Blog

In this video, Doug Barbin, President and National Managing Principal at Schellman, and Anil Markose, Chief Strategy Officer at Abacode, discuss the theme of trust in the context of cybersecurity and compliance. Join Doug and Anil as they delve into the challenges posed by the current audit-based trust mechanism, particularly in a rapidly evolving IT landscape characterized by innovations like AI and DevOps.

You're a cloud service provider and you want to do work for the federal government. In order to do that though, you need to be FedRAMP authorized and you've been told by the government agency that you're trying to sell to that, you need to be FedRAMP authorized. In this short video, we're going to walk you through what the process is, what the journey is to get to the point where you have that authorization, you've been approved, and you can go and sell work to your federal agency customers.

We get it: You didn't budget for a compliance assessment. You were trying to sell a deal to a customer who came back to you and said you needed a SOC 2 audit or an ISO certification. But when you're making a choice, what are the implications if you go with one firm versus another in particular if you go with a low-cost provider? I'm Doug Barbin, managing principal and chief growth officer at Schellman. We've been performing assessments for over 20 years of companies of all sizes, from start-up companies to the Fortune 50. You're a start-up company. You're active in the marketplace and you're selling to customers. And you get to that deal where this customer says, this looks great, it looks like a fit for me, but I need to see proof of your security program. I need a SOC 2 report. From there, what do you do? You go out, you research different types of firms. There are certainly firms that are larger at the higher end, such as the big four firms that have the brand names and the prestige and are very, very expensive. There are often smaller firms, too, that can do this at a much lower cost. What are the things that you need to think about, though, when you're going in the direction of a low-cost provider? In particular, we get that this was not budgeted. We get that this was something that you weren't planning to do. And from a certain degree, it's a checkbox that you need to achieve in order to sell to that customer. However, what does it really mean after that? A SOC 2 report is really a statement that your security program and your commitments to your customers are being met. And those commitments have been vetted by an independent third-party assessor like Schellman. And that's what we do.

So you are a defense contractor or maybe you are participating in a large defense contract. As a result, you may have heard that you need to comply with CMMC. Let's talk about what that is.

So you want to provide cloud services to the federal government? There's a process that you need to go through in order to get there, and that requires an authorization and an assessment, but it also requires an agency sponsor. Let's talk about what that actually means. I'm Doug Barbin, managing principal, and chief growth officer at Schellman. We've also had the privilege at Schellman of being one of the first third-party assessment organizations, or 3PAO, since the FedRAMP program's inception 10 years ago. What does this agency sponsorship mean? Fedramp is one of the unique types of third-party assessments that require interactions by the second party. In most cases, if you look at a SOC 2 report or an ISO 27001 certification, you can come to a body or a provider like Schellman, we can perform an assessment, we can issue you a report that you can share with your customers. In the case of FedRAMP, that's not enough. To get into the FedRAMP process, you have to have a sponsor, you have to have a means of entry into the federal government. Typically what that means is you have a government agency - could be a division of the Department of Defense as well, but you have a group within the government that is going to sponsor your entryway into FedRAMP. They want to do business with you, and so they're willing to be your sponsor in that FedRAMP process. Now, that is a requirement, unfortunately, and that can be a barrier for some companies that are looking to get into the market but don't have an existing relationship or an initial relationship that can be that sponsor. So what do you do to address that? There are a few avenues such as going through a FedRAMP ready assessment. There are other outreach programs. You can reach out to the FedRAMP PMO who can give you guidance on how to get there. But it is important to know: going into FedRAMP, it's not enough just to hire an assessment firm. As a matter of fact, you can't hire us to do the assessment unless you have someone, an agency or the joint authorization board that's willing to sponsor you through the process. Getting an agency sponsor is a critical first step in your FedRAMP path. Contact us today so that we can walk you through what the broader picture is from a journey on FedRAMP, from getting that agency sponsor to going through the assessment and ultimately getting your authorization.