This call largely centered around what folks hope to do with the group.
Julie’s kickoff prompt
- Our core purpose is to help make FedRAMP better for everyone. This comes in the form of knowledge sharing (internally/externally) and some innovation (like the DB we've started working on).
- As of right now, we have
- Published one paper covering big challenges with FedRAMP
- Consistently held bi-monthly meetings that have been quite rich in terms of interaction
- Hosted FedRAMP's Director, Brian Conrad
- Host CISO for CMS Robert Wood
- However, a part of me feels we could perhaps do more (or differently) to provide more value to our group and perhaps to the broader community
Some open questions for the group:
- What do you wish we could do that we currently do not?
- When you first signed up to be a member, you probably had an idea for what you'd like get from the group.
- How has that differed from reality?
- What constraints exist for you that limit your ability to participate in meetings/discord/etc?
- Anything else?
Alfed - Curious on DB
- Nick V: Painful process and not wanting to do it again. Knows will do it again and keeping up to date on how people are experiencing this on how he might be able help
- Alfredo Hickman: CISO Appidian security. Been in market for a few years. Considering FedRAMP moderate ATO interest. Team is tasked with FedRAMP strategy development. When started digging, it seems so complex. Lots of delta between advisors. There should be a better way for innovative CSPs to enter the the federal market.
- Brad S: Having provided guidance 100s of vendors. Thinks we should make ourselves more visible to the community. Try to get the JAB and PMO to know us better. Start talking to some private equity groups that work with many software startups about portico’s.
- Alfredo H: Can help with VC intros
- Brad S. Decode folks about fed ramp; we should chat
- Brad: likes the idea of office hours
- Distro list to help VC/PE porticos
- Alfredo: Could put together a roundtable greylock/etc bring in various advisory board members ciso/CTOs to discuss FedRAMP challenges.
- Julie: Potential revenue stream
- Nick V: Interesting => LinkedIn blast, divested interested other than wanting to help. It’s hard to get unbiased advice.
- Alfredo wished this existed 18 months ago
- Nick: huge community need
- Lucas H: Document common questions
- Tariq A: Has known julie for many years. Deals with FedRAMP a lot. The same question gets different answers. Info sharing + improving the process itself. A2LA has made it more difficult to get smaller companies as 3PAOs. Limited pool. Charge a lot, poor info of success. How do we help FedRAMP PMO improve that process.
- Simply making difficult. Cost and process explosion. Before you apply, you need to be in their program for a year (no commitment on their end) then they decide.
- FSCAC potential collaboration point
- A2LA has a single source contract, no other accreditation agency for 3PAOs
- Brad: Do not necessarily need a 3PAO
- FedRAMP might not implement cATO
- Richard: Leads a 3PAO FedRAMP practice.
- Sr Assessors need CISSP
- Rev 5, each assessment needs to document that you have a qualified team
- Baltimore Cyber Range is a requirement
- A2LA process is comparable to CMMC 3PAOs which also requires DibCAC. Tough from a staffing perspective.
- Timeline: All annual assessments in 2024 have to go through Rev 5, new assessments now are Rev 5.
- Migration is mandatory
- Recognizes there are competitive barriers to become a 3PAO
- Richard:
- Came because he is crop compliance officer. Groups that are related to that topic are of interest to him. Sat in on FedRAMP office hours. Meets with A2LA regularly..
- Highlight individual experiences via written/audio
- Reach out to Hyperscalaers that we exist
- Nathan: Nick M (AWS) might be out
- Minh: Curious if they’ll respond because of CSP-AB. Complained with them about their ATO requirement.
- Joining reasons: Wants to contribute and help the community. Bounce ideas around. Sanity check on stuff
- Julie: Moving to Slack. Starting with free version is viable.
- Non profit update.
- Lucas: Used otter.ai security concerns.
- Lucas on why joined group: Nice to not be alone in FedRAMP land; cool to be a part of. Fundamentally believes in FedRAMP mission. But there are a lot of problems. Believes we can make it better fundamentally. Everything that we’re doing is +1. A big problem is that FedRAMP is pay-to-play. StateRAMP is another story and a worse version. “Do once. Do many” is slogan but it’s currently broken.
- Tariq: When looking at package for re-use, every package is usually different, makes it hard for agencies.
- Nathan: How do we make that not true?
- Tariq: Training would be important. Standardize process to create guidance on optimizing for re-use. When you write SSP, optimize it. Big cloud have more info available because they have more resources. But if assessors/advisors don’t have that info, then they’re not going to write it properly.
- Alfredo: Recently, spoke to palantir on ATO environment. Marketing looks slick. Somewhat early stage some customers and investing. Cost is more a shift versus savings. Lose some of the freedom.
- Wrench: Dance around sponsorship, commitment, etc.
- Sponsor tablet
- Lucas: looking into something similar for CMMC; managed enclave
Â
Â