmussen: Certainly. Well I’m Michael Rasmussen. I’m an analyst. I’ve got 31 years total experience and 24 of them as an analyst. Gosh, in the 90s, I was focused completely on IT risk and compliance and security. Started off in manufacturing and leading an IT department. And then was a senior network security administrator for a life sciences slash healthcare type firm.

And then moved into the consulting world and led a security and risk consulting practice in the Chicago-Milwaukee market. I started the ISSA, the Information Systems Security Association, Milwaukee chapter, was their first chapter president, and got on the international board of the ISSA. And so with my role, I was the vice president of standards and public policy.

I represented the ISSA members to DC. So I sat on, I was the co-chair of Congressman Putnam’s Corporate Information Security Working Group, wrote a paper on information security for the Joint Economic Committee of Congress years ago. And, but during that time, Steve Hunt was the Chicago chapter president of the ISSA chapter.

And I kept answering some of his questions on IT compliance and policies and things. And he said, why don’t you come work here? ’Cause he worked for Giga Information Group. So Gideon Gartner had left Gartner Group to start Giga. And Steve worked for him. And so, I got hired by Giga, which a year later got acquired by Forrester Research, and spent seven years at Forrester as one of their top analysts.

I got their award regularly. And my claim to fame is in February 2002, I defined a model to market for software and labeled it GRC, Governance, Risk and Compliance. I left Forrester after seven years and have been competing against Gartner and Forrester as a boutique for the last 17 years. I just like to think that I’m easier and cheaper to work with, but in that context I define my job as research.

I research what are the challenges companies face in the context of governance, risk management and compliance, and how do they go about solving that with strategy, process and technology.

[00:03:45] Max Aulakh: That’s awesome, Michael. You definitely have been around the industry and, that’s interesting that, you know, you’re, you’re competing with Forrester.

I know you prefer them over, over others, because you’ve referred me to them, which is, which is kind of cool. That’s awesome. So let’s get into this FedRAMP thing. So Michael, in your cross, in your world, right, which is very broad GRC, but you’ve got some depth. When it comes to information security side of GRC.

Have you heard about FedRAMP? Who do you think it’s for? Some of your folks, are they, are they reaching out to you or is this a pretty nascent new topic? 

[00:04:18] Michael Rasmussen: No, this topic’s been around for 13 years now because it started in 2011, if I remember correctly. But, you know, and so FedRAMP’s got a lot of interest within government, of course, itself, but particularly with the different cloud service providers for GRC software and other software to be able to do business with the federal government.

You know, FedRAMP itself stands for the Federal Risk and Authorization Management Program. Basically, you know, it’s an initiative led by our U.S. federal government to promote the adoption of secure cloud technologies for federal agencies. It provides that standardized approach for security assessment, authorization, and continuous monitoring for the cloud services that are engaged by the federal government.

You know, so the target audience for FedRAMP includes those cloud service providers, whether that’s federal agencies, to ensure that services meet the various stringent requirements. ’Cause there’s different levels of, of requirements. So the most focus on that moderate level that aligns with U.S. federal cybersecurity standards.

[00:05:15] Max Aulakh: That’s awesome.

Yeah. I think you know, right now when I look at this, Michael, 10 years. There’s like only three to four hundred products, roughly speaking, that are credentialed to do this. It’s not...

[00:05:28] Michael Rasmussen: ...an easy...

[00:05:29] Max Aulakh: ...process. It’s not easy, right? It’s not easy. But some of the larger cloud players, Amazon and AWS, and they’ve gone through this, right?

So now, there’s all of these platform providers and SaaS companies, innovative products that are building on top of the existing. Man, they find it very, very challenging, really expensive to kind of get through, you know, get through the process, get through the hurdles, those kinds of things. So a lot of complexity, there is, there is, I guess, even though it’s been around, when we look at this, there’s a catch 22.

It’s like, In order for you to be FedRAMP certified or accredited, you need a government sponsor. In order for the government to sponsor you, you have to have a contract. And then in order to get a contract, they always point back to, you gotta get certified. Right? So it’s kind of a catch 22. Or a chicken and egg.

