Introduction Call and Initial Thoughts
Participants
Nathan S. Case | Security Advocate @ DataDog
- Background doing DOD work at AWS for about five years
- Helped many customers go to FedRAMP High and IL 4/5
- Worked a lot with DOJ/ATF regarding AWS services
- Looking to help more than anything else
- Presently talking to DOD leadership about some new programs to help with FedRAMP High sponsorships.
Julie Davila | VP, Global Field CTO Ops @ Sophos
- Diverse engineering background
- FedRAMP Moderate via DOJ with email startup
- Sponsorship obtained via prior relationships developed at a cyber gov contractor; owners were investors
- Noticing many CSPs starting to say "no thanks" to the fed market
- Met with Brian Conrad, who shared PMO ideas to make it easier to inherit controls from other compliance bodies and make it possible for CSPs to have one env instead of "one for fed" and "one for everything else."
Sara Mazer | Fed CTO @ LaunchDarkly
- Background in engineering
- Prev at MarkLogic as Dir of Civ Solutions
- Been mainly focused on fed, one of the first LaunchDarkly hires for gov programs
- One of the folks that convinced the board to go through FedRAMP
- It took three years internally to get to ATO
- Presently looking toward High sponsorship
- Happy to help with discussion and collaboration in any way
Craig Thiesen | GRC @ Gong
- My current employer is Gong, which is not in the Fed space at all
- Prev at Salesforce, where he led FedRAMP and DOD programs on the GRC side
- Including interactions with PMO and agency and managing internal sales expectations
- Experienced with expanding ATOs, like with M&A and standardizing on FedRAMP methodology (Mulesoft and Tableau as examples)
- Happy to offer help and connections
Rob Brown | SVP and CTO @ Systalex (fmr USCIS CTO)
- Working for PE firm, installed CTO for an acquired portfolio company
- Mostly civilian-fed work at the moment
- Recently left DHS as CTO of USCIS
- While a govie he brought in many platforms (inclusive of sponsorship), leaving the agency with about 90% of prod workloads in the cloud
- Experienced with FedRAMP on the fed side, helping companies like Adobe and others get FR'd as a sponsor, but also worked with the agency CISO to craft programs to help companies move faster.
- Expressed that many fed-side challenges boil down to money and resources.
Chuck Kesler | CISO @ Pendo
- Prev CISO at Duke Univ Health Systems
- lots of FISMA assessments; a close FR cousin
- Prior Symantec too, primarily commercial space there, light on gov
- With Pendo, he's in the later parts of the FedRAMP journey
- Working with a 3PAO now
- Been about a 3-year journey
- Discouraged leadership initially from pursuing FedRAMP due to anticipated lift; would have preferred to invest in some other initiatives that would lay a better foundation for FR in the future.
- Pendo had decent fed interest early on.
- Some agencies are interested but aren't willing to be the first sponsor for a vendor.
- 4.5 years at Pendo, growing from about 250 to 900 people in that time
Tim Anderson | VP GRC @ ID.me
- Many years with AWS in security
- Worked with Nathan Case on many projects
- DOD/Civ consulting in the past
- Currently runs a FedRAMP Moderate auth'd system
- At AWS had lots of convos with PMO on advocacy and process certification
- I got a good view of how a big cloud player gets through
Nick Vigier | CISO at Talend (pending Qlik acquisition)
- Data integration company
- Was in the process of pushing FedRAMP until they were acquired by a TB company
- Qlik just finished FR Moderate and IL2/4, and will be resuming the journey there
- Before was at ID.me as CISO going through the FedRAMP journey
- FR novice but understands the value of prop
- Worked at CoalFire on the exec advisory side
- CIO at a crypto exchange and other companies
Mike Lyons | CISO @ Collibra
(Mike wasn't able to make the first meeting, but these are the notes from his initial conversation with Julie)
- I was at SNOW, second to get JAB
- I went through FISMA first
- GSA was a customer
- PMO decisions can feel arbitrary
- Sponsorship found through sales reps
- FAA was wishy-washy with sponsorship
- Tennessee Valley Authority was a sponsor
Chris Bates | CSO and acting CIO @ SentinelOne
(Chris wasn't able to make the first meeting, but these are the notes from his initial conversation with Julie)
- JAB ATO is a goal, to minimize ConMon overhead
- Challenge: Agency sponsor accepts risk, PMO rejects it
- Challenge: PMO inconsistency about expectations
- Challenge: OSCAL has been tough. Submitted a High package in OSCAL, and the PMO is struggling to review/use it
- Challenge: Notices much variability with sponsorship appetite
- Approach: Does two environments: fed and "all else."
