Navigating the Clouds: Decoding FedRAMP with LaunchDarkly and Schellman | The Pair Program Ep49

In this episode of The Pair Program, we dive deep into the complexities of FedRAMP with two industry veterans who have navigated the process firsthand. Sara Mazer, Federal CTO at LaunchDarkly, and Nick Rundhaug, Managing Director at Schellman, join us to shed light on the FedRAMP authorization journey and offer valuable insights for companies seeking to achieve this prestigious certification.
FedRAMP, the Federal Risk and Authorization Management Program, is a critical framework managed by the GSA’s Program Management Office that ensures cloud services meet stringent security requirements before working with the government. LaunchDarkly’s successful FedRAMP authorization is a testament to their commitment to security and compliance, and Sara Mazer, who led the charge from start to finish, shares her experience and the challenges faced along the way.
In this episode, Sara and Nick discuss:
- What FedRAMP is and why it's crucial for Cloud companies working with the government.
- LaunchDarkly’s journey through the FedRAMP process and Sara’s role as the first technical team member.
- Insights into Schellman’s role as a Third-Party Assessment Organization (3PAO) and their partnership with LaunchDarkly.
- Tips and advice for companies aiming to achieve FedRAMP certification, including common misconceptions and the importance of preparation.
- Strategies for successful FedRAMP navigation, including the need for agency sponsors and leveraging readiness assessments.
Tune in to gain a comprehensive understanding of FedRAMP, learn from the experts, and discover practical advice to help your organization achieve cloud security certification.
Welcome to The Pair Program from hatchpad, the podcast that gives you a front row seat to candid conversations with tech leaders from the startup world. I'm your host, Tim Winkler, the creator of hatchpad. And I'm your other host, Mike Gruen. Join us each episode as we bring together two guests to dissect topics at the intersection of technology, startups, and career growth. Hey everyone, welcome back to The Pair Program. Tim Winkler here with Mike Gruen. Uh, Mike, my wife is a big fan of these National Calendar Day, uh, items, so. You know what I'm talking about with that? I mean, I know that there are
Mike Gruen: national calendar days, but National days. Yeah, but I don't know. So every day
Tim Winkler: is some national day to celebrate. Is every day something? Yeah, they've come up with something for every day. So for example, today is National Avocado Day. And, um, so I'm gonna ask you, an avocado guy. Are you big, big guacamole
Mike Gruen: guy? So I like avocados, but I'm not a big guacamole guy. Um, usually got too much garlic in it for me. And, uh, the garlic just doesn't sit well with me. So. Um, it's not that I don't like the taste of garlic, it's just that it does bad things to me.
Tim Winkler: Yeah, so, so, F, marry, kill, uh, guac, queso, guac, queso, salsa. Oh, it's
Mike Gruen: Marry salsa, F queso, kill, uh, kill the guac, kill the guac. Okay. We're going to make a little sound bite of that for you. Not at
Tim Winkler: all. The most awkward beginning, just awkward, awkward start. Um, all right, we'll transition from, from there. Uh, I'm excited for today's episode. So today we are kind of diving into the world of government compliance and cloud technology. A special focus on FedRAMP. So FedRAMP is short for the Federal Risk and Authorization Management Program. And joining us are two experts who are pretty deeply entrenched in the FedRAMP ecosystem from, uh, a couple of different unique vantage points. So first we have Sara Mazer, the federal CTO at LaunchDarkly, a software company specializing in feature management for development teams. Uh, also note that Sara is a co-founder of the Federal Cloud Advisory Board, uh, which is a non-profit dedicated to making the FedRAMP authorization process easier for all. Uh, and accompanying her is Nick, uh, Rundhaug, a managing director at Schellman, a company providing compliance and attestation services globally. Nick's also an expert FedRAMP assessor. Uh, and so together we're going to explore what FedRAMP really means for companies, kind of that intricate journey of getting certified and why this is crucial for any software provider that's working with the U.S. government. So Sara, Nick, thank you both for joining us today on The Pair Program.
