The cost of working with the government is high

To navigate the Risk Management Framework, vendors must answer an Authorizing Official’s questions about their commercial security management practices. Vendors spend significant amounts of time, effort, and money completing the Authority to Operate (ATO) process.

“As soon as you go into the government space, it seems like you pay 30% more.”

At times, vendors said they needed to reduce the security of their product or eliminate features altogether in order to receive an Authority to Operate.

“We have to disable features, for sure, based off of the compliance requirements.”

To work with Federal agencies that require the highest FISMA or FedRAMP authorization levels, vendors often have to make difficult decisions. Some decide to divide their companies (or product lines) into two separate organizations, with one focused solely on meeting government-specific requirements. Others decide simply not to sell to the government. This is especially true of small businesses that cannot shoulder the cost or commit the dedicated time needed to meet the Framework requirements.

“I think we would need to split into a commercial deployment and a Federal deployment and build a moat around it and fill it with laser sharks. And I’m not sure if that’s something we have the will to do.”

To be successful in the healthcare space, one company we spoke with wanted to work with the Department of Veterans Affairs (VA), the largest health provider network in the United States. Due to the VA’s FedRAMP High requirements, however, the company could not justify the enormous burden and cost of obtaining and then maintaining that level of security compliance. This left the company and its other clients, including the Department of Health and Human Services, with significant gaps in their capabilities.


This site was last updated on 9 OCT 2023.