A chicken and egg. Right? You can’t get here until you get there. So with that, right, and then the other, the other challenge is the FedRAMP program office, it’s only about 20-30 people. So imagine trying to, trying to regulate the cloud, the entire cloud of the U.S. government, with like 20, 30 people.

They’re, they’re severely understaffed and those kinds of things, right? So along comes the FedRAMP Equivalency Memo, which is not a new directive, it’s just a clarification. Michael, have you had a chance to kind of take a look at the memo and what it, what it says? Because I think it’s really helpful for a lot of companies.

[00:06:58] Michael Rasmussen: Oh, most definitely. Yeah, I’ve looked at it. And I mean, as I mentioned, FedRAMP has been around since 2011, under the General Services Administration; 2011, it would have been the Obama administration. You know, the program, you know, is really aimed to support the cloud-first policy to promote cloud adoption while maintaining, you know, particularly the high security standards across the federal government’s, you know, IT landscape.

But, you know, as you mentioned, you know, FedRAMP authorization, the process is quite stringent, and it’s very, very resource intensive. Cloud service providers, you know, face challenges such as lengthy assessment processes, and the need for significant upfront investment in both time and money. You know, small businesses, in particular in this cloud space, you know, struggle with that financial burden because costs for achieving certification can often exceed a hundred thousand dollars.

And that’s not including the ongoing compliance and recertification costs. And so there’s a lot there. And as you mentioned, there’s a lot of bureaucratic hurdles. You know, securing a sponsorship letter that’s a prerequisite of the FedRAMP certification process is very challenging. You know, that requirement can create a significant barrier for new entrants and innovators in the cloud service market.

We’re back to that chicken and egg. You know, you need it, but what comes first? And so now we have this you know, the FedRAMP equivalency that you brought up in that whole memo. So FedRAMP equivalency is that concept that allows cloud service providers to demonstrate compliance with FedRAMP requirements through alternative methods, such as third party assessments, instead of undergoing the full traditional FedRAMP process.

Although this can be quite challenging, particularly in the areas of Department of Defense, in my understanding. In those areas, there’s some that require the, the full FedRAMP, like moderate authorization; the moderate authorization is like 300-some controls in it, back to NIST 800-53. And so the, the, that moderate authorization is a very rigorous process.

And so FedRAMP equivalency is sort of, I don’t want to say light, ’cause it’s still the same controls, but it’s the same level of assurance as the, the actual full authorization. In some of the DoD areas, it actually requires that full authorization. And then, so the equivalency might not get you in every, in every door that you want to knock on.

So by, but the approach for FedRAMP equivalency can involve leveraging existing documentation and security practices around those 300-some controls for that moderate level, potentially bypassing some of the more onerous and costly elements of the standard certification path.

[00:09:31] Max Aulakh: Yep. I think the main key is what type of things that it reduces, right?

Because the process is so onerous. And you’re absolutely right, because, especially with the DOD, so, we have civilian agencies that may not need a higher level classification. But the DOD, especially if you’re a cyber company, or do anything with the military, with the different conflicts that are ongoing, you’re gonna need to get into the classified space.

And this is just the beginning. But a lot of people, they don’t even know where to start, because they don’t have a sponsorship. So, in my view, what I took out of this, Michael, is that: get all this stuff done, don’t worry about the sponsorship, do the right things, and then when you’re ready, get it checked out by your third party assessment organization, your 3PAO, package it up, and then bring it to us, instead of...

[00:10:20] Michael Rasmussen: So are you saying it’s like a field of dreams?

You build it and they’ll come? 

[00:10:24] Max Aulakh: Well, not, not a build it and they will come. It’s just the excuse that I always hear is, well, I’m not going to do it until they tell me to do it. It’s like, well, you know, they’ve already told you they’re like, well, no, I need to not, I need a sponsorship letter. And the government is saying, we’re too busy.

We don’t understand the sponsorship process. Everybody keeps pointing to each other. Like the contracting officer says you need to be authorized. The security officer says, well, you need to have a contract. So this is not, I don’t see it as a new directive. It’s just a clarification to say, get this stuff done and get it approved by a 3PAO so you can actually bring it to us.