Sara Mazer: Yeah. Thank you for having us. Of
Tim Winkler: course. All right. Now, before we dive in, we're going to kick off with our Pair Me Up segment. Uh, here's where we all kind of go around the room and spitball a complementary pairing of our choice. Mike, you lead us off. What, what's your pairing for today? So.
Mike Gruen: Again, try and go back to some food. Uh, I'm going with, um, tuna salad with a hard-boiled egg, uh, mixed into it. And it's, uh, my grandmother used to make it for me when I was a kid. It's just like, it's just a favorite. Um, toasted rye if you have to, or pita. But, uh, but yeah, the, um, egg salad and a hard-boiled egg. That's my pairing. Oh, what do you say? Tuna salad. Oh, sorry. Tuna salad. Yes. Tuna salad. Yeah. Yeah. I had chicken salad for lunch. That's what made me think of it.
Tim Winkler: Uh, I'm right there with you, man. Tuna. Tuna salad's one of my go-tos, but if you don't have that hard-boiled egg in there, I feel like it's not a complete salad. There you go. Yeah. Yeah, big, big, uh, hard-boiled egg fan. Awesome. Cool. Um, all right, I'm going to deviate from food. Uh, and this is just going to be probably a pairing for myself. Not, not many people will understand, but I'm going to go with solo parenting and documentaries. Um, so last night my wife went out to dinner with some of her, her girlfriends. So I, I played the single dad. Uh, you know, watching my daughter, uh, Alice, and we always have a great time when I'm, when I'm, we're just kind of one on one with each other. So we did, we did dinner and read some books. And then when I put her down for, for bed and it's just me, I always find like, that's like the perfect time for me to get locked into a documentary. Documentaries, I feel like you just, you got to be really tuned in with no distractions. Uh, so this is kind of like my time to do just that. So that's, that's my pairing. I got locked into a pretty wild one on political conspiracies last night. Um, I won't go too, too into detail on it, but, uh, I'll shout it out. It was called Everything Is a Rich Man's Trick. Uh, and you can. It was only finding on YouTube, um, but, uh, went down this whole Reddit rabbit hole to find, uh, some interesting documentaries. So Reddit's another one. Reddit's another one. You could probably pair Reddit with some good conspiracy theories, but, uh, that's my, that's my pairing for today. Uh, let's kick it over to our guest, uh, Sara, about yourself, quick intro and your pairing.
Sara Mazer: Yeah. So, uh, you intro'd me just very well. So I am the federal CTO of LaunchDarkly and been with the company over four years. I've taken the company through FedRAMP authorization from the very beginning, all the way through the end and continuous monitoring and that sort of thing, uh, looking at maybe doing it all over again. So a lot of this is really fresh in my mind. Um, and then I would like to say my pairing is a dog and another dog. So I am an animal lover. I rescued dogs. I think that they're like potato chips. You can't have one. If you have one, it's not that big of a deal to get another one. So consider adoption, and they're pack animals. They love to just hang out in packs and it makes you feel less guilty if you leave them at home alone. So I think, uh, I'd like to just shout out having multiple dogs.
Mike Gruen: We, uh, I grew up with dogs. Our dogs were outside dogs, uh, and having, we always had at least two, usually three, sometimes four, uh, cause they're a pack animal and, uh, they want to hang out together. Awesome pairing.
Tim Winkler: I like the analogy of the like potato chips, can't have just one. That, that was creative. We, we had two dogs, um, for, for a few years. We lost one, this guy, Griffin, uh, behind me here, we had a little, little painting, but we, we got, um, a puppy when Griffin was about seven years old. And I, I always found it really helpful to have a, you know, a puppy with a more mature dog. It kind of, they follow suit, helps with like training and stuff like that. So, um, well said, I think great pairing. Uh, all right, let's pack it, pass it over to, uh, Nick, but quick intro and, uh, your pairing.
