The Cyber Compliance Market

Recently, someone asked me to quantify the federal cyber market. 

FedRAMP is now a law that underlines the Government’s Cloud first mandate. After years of ambiguity and excessive costs to become FedRAMP certified and demonstrate data protection controls based on an agency’s needs, the law now sets a level playing field for mid-size service enterprises who want to tap into the Federal market. The new law puts in place a system of reciprocity, which allows federal agencies to certify vendors and get the same level of data protection more easily.

While this law is appealing, the certification rules have not changed. Readiness is still a mountain to climb, even with an understanding of the intent of NIST 800-53 controls and their applicability to the service provider’s environment. While the NIST requirements are complex, the ability of cloud security architects and DevOps teams to design and implement the service within an approved boundary with appropriate data controls is no small feat. The demand for these cloud security professionals is very high.

Once you are FedRAMP certified, continuous monitoring is an ongoing program: you carry the burden of providing reports that cover incidents, security events, and vulnerability scans, while ensuring that new product features don’t cause a “significant change”.

“Let us do the numbers” from my favorite NPR show Marketplace by Kai Ryssdal.

  • While 2022 saw the federal government spend over $11B in cloud technologies, the new bill signed in Dec. 2022 increases the spending
  • The Federal market is a long-term revenue stream with a market of 440 agencies          
  • Government agencies in 10 states have adopted FedRAMP and renamed it StateRAMP
  • FedRAMP is the security gate that will open the gates to these agencies
  • FedRAMP requires validation from a pool of 40 3PAOs
  • The lack of cloud security and application security professionals will further strain service providers’ ability to get certified quickly

The numbers are interesting, but where do you start?

  • Does your compliance team or security team understand the NIST security framework?
  • Is your commercial cloud deployment aligned to security benchmarks or regulations?
  • Don’t let the 1000 controls of NIST intimidate you. These are common sense cyber hygiene controls, broken into domains, that your information security team has probably implemented
  • 3PAOs can offer guidance, but your FedRAMP readiness team should have cloud security engineers who can map current security tools and processes to NIST requirements
  • While AWS, GCP and Azure offer “FedRAMP Ready” GovCloud, see if it makes sense to implement your cloud software in the GovCloud and continuously monitor it
  • This is not a security tool game or a FedRAMP ready “blueprint” but an assessment of your security controls and processes to meet a slightly higher security requirement

There is a small battalion of certified assessors who can provide guidance and certification. The shortage of certified auditors is increasing timelines, as many of us are now getting ready for CMMC, a DoD mandate that impacts 300,000+ DoD subcontractors in 2023.