Navigating FedRAMP: Tips for Startups Wanting to Sell to the Federal Government

The siren call of Washington, DC, is almost irresistible for tech startups. With so many potential customers in a 70-square-mile radius, the geography of the Nation’s Capital makes it appear easy for any company to do business with any federal agency.

However, D.C. is synonymous with bureaucracy and processes. It’s a place where certifications and approvals — which may take months, and possibly years — can lead to business opportunities. 

One such sought-after “stamp of approval” is the Federal Risk and Authorization Management Program (FedRAMP). Offered by the U.S. Office of Management and Budget (OMB), the program lays out the path to federal adoption of a technology. For example, if companies want to successfully sell a cloud technology to a federal agency, they will need to go through this certification and approval process. 

Everlaw has secured an “In Process” designation under this program. The next step is “Authorized to Operate,” which allows greater adoption by federal agencies and represents a milestone in the journey that many startups struggle to reach. 

Lisa Hawke, Vice President of Security and Compliance at Everlaw, recently appeared on the a16z podcast with Everlaw board member Steven Sinofsky to discuss the federal government’s efforts to provide more cloud-based services. Their conversation focused on what startups should know about FedRAMP, and how to successfully navigate the various certifications offered.

For instance, as Lisa notes, it helps to team up with a federal agency that can be an advocate. An agency partner can help the startup’s leadership understand the resources required to assemble the documentation that FedRAMP authorization requires. When the company’s leadership team knows a government agency is willing to purchase the software, it’s easier to commit the budget and time required to create the documentation and satisfy FedRAMP’s security audit requirements.  

“This is not a ‘secret part of the government.’ Their goal is to get you [the startup] authorized.” – Steven Sinofsky, a16z

At first, the process of pursuing FedRAMP authorization might seem daunting to companies, especially startups. However, the OMB provides materials and guides to understand the process, such as an application flow chart, a vendor playbook, and a template for preparing the systems security package. 

FedRAMP’s strict requirements can help startups prioritize security practices such as continuous monitoring and industry certifications such as SOC 2 Type 2. These practices and certifications are a jumping-off point for the security requirements under FedRAMP.

“We found that, on the whole, a lot of the controls really pushed us forward. The process made our entire infrastructure more secure.” – Lisa Hawke, Everlaw

One of the most work-intensive portions of the certification process is preparing for and managing the independent on-site audit by a “3PAO” or third party assessment organization. Startups should understand the options offered in this portion of the program, and develop strategies to prepare for and manage the audit and relationship with the auditors.

For additional tips on navigating FedRAMP, listen to the podcast on a16z’s website: a16z Podcast: What to Know about FedRAMP.