Nick Rundhaug: Yeah, thanks Tim. Um, and like Sara, uh, good, good intro already, but, uh, Nick Rundhaug, Managing Director at Schellman. Now our federal service line leader, um, amongst others here. Uh, for pairings, um, as you can tell behind me, I do enjoy some retro video games, uh, video games with my daughter. Um, she's 13 and of that, uh, age and generation where they like phones, they like games. So it's a perfect way to connect. Um, recently, uh, within the past year or so she was playing Fortnite. And I've never won a game. Um, I pride myself on a lot of, uh, the battle royales that I've won a game. Number one, and she got me my first win on there. I think I killed, got one kill. She had like eight, but I'll take it. A win's a win's a win. Uh, so yeah, video games and my daughter. It's a good pairing.
Mike Gruen: Awesome. That's a good pairing.
Tim Winkler: That's solid. Does she play some of your old school retro games? And it's like, what, what am I, what are we doing here?
Nick Rundhaug: Absolutely. Yeah. She appreciates all of them. Uh, and, and they've been good about porting a lot of those to Switch. So we do, we probably play Switch more than. More than PC games, but, um, yeah, she, she does appreciate some of the old ones at Mario's classic and time. Yeah.
Tim Winkler: Yeah. Nice. Yeah. Love the Switch. All right. Uh, that's a, that's a wrap on the Pair Me Up segment. So, um, let's go ahead and, uh, transition into the, the heart of our discussion here. So, as I mentioned, we're going to be talking about FedRAMP, uh, and covering, you know, like the definition of, of FedRAMP, the certification process. Um, some of the associated cost challenges and advice for companies that are considering the process. Uh, so in true Pair Program form, we're going to be able to approach this from both sides of the coin. Sara, taking the perspective of a company getting certified. Uh, Nick, with the perspective of, uh, a 3PAO or a third-party assessment organization, uh, working with a company getting certified. So let's, let's dive into it. Sara, how about you maybe kick us off with an explanation more on what FedRAMP is and its significance to companies?
Sara Mazer: Sure. So FedRAMP is an authorization program that is managed out of the GSA's program management office. So GSA for short. And it is a way that companies such as LaunchDarkly or other providers that have something to do with the cloud are able to get authorization to work with government agencies. Theoretically, it makes it easier for government agencies to purchase your software. It means that your software has been vetted as more secure than it otherwise would have been. So it means that you're compliant with certain government regulations. And the goal on the government side is really to share that work. So instead of every single agency going through and vetting a CSP or cloud service provider, which we are, um, and making sure that it's secure and it meets certain regulations, now you have one organization that standardizes that practice and all the government agencies can kind of take advantage of the work of maybe your sponsor or the JAB in the past, there was a JAB, and, and then that work can be shared amongst all agencies and it makes it easier and cause it saves costs for the agencies as well.
Tim Winkler: Awesome. Can, um, so before we pass it over to Nick, can you tell us a little bit more about LaunchDarkly's evaluation and initiation into FedRAMP?
Sara Mazer: Yeah. So it took us some time to actually go through that process. There's a lot that happens upfront, even before we start working with somebody like a 3PAO. And that is, do we even want to make that effort? And so there's analysis of looking at your pipeline, looking at your product, trying to figure out how much change would need to happen and putting together a proposal for the board. And so there's a lot of work that goes into it before you even start talking to 3PAOs or the GSA on whether or not you're going to go through it. And then once you start talking to the PMO, they expect you to pretty much do everything in about a year. So start to finish for LaunchDarkly, it was about three years. Uh, but starting from the point of working with the GSA on forward, that was just over a year.
Tim Winkler: And maybe for some helpful context, what's the size of LaunchDarkly or what was the size of it to like when you all first started going down the process?
Sara Mazer: So we were about 500 employees. And we are fully SaaS. We run in the cloud and require cloud components. We did have an on-prem version, which means that we're actually running at another government agency's cloud. So we started with a little bit of an advantage in that we, we knew what kind of regulations we had to comply with already. So we had an idea of the level of work for creating a federal instance that some companies may not be able to take advantage of, but, uh, yeah, so we already had a couple of different versions of LaunchDarkly running in different places. And the decision was, do we want to migrate over to a federal instance? Where we can then bring on other government agencies at that time.