[00:11:02] Michael Rasmussen: Yeah, and one of those goals of all this is, you know, the, and the importance of this equivalency memo is the flexibility and accessibility. You know, the equivalency mechanisms are absolutely crucial for providing a more adaptable, accessible, I would say agile framework. For cloud service providers, enabling them to meet the, you know, federal requirements again at that moderate level where most of these are, there’s 300 some controls without the full burden of that traditional FedRAMP process.

And this really enables these cloud service providers, particularly, you know, the smaller ones or those with limited, you know, federal market experience that is trying to get into it to participate in federal procurements. Programs and expanding the government’s access to really what might be innovative and new cloud solutions out there.

But you know that that challenge of it all is maintaining those security standards while offering a lot of agility and flexibility that the equivalency still upholds critical security standards, ensuring that all cloud service providers servicing federal government agencies maintain robust protections and controls.

For sensitive government data. So I think an important thing is, is you just don’t do this once, get by and, and forget about it. There’s a lot of maintenance that’s also involved too. Cause as your business evolves and grows and things. These all need to be in place. 

[00:12:18] Max Aulakh: Yep. Yeah. I, and I think as part of that agility, right?

A lot of smaller organizations, they’re already doing something. They’ve got SOC 2, they’ve got ISO. They’ve got other standards and equivalency kind of allows you to take some of those. And say, okay, where can we have a little bit of flex because the 3PAO can kind of create that flex getting to the actual material risk, not just the paperwork.

That’s how I kind of see it. It’s like, okay, the whole FedRAMP package is probably 2,000 to 5,000 pages long. Whereas a, you know, an ISO package might be a hundred pages. All right. So what, what is the actual material risk when it comes to cyber? Let’s create paperwork around that, versus by default, you got to have 5,000 pages.

You know, ’cause it’s hard to document everything that is actually happening on the cyber front. And that, that’s really what the most difficult thing about FedRAMP is. The normal FedRAMP process is extremely arduous because of just the documentation rules.

[00:13:19] Michael Rasmussen: Some of the pros for, you know, the equivalency process, sort of summarizing what we were just going through.

The pros, I mean, it increases the number of, you know, compliant cloud service providers and encourages, you know, the technological innovation within the federal government by reducing those barriers of entry. The equivalency lowers the cost for cloud service providers and government agencies. The, the cons, you know, risks include possible variations in the amount of rigor of compliance assessments, as you mentioned, something like ISO 27000 versus, you know, the full authorization process,

challenges in maintaining uniform security standards and in their interpretation of that and with that potential ambiguities and what constitutes sufficient equivalence. 

[00:14:02] Max Aulakh: Yeah. If they don’t have a security officer, somebody with, with knowledge on how to interpret controls with the right level of fidelity, right level of depth, and they come from a commercial background, they’re going to have a very hard time because the government, you know, is a very dense vocabulary.

They will say one thing and it means a lot of different things. Whereas, whereas a commercial standard might be pretty lightweight and interpreted to basically minimal standards and the government is exact opposite of that. So those are some of the things I think organizations need to, you know, watch out for when they’re applying for this equivalency.

But overall, Michael, you know, when I look at the opportunity for businesses, a small business award in the government is like 5 million or less. Whereas a small business award, and you know this as a, as a CEO. You know, that could be a couple thousand dollars, so there’s a big difference in the opportunity for those that are looking to invest into this kind of thing.

[00:15:00] Michael Rasmussen: Very true. And so basically, I mean, this whole target audience for equivalency is those smaller to medium sized businesses in the cloud sector, you know, that can, might find the cost and complexity of the full traditional FedRAMP prohibitive to them. They can’t break in. So, and this really enables, you know, innovative, newer technology companies that can, to be able to really meet the security standards, but lack the traditional pathways and relationships for securing FedRAMP’s full certification, as that complex process, as you outlined a bit ago you know, highly specialized cloud service providers, you know, often focus on niche services or emerging technologies like cloud services.