- Approach: OPM moderate sponsorship obtained through sales efforts
- Approach: Commerce for high ATO
- Approach: On-prem capabilities are not a factor in securing sponsorship
Chris Hughes | CISO & Co-Founder @ Aquia Inc
- Former GS 15 Technical Representative on the FedRAMP JAB at GSA
- 15+ years of DoD and Federal Cyber experience
- Been working with Cloud for six years in DoD/Federal across all classifications and Impact Levels
- Author of Cloud Security Alliance (CSA) Cloud Incident Response Framework and SaaS Security Best Practices whitepaper
Notes
Taking our experiences and ideas public
Tim mentioned that we ought to acknowledge the risk that what we do will upset the PMO, which can often become vindictive in their actions.
Nick also agrees that there is a risk of the PMO being vindictive and that it can seem mood-driven at times.
Sponsorship
ID.me was blocked from JAB sponsorship due to too many external service providers, even though this cap is not documented or mentioned anywhere. Getting a JAB ATO would save them a lot of time and energy.
LaunchDarkly faced the issue of "who does ConMon," with DoD not wanting to be on the hook for ConMon for CSPs with agency ATOs. Additionally, Sara has witnessed Moderate CSPs getting JAB ATOs, contradicting prior positioning.
Advocacy and Interest Groups
Tim brought up the Cloud Provider Interest Group, and Craig confirmed that it still exists and has regular meetings. Historically, this seems to have been "the way" to engage neutrally with the PMO.
Julie mentioned the FSCAC advisory board being launched, but a few group members expressed concern over the relatively limited representation.
Feds
Rob mentioned that the feds have a high appetite for new technology, but the challenge is in the priorities. Those familiar with the FedRAMP process know it's inefficient and tend to "throw their hands up." The questions become: how do we get forward-thinking federal leaders engaged (even ITPMs), and how can programs be better crafted to enable CISOs to sponsor CSPs?
Nathan mentioned that a former USAF CISO expressed appetite to create a program via AWS to help partners more easily obtain a FedRAMP ATO.
3PAOs
There was a broad and pervasive dissatisfaction with 3PAOs across the group.
Chuck expressed frustration with expensive feedback loops between Pendo <> 3PAO <> PMO, where the 3PAO would have to backtrack or otherwise materially change prior suggestions, costing a lot of money in FTE time. He has even gone through multiple project managers on the 3PAO side.
Tim mentioned that a significant causal factor is that 3PAOs, across the board, have been experiencing a dramatic drain of talent and are left with many inexperienced folks to do advisory and audit work. He also mentioned that there had been substantial QA turnover at the PMO level, causing problems for 3PAOs, who can find themselves in untenable situations that can't be quickly remediated.
While Sara was actively involved in the 3PAO interview process, the final decision wasn't hers to make, and it ended up being a disastrous relationship anyway.
Nathan agreed with the sentiment and clarified that it's not an issue of an individual 3PAO but a broader industry issue, and that it's a spinning dart board overall in that it requires pure luck to get a decent 3PAO.
Incubator/Startup/Foundation Idea
Rob brought up the idea that perhaps a small group could be created that could create coordination across DHS agencies to have a shared FedRAMP sandbox environment.
Nathan pondered if C1 or Vespen could be augmented to do this.
What is Vespen? A USAF program to do POCs, trial wares, etc., for field operational stuff. It is a "backdoor" to the government. Multiple other groups have something similar.
What is C1? A multi-cloud service provider that USAF created a long time ago that is inclusive of Azure, Akamai, and AWS. Used for rapid software evaluations. Two low-security zones are easy to get things installed into. It makes sponsorship easier because C1 onboarding is akin to an early vetting process.
Sara expressed concern that this would be only half the battle in that it wouldn't address ConMon pain points for feds or CSPs. Rob agreed with this concern and mentioned that many CxOs in Fed are leaving after six months and that time, funding, and energy are in short supply. Even though Rob created multiple frameworks to improve this, they never took off.
Nathan mentioned that there is likely to be high interest from ODNI and DHS. Rob agreed and said that Dept of State is also hungry for this and can broker many introductions at the C-level to make something happen.
Rob brought up that we need to be prepared to do a lot of automation with minimal buy-in on the gov side.
Nathan thought that a VC firm like Plug and Play would be interested in funding something like this. The idea would be to do something like what Wavv is doing with NATO. Nathan is connected with Wavv's CEO, who might be a good PoC for the group.