Tim Winkler: And your background specifically, maybe it's, it's helpful to paint the picture of where you kind of came from and where you specifically brought on, uh, to the team at LaunchDarkly with this initiative in mind, or was there other areas that you were satisfying and then this kind of came onto the, onto your plate?
Sara Mazer: So we were a small team at the time and I came in as the first, uh, technical, uh, expert for the federal team at LaunchDarkly. And at the time we were not considering FedRAMP. So I had worked with the account executive to start building a case for FedRAMP. So it wasn't a done deal. We had to go and convince the board. We had to look at the pipeline. We had to look at all the companies that have approached us in the past and look at the deals lost because we weren't FedRAMP authorized. And so I started with that AE from day one to build a case and it, it did take some time.
Tim Winkler: And then when you were going through selecting these different vendors, you know, what is it, what was it that you were kind of looking into, or maybe some of these challenges that you ran into when you were kind of deciding or vetting through some of these 3PAO firms?
Sara Mazer: Yeah, I, I have a whole bunch to say on lessons learned and best practices that I'm sure we're gonna get into. I think at the time though, our company was so new to FedRAMP in general, I was new to it. It was a learning experience for everybody. So I think, you know, we, we knew the process, we knew about the timeline. We knew a little bit about the product. We didn't know much about the 3PAOs. Um, and so vetting them was at the time just talking to them and getting prices and figuring out how long it will take and their expertise on, you know, taking companies through that and um, and now looking back and trying to decide if we're going to go through this all over again. There's, there's so many lessons learned there. Um, I think we did a decent job, but there's always room for improvement and that's what I wanted to do when a few of us got together in industry to start the Federal Cloud Advisory Board, because there really wasn't anybody to go call up and say, Hey, you went through this before. Who should we hire? Why? You know, tell me some horror stories or give me advice. There wasn't any of that for like the smaller-sized CSPs. So a bunch of us through LinkedIn met and got together, and there were four co-founders at the time to kind of help each other out. We were all in different stages of going through federal authorization, but it was such a painful procedure that we all just want to help each other out now. And so we have that nonprofit that we started to kind of hold other people's hands and give them advice. And, um, we're very blunt internally about, you know, who's, who's a good 3PAO and who's not, and here's why, and, and talking about all the issues and change that are going on at the GSA office right now.
Tim Winkler: That's great. It's what, this seems like a very helpful, uh, organization to, to, to identify with when you're going through the process and we'll be sure to, uh, shout out all the, the terrible 3PAOs on this podcast as well, uh, but no, it's, it's, it's sound. Let's talk about a good one. So you had a good experience here with, with Schellman, and Nick, let's pass it over to you at this point. Um, maybe start with, you know, a little bit more of an overview on like, you know, Schellman, how you all operate as, as an organization, and then, um, uh, maybe a little bit more detail into, you know, coming to 3PAO and, and then how you all kind of got intertwined with LaunchDarkly.
Nick Rundhaug: Yeah, no, absolutely. Um, one of the terms that, that you hear a lot is 3PAO, three PAO, three pal, uh, third-party assessment organization and, you know, a critical piece of the FedRAMP process because of the third-party portion of that. Um, prior, it'd be FISMA reports, and we just go right to the federal agency using it. Um, that's, that's good. It works on a small scale. So, FedRAMP is leverageable, so it's scalable, meaning you get that one report, and it can go to as many authorizations as, um, federal agencies want to use their product. So, LaunchDarkly, they can have multiple authorizations now, one report, so it saved time and money on everyone's side. Um, the third-party part comes into play because now someone else who's independent comes in. It's not a self-assessment, um, by the cloud service provider, so by and large, it's not the federal agency that might not have the expertise. So third party, that's us, um, uh, for FedRAMP, 3PAOs are accredited. So there's a short list and shockingly over the years, it's only gotten shorter. So, um, that list, if you really go on there and it's all, it's all public, go on the marketplace and take a look, that list has gotten shorter over the years. Um, because there's an accreditation process to it. So A2LA is an organization that comes through and kind of audits the auditor, so to speak. So on a yearly basis, they check us, check our work and all that. Um, that's how one becomes a 3PAO. So Schellman, um, starting as a, an accounting firm, uh, doing non-finance, we focus on security assessments. Uh, saw this as a, as a, you know, a market that is developing and we got our, um, accreditation and have been one of the first, uh, to, to do that. So we've grown over the years. Um, we, you have a choice and you can be, um, have consulting advising services as well, or you could be pure play assessment. We are pretty much the only one on that list that's pure play assessment only.
