We have all been dealing with FEDRAMP for years along with associated misinformation, ambiguity, and missteps.
FEDRAMP is Hindering Facilities Management in the Federal Sector due to its failure to keep pace with current technology and methods.
As a result, there is a misunderstanding as to how and if these requirements provide benefit. The fact is that FEDRAMP can and has harmed efficient federal sector stewardship of the built environment.
We are happy to hop on a call to assist you from an informational standpoint.
The following factual information is provided to assist Federal Departments and Agencies in making, or revising, policy specifically with respect to effectively and securely using commercial SaaS solutions to improve the efficiency of facilities and physical infrastructure operations, repair, renovation, maintenance, and new build activities, sustainment, and sustainability.
#1FEDRAMP was initially establish to provide a standardized method for ensuring digital information security for federal government agencies. It was based upon NIST standards and other information available at the time. Since that time, it has failed to keep pace with evolving technologies and methods.
#2 There a total of 459 companies in the world who have achieved FedRAMP certification. As you can imagine, the Government contracts with a lot more than that for SaaS solutions (https://marketplace.fedramp.gov/products). When looking over those companies who are certified, most of them are very very large companies and companies who are “hosting focused” versus “application focused”. As a result the “application focused” solutions tend to be traditional, outdated, and relatively expensive and do not maximize potential value to a government using agency.
#3 It is now recognized that the FEDRAMP process, while well intended, has several major issues. It is now understood that requiring FEDRAMP certification in not in the best interests of federal government agencies and departments for many, if not most applications. Please review the following which clearly support this fact.
Here is a draft memo from OMB regarding FEDRAMP revisions, that: https://www.cio.gov/assets/files/resources/FedRAMP-updated-draft-guidance-2023.pdf . This memo clearly notes that SaaS product like those provided by Four BT, LLC and hundreds of other innovative solutions per #3 below are NOT subject to FEDRAMP requirements. )
“Examples of excluded cloud-based services that do not host an information system operated by an agency or contractor of an agency or another organization on behalf of an agency include:
#1. Ancillary services whose compromise would pose a negligible risk to Federal information or information systems, such as systems that make external measurements or read information from other publicly available services.
#2. Publicly available social media or communications platforms governed under Federal agency social media policies, in which Federal employees or support contractors may or may not enter Federal information.
#3. Publicly available services that provide commercially available information.”
“FedRAMP acts as a barrier to entry to firms offering their cloud services to the government.
FEDRAMP has created barriers for businesses offering cloud services to the government and have slowed agencies’ access to technology that increases their operational efficiency and reduces costs.
These issues have created artificial barriers to businesses offering their services to the federal government, thereby slowing agencies’ access to cloud services that increase their ability to serve the public while cutting costs.
The wide-ranging benefits of cloud computing make it clear that it is in the interest of the government to remove any unnecessary barriers to its adoption.”
This above quotes clearly support the issues associated with FEDRAMP(source: of above – https://itif.org/ )
Because Federal agencies require the ability to use more commercial SaaS products and services to meet their enterprise and public-facing needs, the FedRAMP program must continue to change and evolve. (Source: (Federal Secure Cloud Advisory Committee (FSCAC) Feedback to the GSA Administrator on the 2023 Draft Office of Management and Budget(OMB) Memo, “Modernizing the Federal Risk Authorization Management Program (FedRAMP)”)
#54BT’s Job Order Contracting and cost estimating systems using locally researched current and objective granular repair, renovation, maintenance, and new build cost and construction cost data are hosted in a FedRAMP certified data center and therefore inherit the controls from them.
There are few if any additional requirements that should be requested.
ALL Federal Departments and Agencies MUST update their SaaS use policies and change from needlessly requiring FEDRAMP approval. Not doing so, negatively impacts the efficiency of these organizations, in contradiction to FAR regulations and their fiduciary responsibility to taxpayers. Furthermore, exclusively requiring FEDRAMP certification for all SaaS applications favors large businesses, again, a violation of existing statutes.
#6It important that commercial SaaS providers, and the associated infrastructure used to deploy SaaS products, meet appropriated compliance requirements for specified levels of security as developed by NIST.
For example, Four BT LLC products are fully compliant in this regard.
Four BT, LLC (4BT) SaaS products are hosted on Microsoft AZURE and Amazon AWS. Our products are hosted on Microsoft AZURE, and Amazon AWS in the United States, both hosting infrastructures are FEDRAMP compliant.
As a result of Microsoft AZURE hosting for example, and its FEDRAMP compliance, 4BT SaaS software inherits compliance. In addition, Four BT, LLC is company is DFARS, NIST 800-171 and CMMC Level 2 compliant and operates using the Microsoft GCC High. [Note: Microsoft 365 Government Community Cloud High is a cloud platform developed by Microsoft for cleared personnel and organizations that support the Department of Defense (DoD).]