We’ve seen this last year with AI and things that rapidly evolving, it may not immediately align with existing FedRAMP guidelines. And so equivalency basically allows this more agile framework to enable those small to mid sized businesses to be able to leverage and introduce those new technologies to federal government while maintaining some semblance, or I shouldn’t say semblance, that sounds a little negative, but maintain security controls and standards.

[00:16:05] Max Aulakh: Yeah, I think Michael, the smaller businesses are going to win out on this, because if you’re an Amazon or an AWS or Microsoft, any of those, you’ve already invested millions, you have, you have a big team. But most small businesses, let’s say even under a billion dollar enterprise, that’s solely focused on commercial business.

You’re going to have a hard time justifying why should I even spend 5 million or 10 million if you have no federal revenue whatsoever. So I, I think the small businesses, the smaller, more innovative cloud security provider or, or cloud services providers. Are really the ones that are going to primarily benefit from this, and there’s a lot going on in that space, right?

Like, our warfighters, they need the best of the best technology, so how is it that the commercial side can have access to open AI and, you know, some of the best drones out there for racing and recreational purposes? So how do we get that in the hands of the, in the military, when you have a very crazy, rigorous process like this, you know, that can delay it by years that can delay innovation by, by years.

[00:17:12] Michael Rasmussen: I mean, we need agility and that’s what is important to one aspect of this. We need resilience, that ability to find issues, contain them, recover from them. And if we have a security hiccup or issue, it remains small and gets addressed because we’re monitoring those controls, and getting that validation and assurance on controls through the FedRAMP process.

So there’s the resilience aspect. We also need that agility. How can we leverage technology? How can we make it, the federal government, agile in leveraging technology while still maintaining security? That’s a hard one.

[00:17:42] Max Aulakh: That’s really, it’s really difficult, but I think FedRAMP equivalency is the way, right?

It’s there, the, the government wrote this memo with that sort of intent. The other thing, Michael, I found interesting in that memo is around information that the government is interested in sharing. So if you are building some sort of a platform where, where you need access to CUI, controlled unclassified information, or covered defense information, by the way, this is all unclassified type of information.

So if I, if I needed Raytheon or somebody else to build me a jet, I need to give them specifications. Right now, drones, particularly, and, and similar types of things are being commoditized. Hardware is becoming cheaper and cheaper. So, how can government share, That type of controlled information. That’s why this equivalency came out.

That’s my belief and it’s actually listed on there as one of the information types they care for because the government cannot provide requirements without you Wanting to secure them or without you providing an assurance that they are secure so they don’t end up in the adversary’s hand or overseas So, I think for smaller players that are trying to get not just access to the market, but also trying to receive information, because government most often will give you a contract, but then you don’t have full information, because you can’t really build things without a complete requirement analysis.

So this FedRAMP equivalency really allows the government to kind of openly share unclassified information with industry. That was one of the big takeaways from their perspective in terms of, you know, what’s the benefit to the government in terms of them using this equivalency rule. So with that, Michael, I want to kind of summarize, you know, as an analyst from your side, right?

There’s people that are listening in for, from the public sector. They’re familiar with the normal FedRAMP side of the house. What do you think are like the top key takeaways? Then I’ll summarize my key takeaways. When it comes to like, why should the government leverage this and what’s the benefit for, you know, for, for somebody looking at FedRAMP, how should they leverage this as a cloud provider?

[00:19:53] Michael Rasmussen: Certainly, I mean, to me, it is about balance and providing balance to the force here because you want to enable the federal government agility to adopt new technologies and be innovative. Particularly in this, you know, very complex world we’re living in right now. We want to equip and enable the federal government, but at the same time, we want some level of security.

So a FedRAMP equivalency memo tries to balance that. But there are certain aspects of federal government that definitely need that deeper authorization out there, and I think part of the theme is understanding that there are nuances between full FedRAMP moderate authorization and the moderate equivalency.

You know, they are not the same. The equivalency leverages stuff from the, from the authorization, but it is not the same process. And so for those that want to be able to work across the range of federal government, maybe the equivalency is a stepping stone to be able to get them into and through the deeper authorization process for the more sensitive areas.