We don't offer consulting advising. Um, that's helped us expand quite a bit in that, um, FedRAMP prohibits you from ever doing work and assessing your own work. Um, so that's one of those things that when folks are looking, looking at those that they have to kind of make that decision to want one or the other. Um, it's made us have that expertise specifically on assessing and so our assessors get very good at particularly FedRAMP assessing. So that's why you've seen the, uh, the growth in those numbers or anyone that has seen that. Um, that comes through on the, on the marketplace. So that's how we kind of got in that business. And, um, we've expanded that quite a bit. And now we're the one in the marketplace, probably for one of those reasons, there is a pen test portion of that as well. So we also, not only do we have assessors, part of our assessment team are penetration testers as well, as FedRAMP does require that. So it's kind of an all-encompassing thing. Um, that's what every 3PAO that you're hearing does. Um, and that, that's what we do. We got introduced, um, LaunchDarkly, I believe, if I remember correctly, was kind of looking around at assessors. We did not do their initial assessment, but they were looking at, um, changing. So we spoke with them, um, kind of talked through how we would do things. Um, any, any, uh, thing that they want to see differently, how we would address that and see if there's a right fit. It was, and we've continued to do their annual assessment from then on out. And with FedRAMP, that's kind of the other piece that was put into place when the program was developed is, it wasn't a one-time report. There's a continuous monitoring aspect. Part of that umbrella, continuous monitoring, is an annual report that has to be done by a third-party assessment organization. So we come in and check them on an annual basis. Thanks. Um, and look at all sorts of stuff, but we basically look at a subset of controls every single year.
Mike Gruen: I think one of the things that you touched on it, but I think it's important to point out is the fact that there's that separation between doing the work and assessing the work, having gone through any number of assessments for various things over the years. There was always, there were, there's plenty of certifications you can get where the company that's doing the assessment is also the one that's helping you and miraculously they have a 100 percent success rate if you just pay them. Um, so, um, so I like that about FedRAMP. I, um, like from my perspective, I, at one of the companies I started the process, I left that company before we sort of did it. But we went, we started going through the whole FedRAMP, um, like looking at it and assessing it. And we didn't get to the point where I got to pick an assessor, but, um, did get through like, so there is a lot of tools. I think, um, Sara, back to your point of like, there's a lot of tools you can use to do pre-assessment and early stuff to sort of get an idea of how much work this is going to be, because that's when you're talking about, you know, like going to the board and getting approval, not only do you need to know what the pipeline is, but you also have to have some concept of what the cost is going to be. Um, so, um, so I've gone through a little bit of it, but not the whole thing, but, uh, I did, I was, I'll wrap it up. I was, uh, happy to see that the, the, they keep it separated, that you can't do the work and assess your own work. Oh, that's cool.
Tim Winkler: Let's, let's dive deeper into the cost of it. Um, I'd love to, you know, try to get as transparent as possible for some of those folks out there that might be considering this. So, um, yeah, Nick, what, what are some of the typical assessment costs for companies wanting to become certified?
