B3 Group

Insights

Leveraging VA’s Best Practices for FedRAMP Success

MKTG Security Samah M Web

By: Samah Mahmood, Director of Strategy/B3 Group

Summary: The VA’s success expediting FedRAMP authorizations for dozens of SaaS products at a time stems from its decision to organize a nimble, dedicated, and centralized team around the accreditation process.

The VA’s success as a champion of FedRAMP

A leader among government agencies, the Department of Veterans Affairs (VA) has embraced GSA’s Federal Risk and Authorization Management Program (FedRAMP) with visionary enthusiasm, climbing sharply in the past three years to be the #2 most active organization using FedRAMP-approved products. As FedRAMP came of age over the past decade, VA demonstrated its commitment to the federal community by building an internal model around agency sponsorship, making the complex accreditation process more accessible for Cloud Service Providers (CSPs) and streamlining delivery for its VA users.

As a rule, CSPs need an agency sponsor in order to “play,” and since implementing the Digital Transformation Center (DTC) model, the VA has played a critical partnership role for many of these vendors. To date, the VA has sponsored 24+ products through full authorization (with many more in process), contributing significantly to the pool of products available for all federal agencies to use. The DTC also straightforwardly reflects the value of reusing approved products: at VA alone, 47 products are being leveraged by two or more business groups, and the DTC portfolio’s top five most requested products (Salesforce, Microsoft Power Platform, Box, Qualtrics, and Pitney Bowes Send Pro) serve an average of 70 business groups each. Adopting products that are already authorized typically reduces delivery time by a year or more.

Investing into the commons to put business needs first

VA’s strong stance on enabling FedRAMP adoption is part of a larger strategy to create a type of enterprise technology commons, where business needs can be met more quickly thanks to a growing tradition of IT sharing and reusability. This commons environment is centrally endorsed and makes available—explicitly for purposes of sharing—not only authorization packages, but also many subject matter experts, support staff, enterprise contracts, and knowledge documentation for the broader DTC program.

The word “commons” is probably best known as part of the phrase “tragedy of the commons,” and while consequences may be more tragic for scarcer resources like staff time (as opposed to reusable security approvals), some agencies might still chafe at the idea of subsidizing a marketplace where others benefit at less or no cost. It can also be disappointing to remember that one of FedRAMP’s potential benefits was in shifting the expense of accreditation back from the government to product vendors, on the assumption that they would be incentivized to do so.

But as we have seen at the VA, this is not always the case, and sometimes the price of authorization simply isn’t worth it for a small product company, causing each side involved—usually disappointed—to withdraw from the process. This non-ideal scenario would likely happen much more frequently if the DTC had not consciously provided a layer of support for the companies who do move forward, applying hundreds of hours of our assistance to get their products across the finish line. We thus created a subsidizing arrangement, supporting CSPs tactically while also honoring two bigger-picture commitments: 1) to remain aligned with the sharing and reuse values promoted by FedRAMP, and 2) equally or more importantly, to deliver necessary tools safely and serve Veterans as quickly as possible.

How to achieve success with FedRAMP and SaaS/PaaS

The recommendations below are both strategic and tactical, focused on making the FedRAMP process less cumbersome. They are based largely on the accomplishments we realized in executing the DTC—your agency’s mileage may vary.

  1. Have a clear posture on FedRAMP adoption. Not every organization will be in a position to corral resources around a new foundation of support for SaaS and PaaS, but it will always be useful to define how much your enterprise can invest to lay this groundwork. You may decide to focus solely on implementing solutions already available in the FedRAMP marketplace (and devote resources only to meeting agency-specific authorization needs) or pre-assigning the number of products you will proactively sponsor to address unique agency needs.
  2. Centralize expertise and support. The DTC serves SaaS and PaaS demand across the VA, and our cybersecurity team deploys subject matter experts on cloud security and architecture based on the data/security levels of the use cases requested. This mode of allocation helps create the expected economies of scale for a specialized group; our team can see commonalities across diverse needs and technologies and streamline the work accordingly. This team can also help the wider organization meet practical timelines by informing federal decisions on where to carry reasonable risk.
  3. Create a process to allow enterprise reuse of security authorizations. To maximize the benefits of a product’s reuse once approved, its future adopters should know about the ones that came before them. A centralized team helps here as well: as stewards of the product portfolio, our DTC team allows new VA customers to discover and reuse available solutions. The work necessary to update Authority to Operate packages for additional users may vary, especially when there are changes in architecture (as seen in low-code platforms) but it can be made relatively painless if the process is consistent, reliable, easy to access, and inclusive of strong federal involvement.
  4. Be a genuine partner to CSPs and FedRAMP. Commercial product companies sometimes have no experience working within federal security requirements, and it pays off to make the complex authorization process as accessible and user-friendly for them as possible. Our team’s experts serve as liaisons between the VA and its CSPs, dedicating a specific set of team members to consult with vendors in preparation for their assessments. While some CSPs hire consultants for this service elsewhere, the VA uses the DTC to shepherd them through the process, widening the door for smaller innovators. We also work carefully to maintain a good relationship with the FedRAMP Program Management Office, communicating openly about our pipeline of work and regularly receiving positive feedback on our transparency.

Closing thoughts

Our team has been fortunate to work alongside the VA, a government champion of FedRAMP that is committed to the program’s ethos of federal collaboration. The partnership pattern appears everywhere in the DTC; in a way, the initial frameworks and investments required for a robust FedRAMP model became more affordable because of the VA’s larger commitment to the commons, as well as its premonitions of the skyrocketing outcomes it would return. The VA has succeeded with SaaS/PaaS because of the supportive environment it created early on, recognizing the wisdom of meeting others more than halfway as the best path toward change management.

Note: B3 could not have supported this FedRAMP program without the strong partnership and wise counsel of our teaming partner, Armavel LLC. We are indebted to our colleagues at Armavel for seeding this model with good practices and helping us understand why it works.