FEDRAMP 101

In this episode of Game Changers for Government Contractors, host Michael LeJeune and cybersecurity expert Gary Daemer discuss FedRAMP, an essential certification for cloud service providers looking to sell to the federal government. With over 40 years of experience in cybersecurity, Gary provides a comprehensive overview of what FedRAMP entails, who needs it, and the challenges involved. Learn about the rigorous process, timelines, costs, and ongoing maintenance requirements for certification. Gary also shares strategic advice on whether pursuing FedRAMP is right for your business and tips for leveraging resources like SBIRs to offset costs. This episode is a must-listen for contractors aiming to enter or expand in the government market.

To listen on your favorite podcast platform, click below:

FA: https://federal-access.com/ep-346-fedramp-101-insights-to-prepare-for-certification/

Apple Podcasts: https://apple.co/3y4sNdA

Spotify: https://spoti.fi/3SPTZoB

To watch, click here: https://youtu.be/oEujGl0lK1c

Read Transcript Here:

Michael LeJeune (00:00) Hey everybody, Michael LeJeune here with Game Changers for Government Contractors. Today, we are going to be talking about a very interesting topic called FedRAMP. I have my friend Gary here with me today to discuss this. We did an episode prior to this about cybersecurity hygiene, so if you're interested, please go take a listen. Gary, before we dive into FedRAMP, why don’t you tell us a bit about yourself—who you are and what you do?

Gary Daemer Absolutely. My name is Gary Daemer, and I've been working in cybersecurity for about 40 years now. It seems like just yesterday that I started, but it's been a long journey. I spent about half of my career in the Washington, D.C. region helping the three-letter agencies build cybersecurity into their operations. I helped build the cybersecurity engineering phase in the D.C. consulting world, mainly focused on moving organizations past just compliance.

Security is often seen as the "no" organization, but our approach is to always say, "Yes, but," and then engineer a solution to meet compliance requirements without slowing the organization down. I left the D.C. area about 20 years ago and started InfusionPoints about 17 years ago. Our focus has been on cybersecurity engineering services, helping customers build cybersecurity into their day-to-day operations by providing strong engineers and advisors.

We also run a security operations center 24/7, 365 days a year, to help our customers protect themselves from hackers. One of the things we say is, "Hackers never sleep, so why should we?" We see millions of events every single day, and it’s mind-boggling—all the things going on in cyberspace.

Michael LeJeune One of the things I appreciate about you guys, as opposed to many newer cybersecurity companies, is your experience. You've been doing this for 40 years. There are a lot of people who’ve been doing it for only four weeks, and while there's nothing inherently wrong with that, they haven’t seen what you’ve seen. You’ve been through situations they weren’t even born to witness. That experience adds so much value.

I've been in this industry for almost 30 years now, working in government, contracting, and running a business. There are things we've seen that someone just starting a business has never encountered. There’s so much value in watching this industry evolve, especially with your background in both government and commercial sectors. That brings us to FedRAMP, which is key for a lot of companies trying to do business with the government. They can't do it without this certification. Can you tell us a bit about what FedRAMP is, who it's for, and then we'll dive into the details?

Gary Daemer I'll keep it as high level as I can, because FedRAMP can be a very detailed topic, and we've been doing it since its inception. FedRAMP is an authorization program for cloud service providers who want to sell their cloud services to the government—whether it’s a SaaS (Software as a Service) solution, PaaS (Platform as a Service), or even IaaS (Infrastructure as a Service). It’s used by federal agencies, including the Department of Defense and civilian agencies.

It’s a process where you have to do a lot of documentation, meet numerous security requirements, go through a rigorous audit, and have several organizations review you. There are two paths: agency authorization or the Joint Authorization Board (JAB). These paths lead to FedRAMP authorization, allowing you to sell your cloud services to the federal government.

Many companies start thinking about FedRAMP when they see it in a solicitation—that they need to be FedRAMP Moderate or High to bid on a contract. If you’re seeing it for the first time in an RFQ, that's not the ideal time to start working on it. FedRAMP is not simple, it's not fast, and it's definitely not guaranteed. It’s a process. I once had a customer tell me, "FedRAMP is not something you do; it’s something you become." That’s so true—it’s not just about the technology; it's about the processes. It’s about how well you manage your environment, handle change management, and prove that you’re doing what you say you're doing. It needs to be part of your corporate strategic plan—something you work on over the next three years. It can take that long, depending on the path you're taking.

It’s important to understand your market. Are you building something the government actually buys? Are you trying to sell without the right contract vehicles, relationships, or positioning? Just having the authorization doesn’t mean customers will automatically come to you.

Michael LeJeune That makes a lot of sense. You mentioned timelines and the importance of strategic planning. What should companies expect in terms of time and cost for FedRAMP?

Gary Daemer Some of the hardest parts aren’t even within your control. From a timeline perspective, it varies. We recently set up a demonstration environment for a customer in about four days, but integrating their application into that environment takes more time. Let’s say it takes us four to six months to get your system compliant. Then, there’s the third-party audit, which can take another eight weeks. After that, you need agency authorization, which could take anywhere from a month to 18 months, depending on the agency. So, you’re looking at eight to twelve months for everything up to authorization.