Nick Rundhaug: Yeah. And we can kind of break it down really into there's everything before the assessment, um, Sara's probably gonna come in on that. Uh, so there's architecting, right. Standing it up. Um, and all of that is, uh, possibly consulting, advising work that goes into that, getting someone's expert expertise as to, Hey, what does FIPS 140-2 or -3 mean? And what are the current modules that do that? That's all that pre-work, right? Then there's the assessment piece, that's us. There is an ongoing piece after that that's worth mentioning, we have a part of that, but, um, it's, it's always good to, to recognize that a CSP is going to have regular costs probably as part of that, right? Like, there's, there's increased scanning requirements, there's certain logging and incident response, and all that does come with a cost, um, that Sara will probably be able to answer better than I can. As for actual assessment costs, um, it's, it's fairly transparent. It's a level of effort thing. Um, it is the, uh, as an assessment firm, it is the most expensive, most expansive, uh, most, uh, technically, um, you know, uh, complicated assessment we do most of the time. That means we, um, have a pre-period where, um, there's some deliverables FedRAMP requires like a SAP, security assessment plan, and then the actual SAR package, security assessment report. All of that kind of gets bundled in as well as with a pen test, penetration test. Uh, up to six vectors that includes everything inside that bubble of a boundary and, and, uh, any mobile apps and other type of things they want to authorize. All that means we know the number of weeks and a lot of times just comes out to number of weeks as well as that kind of review afterwards. A standard, um, as of 2024, a, uh, moderate initial assessment, $260,000 is about what it costs, a quarter mil ballpark, right on in there. That's just that assessment piece. On an annual basis, think around 200.
Um, other costs that can come into play from an assessor is if you have changes that are ad hoc throughout the year, those have to be tested. So, once again, level of effort on number of weeks and if a pen test, but those are some ballpark pricing just on the assessment piece. But then you take that and add it to, uh, throw it over to Sara on probably what a lot of that cost is rolling up to that. Um, and it goes up quite a bit.
Tim Winkler: Yeah, Sara, what kind of additional cost, uh, kind of came into play on, on your end?
Sara Mazer: It's interesting because I was just looking at the numbers because we're trying to figure out where we go next. And we look back at the ROI of the FedRAMP Moderate instance. And I looked at how we were doing accounting for that federal instance. And, um, it was, it was pretty interesting cause that's not necessarily my world. Um, I would say, you know, it really depends on your product and the company and where you're at in the process, how much it's going to be. Um, for LaunchDarkly, I, I think it's safe to say that, you know, it's over seven figures to do the whole thing. That includes a lot of, you know, infrastructure costs because you're standing up a completely new instance in some other region of Amazon. And it also includes product changes, so there's going to be engineering effort to swap out components of your architecture with things that are FedRAMPable. So there are, and so that's going to differ from company to company. Not everything is FedRAMPable, so you have to then figure out, like CDNs are a good example, right? There's, you know, our commercial instance uses Fastly and they're not FedRAMPed. So then what do we do, right? And so there's all these decisions that you have to make. And so there's the engineering hours just to change the architecture, which then are people hours, plus you're buying new software, new components, potentially. Right. And then there's compliance costs. So there's all the way down to the operating system level where we switch to like Canonical's FIPS, um, Ubuntu Pro, which is, you know, FedRAMPable because it has got the encryption in it, um, all the way up to like higher level, um, types of services that we take advantage of. So, you know, that, that whole across the board from really low level to higher level components that may need to be replaced and then on the flip side, it's not really cost, but you could lose
capabilities in your product, and does that hurt your market share because you don't have all the capabilities your commercial version does because things just can't be compliant with FedRAMP as things stand today. And so there's kind of that loss that doesn't show up on, you know, the P&L sheets for it, but it certainly plays a factor in the decision of whether somebody would want to go through FedRAMP or not. So, and then just the general, as Nick mentioned, you know, the ConMon meetings, all the paperwork that you have to go through all the time, a significant change or class, that all takes time and eats up engineering and security team hours. So it does end up being pretty significant for all of the CSPs.
Mike Gruen: I'm curious, did you, um, have like a separate team that was sort of responsible for this or was it just part of broad engineering responsibility to maintain essentially both versions? I'm just sort of curious. And did you experiment with both? What was sort of your experience?
Sara Mazer: We kind of had a tiger team that did the migration. So we did take it, our instance that was hosted at a federal agency, and move it. And so the tiger team were the experts in the migration effort. But right now, all of engineering is expected to be able to understand the federal instance and go in and, uh, and deal with incidents and all of that. There's another component, which we made the decision at the time not to do, but it's whether you should run in a GovCloud region or not. That's independent of FedRAMP and you have to look at your pipeline and your potential customers to be able to make that call. Um, but that is another change where then maybe you do have to start isolating out who's going to work on the federal instance because they have to be U.S. citizens and so all the way from support personnel to, uh, security to developers. And so that's another organizational change that you might have to think about if you're going to go through and install in GovCloud.
