In the system where EverLaw tracks the features and whatever the engineers were working on, there were over 100 tickets in there — or feature ideas and functionality that we were going to implement that all required Dev resources. They range from simple things like adding a banner that you’re entering a federal environment to very complicated things.
That was Lisa Hawk on the a16z podcast, “What to Know About FedRAMP.” Listen to the whole thing. FedRAMP, of course, is the set of regulations surrounding government security when it accesses cloud computing. For EverLaw, it required more than a hundred DevOps requirements to reach compliance, and required about 9 months to a year of work. To put that in context, it is estimated that EverLaw brings in about $15 million a year with a staff approaching 145. Here’s more on the burden to a small business:
When we started, it was just myself on the security team, and we had our engineers involved in scoping and looking at how much work we thought it was going to be, and then over time we brought on a DevOps person, we hired a couple people onto my team, but again none of us have been doing it full time. So it’s probably been a core group of five people working on various elements of it and then when we were doing the push to complete a lot of the technical and engineering work we brought in other engineers.
Lisa described how her team tackled FedRAMP and GDPR at the same time — and though she wouldn’t wish that upon anyone else, there were some synergies to be had. But that core group of 5 people represents perhaps 3-4 percent of total personnel, and then we can only speculate what the peak staff was during the crucial DevOps phase. But it’s not just internal personnel, there was also the cost of hiring consultant:
Even with all of the program documentation we had at EverLaw… we still needed to engage a consulting adviser to put together the system security package [SSP] — it’s of course a template that you can pull down from FedRAMP.gov, and since we’re an AWS customer, and we inherit a lot of the cloud infrastructure controls from AWS…
Our full SSP without the attachments, with the implementations described, is around 500 pages, but the template itself even without those is 30 or 40 pages with all our info. It’s a big lift to do that, so we found we could spend some time talking with a consulting adviser and they would write it up and we would QA it. So instead of us doing that big lift, they would do it for us.
That 500 page system security package is in fact a living document to be updated with the system. Luckily they inherited many controls from Amazon’s cloud service. One question is whether FedRAMP helps lock in an oligopoly of cloud providers like Amazon, Microsoft, and Oracle. Presumably, it would be very difficult for a competitor to break in at that level. Moreover, once companies get FedRAMP certified on one platform (e.g., AWS), it would be very costly for them to migrate if only because of updating their system security package.
Here is another important point:
The first thing is that if you have a motivated federal agency, that’s going to be the biggest factor that pushes you ahead or slows you down. If you’re in a place where a federal agency has already expressed interest in your product or you’ve been in conversations, and they’re motivated to be your partner in the process and give you the confidence you need to make that financial commitment — because it’s going to take internal resources which has a cost.
From the sounds of the podcast, the cost of complying with FedRAMP isn’t prohibitive. But the biggest barrier seems to be finding an agency partner who already wants to get the company on contract and is willing to put time into the process. That is no small task. It implies that the company looking to access the federal market is already quite mature, with a well defined product or service that also meets government needs. Getting to that point seems to be most of the hard part.
Leave a Reply