7/24 FAB Community Call

Attendees
Corey Brunkow
Julie Davila in WeWork
Sara in WeWork
Lucas Hogue
Tariq Alvi
Dan Shepherd
Drew Marmo
Nathan Case
Nick Miller
Rob Brown
Mike Lyons

Julie:
GitHub repository: Federal CAB OpenRAMP
Template is: Guidance Received
All markdown driven
Schema: Approximate Date, CSP, ATO Status, Guidance Provider, 3PAO, Description
  1. Can we create a beta test version of this?
  2. We will keep it private for now, just prefix with “test” or something.
What does it feel like?
We discussed recent challenges for CSPs using FedRAMP Ready applications, even those “approved” by ISSOs at agencies. The community basically agreed it is mainly for a CSP GTM strategy and difficult to use those within our own FedRAMP boundaries until ATO’d. Orca was the use case. We recommended Mike talk to the FedRAMP office at CMS: Shawnte Singletary or Robert Weiland. Mike is currently looking at an on-prem version.
Rob Brown: waivers were used in the past but times have changed. He has seen some gated for non-prod until ATO.
Julie mentioned a dinner with the DEA CISO last week: agencies don’t have a lot of transparency around 3PAO quality with regard to accepting pre-existing packages. Lucid’s 3PAO lost its 3PAO status after Lucid was given an ATO by a different agency; Moss Adams was the 3PAO, we think.
Mike Lyons hopes the database will show things that made it through but now are not. We think the history is there in GitHub, so there must be a Git history.
PagerDuty: can’t use the term “federal” in PagerDuty pages; must obfuscate most info other than “something is broken, go look”. Sara said this was acceptable, with PagerDuty outside LaunchDarkly’s FedRAMP boundary. LaunchDarkly was authorized while using PagerDuty with obfuscated info. Also similar issues around vulnerability scans and tying back to other assets.
Community discussion around password managers. You can’t use LastPass or 1Password. PMO said the fact that the passwords can be stored overseas, in China, is a blocker. PMO knew for almost a year LaunchDarkly was going to use 1Password and didn’t let us know this was a dealbreaker until very late stages. Julie mentioned using an AWS Secrets Manager open source tool; she will post if she finds it. Someone suggested Keeper: https://marketplace.fedramp.gov/products/FR2116544598
Someone (Mike?) commented that the FedRAMP program rewards the wealthy. It reduces diversity, with only wealthy vendors who can quickly add in FedRAMPed components like Cisco, AWS and IBM, but not smaller vendors. Community agreed.
Corey asked about general 3PAO market research: how best to make a choice and learn about the actual track record of success. This has been discussed in previous meetings and right now is word of mouth until we get the database up and running.
Recommended 3PAOs currently are: Fortreum, 38North (advisory work only?) or Schellman.
Julie to touch base with (Tim?) on recommended language/clauses to get out of contracts with 3PAOs.
Also, the AWS FedRAMP “accelerator” has caused significant delays: https://aws.amazon.com/marketplace/features/vendor-insights They can underestimate by over a year. Others with mixed feedback: Coalfire, Kratos.
Going from “In-process” back to “Ready”? Has anyone seen this?
From a PR standpoint, it’s not a good look to get ‘downgraded’ from In Process or temporarily lose your Ready status. No actual penalty that I’m aware of. Tends to drive your marketing and sales teams nuts, too, since they’ll need to change their narrative and marketing collateral. The 12 month countdown is mainly meant to hold agencies’ feet to the fire and not meant to penalize CSPs. The PMO office has granted extensions.
Marketplace is stored on GitHub (site generator), so there might be Git history.
Julie hopes for a CSP-to-federal-agency matchmaking service with this new org.
Nick Miller: wants to help with the matchmaking side, less on the technical side, more on procurement and fixing the sponsorship issue. Possible speaker for a community meeting; he will reach out to Julie.