Tim Winkler: Yeah. I mean, I think you were saying in the, in those early stages, when you're kind of got getting the key stakeholders and onboard with this, you know, you're probably really looking at that opportunity pipeline, you know, some of those opportunities that you lost out on, uh, yeah, one or two of those. It's an easy justify the cost of, you know, this type of implementation and the value add there. So, um, yeah, it's, it's, you know, it's not a drop in the bucket and, and I, this is kind of leads me to another question too, is, you know, um, you know, there's this list of assessors, these, these 3PAOs that you all reference. Um, is it pretty standard pricing across the board or is there, you know, uh, I guess you mentioned level of effort, right? So if it's a smaller organization, do you find that the cost is going to fluctuate, um, you know, based on the size of that org?
Nick Rundhaug: I can answer, I can answer first. Um, a lot of times we don't entirely know, um, you know, what, what, uh, our competitors are charging, but, but we do hear quite a bit, you know, um, we'll be higher than, than quite a few. But once again, um, a decision we made on, on talent retention, focusing on that and hoping that, that, that comes through. Um, it's also several different models that folks have. I know we, we approach things and try and provide value that way going. It's not going over that. And others will kind of take a different approach and go, well, we'll charge you for support meetings and things like that. Whereas, um, we'd rather, um, folks kind of know that going in, but prices, I, I would be, um, surprised, especially because when I said that shrunk, a lot of them could not find a model that worked. So, you know, we've been doing this a good 10 years, um, really came out 2011, I think. You know, we're doing it close to the beginning of that. So, um, that list that was well over 100 or maybe approached 100, but it's quite a bit. Um, it's down to really, in my opinion, about 30 active, of which, um, only about 10 of those have double digits. So, um, some of those pricing models that were very low, uh, I think to try and get the foot in the door, have gone away. So, um, they're probably all within about the same, um, certain percentage, maybe 20%, I know that's a pretty big percentage, but, um, yeah. And then I'm not sure Sara has any insight there as well.
Sara Mazer:I do. Since I talked to quite a few of them and we got quotes from a bunch, maybe this is a good time where I could go over, um, my list of tips for vetting.
Tim Winkler:Yeah.
Sara Mazer:But for, uh, so. I'll start out with saying that price should be really on the bottom of your list, right? So they're all somewhat in the same ballpark and it really matters who you choose. The first thing that you should do is ask other people, their experience of working with companies and there are now organizations such as my nonprofit, but there are others. But it's really, really important to get feedback on which are good and which aren't, because there are some that are pretty well known to be not so good. And some that are. You know, there's, there's about four of them in my mind that I've heard nothing but positive things. And you know, another tricky thing is people move around too. So it doesn't matter. It's like, who is the person doing the work? It's not just the sales guy that's giving you the quote. Um, you really need to make sure that they have a good team of people that know what they're doing and retention is really important. Some of them have a lot more turnover, and so you don't know that unless you talk to others in the industry that have potentially gone through this, but that's the first thing is really just do background checks on them and reach out to people that have gone through it. I think almost everybody that has gone through the process, if you even find them on LinkedIn and say, Hey, I just have a few questions, they'd be more than happy. To tell you their experience because it's, it's such a painful procedure, but there's other things that you might want to consider, um, related to, uh, whether they've got experience with companies in your space. So they may not have experience with a company that does exactly what you do. It may be on the database side, or it may be on, you know, the, the higher level, uh, software as a service side that's, you know, fully application based. And so somebody that has a little bit of an experience and, and what you do or understands your industry and our space is really important. 