That will require that, you know, there’s some distinctions also with FedRAMP and CMMC, the Cybersecurity Maturity Model Certification. While they both serve to enhance cybersecurity, their scopes and applications differ. You know, CMMC focuses more broadly on cybersecurity maturity across all DoD contractors.

While FedRAMP specifically targets cloud services used by federal agencies across them, beyond just the DoD, Department of Defense. Some other things to be aware of is, you know, recent policy changes seek to harmonize frameworks where possible, you know, to acknowledge, you know, the overlapping security concerns and compliance requirements and controls, especially for DoD contractors using cloud solutions to be enabled to handle sensitive information. But, you know, as far as the future outlook, you know, the Department of Defense, from my understanding, has expressed intentions to engage more closely with industry to clarify FedRAMP equivalency policies and better integrate, you know, those cloud service providers into the defense industrial base.

Upcoming, you know, consultations in this area will likely address industry concerns and refine the equivalency process to ensure it meets the needs of both security and innovation. That agility that I was talking about. Within the federal contracting ecosystem. 

[00:22:04] Max Aulakh: That’s awesome. Thank you, Michael. I really appreciate it.

And I so wish you did not bring up the CMMC because that is a whole different can of worm that I’d love to dive deeper into considering that is quite a bit of work that we received for, you know, from the market, just, you know, how do we get through the CMMC side of the house, but you’re absolutely 100 percent right.

That whole issue around ability to share information, the type of information that the government wants to share, DFARS or CUI type of information, covered defense information. CMMC actually started all of that. And I think the FedRAMP equivalency, it’s coming out of the Department of Defense. That’s their way of getting ahead,

you know, getting ahead of the same problem. So my big takeaway from this is that this, the FedRAMP equivalency, clarifies kind of the lack of, when, when you don’t know what to do, when there’s no sponsor, when you don’t know who to call, what agency to call. It explicitly lists out the activities, the documentation and who you should have involved, and kind of sets the parameters of what the expectation is.

In a two page document or less, which is very rare from the government to do anything within two pages. 

[00:23:20] Michael Rasmussen: You know, I, I know it’s, it’s not federal government specific. I mean, out of the government from the regulators, but you print out the U.S. Code of Federal Regulations. Oh, man, you stack it. It’s longer than a marathon.

It’s like 28 miles. 

[00:23:35] Max Aulakh: Yeah. Yeah. That’s a lot of trees, right? So I love that aspect of it, Michael, is that, you know, people that are interested in learning about this, they’re not going on a hunt in, in the CFRs, in the code of federal regulations. Because when you go out to the FedRAMP website, it’s thousands of pages.

Alright, give me a summary. What do I need to do? So for what I really loved about this is that it simply lists out line items. You can create a neat, really neat, nice project plan. At a senior leadership level to say these are the things that I should be doing verbatim. That’s what they’re written out.

I know that is such a simple thing, but that’s a that’s a really important thing when it comes to dealing with the government because of gobs of information. So that’s that’s one thing I took away. The second is that it allows you to work without sponsorship, so not a build it and they will come, but more of.

Get to work and if you have the intentions of going into the public sector, if you are investing, you have a sales team, you have a marketing team, you have people at the hill talking, you’re already investing in the public sector. Here are some of the things you should be doing in parallel because you’re going to run into these.

Sooner or later. And I love it, Michael, that you said, this is a stepping stone. Right? It’s a very excruciating, painful journey. I think everybody that works with the government knows that. But at the same time, everybody is looking for their first win. And, and right sizing the level of investment and effort.

So this is that first stepping stone. It makes it easy, you might even get through it so fast, and then be able to work with the government to get on contract, to convey to them that there’s enough assurance in place to do some sort of a rapid contract with you. Government does that all the time. So that’s, that’s kind of my, my key takeaway from this particular memo.

Yep. Yep. Oh, go ahead, Michael. And I said, yes, I’m green. Awesome. Awesome. Well, Michael, I wanted to thank you for coming on. This is a very short knowledge nugget based kind of a webinar or, or a podcast. So for those that are listening, we thank you guys for tuning in. If you got any questions, drop comments, connect with Michael and myself on LinkedIn.

And until next time, thank you so much. Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com/reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.