Once you get agency authorization, you get in the queue to be reviewed by the FedRAMP PMO. Right now, that review queue can take eight to ten months. Once reviewed, there’s often remediation to address new regulations or changes. By the time you’re listed on the FedRAMP marketplace, you’re looking at 18 months to two years. The idea is "authorized once, used many times," but it’s a long process—especially for small organizations. There are ongoing costs as well for maintaining that compliance.

Michael LeJeune It sounds like the ongoing maintenance is almost as much work as the initial build. Can you explain what some of those ongoing requirements are?

Gary Daemer Exactly. The operational side is where a lot of companies struggle. It's not just about building a compliant environment; it’s about maintaining it. You have to keep up with monthly documentation and reporting, for example, proving that you’re mitigating vulnerabilities. If there's a zero-day vulnerability out there, you need to ensure your environment isn’t affected and report that back to the PMO.

Michael LeJeune For those who don’t know, can you explain what a zero-day vulnerability is?

Gary Daemer A zero-day vulnerability is a security flaw in software that has no fix available. Essentially, it's a vulnerability that’s exposed before the developers have had a chance to fix it, which makes it a prime target for hackers. You have to mitigate it as best you can until a patch is available. It’s crucial because other people, including attackers, know about it, which makes it easy to exploit.

Michael LeJeune For companies that have a cloud solution but don’t know if they need FedRAMP, what should they do to determine if it's necessary?

Gary Daemer I highly recommend having strategic discussions with an advisor, someone like us, who can help you think through your requirements. Are you selling to the federal government or to the Department of Defense? If so, you may need FedRAMP. The Department of Defense has its own requirements for systems handling controlled unclassified information, which they call FedRAMP equivalency. So, understanding who your customer is and what you're trying to sell will help determine the right path.

Michael LeJeune What about companies that are leveraging existing cloud providers like AWS? Do they need to get FedRAMP certified?

Gary Daemer As always in cybersecurity, it depends. If you own your account and are developing a solution to sell, that’s different from just using AWS, which already has FedRAMP authorization. If you’re leveraging an AWS FedRAMP-certified environment, you may still have additional requirements to meet, but you don’t necessarily need FedRAMP authorization yourself. The tools you use must meet FedRAMP Moderate or have an equivalency.

Michael LeJeune That’s helpful. One takeaway is that FedRAMP, like many things in government contracting, takes time. And that time is often spent waiting on someone else. What’s the average cost for a company that’s building its own solution and needs certification?

Gary Daemer The cost is in the seven-figure range—at least a million dollars. That includes building, integrating, and documenting your solution, plus $200,000 or more for the audit. You also need to maintain compliance during the audit process. It’s not an easy process, and it’s definitely not something for a solo entrepreneur without significant backing.

However, I’ve seen companies secure grants, such as SBIRs, to help cover these costs. If you have something innovative that the government wants, you can potentially get funding to help you through this process.

Michael LeJeune That’s good to know. I hadn’t thought of using SBIRs for that purpose. So, beyond time and cost, what else should people know about FedRAMP?

Gary Daemer There’s no silver bullet. It’s complex, and there’s no other standard quite like it. It’s a very tough standard to meet, but it can be done. There are over 300 certified companies today. We’re even seeing commercial organizations that want their systems to be FedRAMP-certified because of the rigor involved. It’s not just about building a secure environment; it’s about the ongoing validation that ensures you’re following best practices. Issues like configuration management and patch management are some of the biggest challenges in cybersecurity, and FedRAMP forces you to address them properly.

Michael LeJeune That’s really good insight. If people are interested in going through this process, they can contact your company—you guys are experts at it. I think for most companies getting into government contracting, while you can do a lot on your own, it’s so important to have experts guiding you. Even with your knowledge, it could take two years to navigate this process. Imagine how long it would take without that guidance.

I’ve seen in business where one wrong turn means months of backtracking. Time is precious, and the longer it takes to bring your solution to market, the less time you have to sell it. It could mean millions in lost revenue. I always recommend bringing in experts to ensure you’re going down the right path.

Some people call us and ask if they should do government contracting, and sometimes the answer is no. That simple conversation can save a lot of time, money, and headaches. I really appreciate you being willing to share your expertise on this topic, Gary. For anyone who missed it, check out the Cybersecurity Hygiene episode as well. Thanks again for being here, and I’m sure we’ll talk about more security topics in the future.

Gary Daemer Thanks for having me, Michael. I appreciate the opportunity to share.

Michael LeJeune I hope you enjoyed the podcast today. If you did, I’d really appreciate it if you’d like and subscribe to the podcast, and maybe screenshot it and tag me on LinkedIn or whatever social media you use. Thanks again for joining us, and we’ll see you next time.

Ashley Nicholson, PMP, CSM

I Help Organizations Adapt to New Technologies | Follow Me for Daily Tips to Make You More Tech Savvy | Technology Leader

1 hour ago

Great episode. Thanks for sharing, Michael!

Rich Earnest

Master the Art of Winning Government Contracts - Let’s Connect! - RSM Federal Certified Government Sales Coach | Proven Track Record in Successful Government Sales and Entrepreneurial Leadership

3 hours ago

Great episode, Gary Daemer! Learned a lot!