Um, and I would say also they understand the agency that you've worked with and they've got authorizations with the, uh, sponsoring agency because, for example, CMS is our sponsoring agency and on top of the FedRAMP regulations, they've got something called ARS, A R S, um, that are additional compliance regulations that we have to adhere to to get that ATO. So if your assessor knows that and is familiar with that, then it just makes it a little bit easier. Thanks. And then there's the contracting side as well. So you want to make sure that if you contract with one, that you want to ask for some way to do weekly status updates or monitor their progress. Um, because we've seen issues with other 3PAOs where they're, they could just go radio silent or things get delayed and you want to stay on top of it and you want to put that right in your contract. Another one, I was like an early termination clause. Um, sad to say that that does happen sometimes is that, uh, for whatever reason you want to get out of your contract and work with a different 3PAO, um, you want to make sure that you have the right clauses in, you know, up front and you've thought of that ahead of time. And then I also think in terms of going back to pricing, there are companies out there that offer FedRAMP in a box. And And they do a similar thing, right? And they, they kind of promise that you'll go through a FedRAMP authorization and some of them help you do 3PAO work. Um, but then it kind of limits the architecture and limits the control that you have in making changes to your architecture. So there are a lot of trade offs there. So the prices on those are not apples to oranges and those, but you want to be very wary of the FedRAMP in the box. Type of, um, services out there. And my experience, uh, some of them are, you know, have had really good positive customer, um, outcomes, but other ones that I've heard frustration from as well.
Nick Rundhaug:Yeah. Uh, well said Sarah on all those points. I, uh, the one key thing that she said, I think is very important. I always say, if, if, you know, You get on a sales call, people can tell you anything. How do you know they're lying? Go on that marketplace. The cool thing FedRAMP did, they made all that information public. Reach out to one of those that is a client, pick randomly, pick randomly, right? And see what they say. Like, that's a true test right there. Uh, and say, Hey, how was your experience? I put a lot of stock behind that and think that, um, everyone should do that.
Mike Gruen:Yeah, that's awesome advice in 20. So I, when I was going through it, it was 2012. Uh, it wasn't a lot of people to talk to. There were a lot of companies offering that there are a lot of, and it was the way we got hooked up with the company that I think we ultimately ended up using. Um, it was, it was all just connections, people knew people and they're, and they really pushed hard on how well connected they were with the agency we were going with. And I don't know, I never really felt great about them. I'm not going to throw any shade, but I'd be surprised if they're still around, but it is, it's nice to hear though, that, I mean, that is part of it is that relationship is important that they understand. Um, so maybe, maybe my read on that situation was, was a little off. Maybe that was an important aspect that I, uh, didn't pick up on. Um, but yeah, those are really helpful tips.
Tim Winkler:Yeah. Super helpful on the, on the 3PAO vetting. And I guess to kind of put a bow on the, on the discussion at large, any advice for just companies considering FedRAMP at large, like the when and the why that you would, Just want to point out and closing.
Nick Rundhaug:Yeah, I can, I can start. Um, we, we get a surprisingly large amount of CSPs, cloud service providers that come to us, find us first. They're actually probably looking for consultants, advisors. Um, and then we also see through that and those initial kind of steps of as well as the actual assessment and we see a lot of items that stop. You know, kind of a showstopper or cause issues. Um, one is just kind of what Sarah is saying is just get familiar with it. You know, a lot, a lot of that, that stuff is out there, um, on the FedRAMP website. There's a lot that's not right. A lot of the guidance that's, that's missing and you have to kind of learn it, but there's a lot that's out there that shockingly, Folks just don't know even though it's ready. It's ready there. So, um, there's a thing called a readiness assessment report and it's, uh, the templates are out there. So is the system security plan template within that is essentially an open book test. Everything you need to do is out there. There's items that they've even designated mandates, right? So encryption, it's 140-2, 140-3, as well as scanning requirements. Those are the two biggest issues that we run into as far as the technical implementations that cause a delay. And time is money, right? Because you want those federal contracts, the quicker you can get them, the quicker this pays off and your return investment comes through. So, focusing on that early and building it and architecting it into the system early is absolutely critical. So, being familiar with those requirements and distilling them down to the technical requirements and the mechanisms you can do to employ. Um, Huge pride, pride. Number one thing. I think that, um, I think, uh, CSPs could do early with their engineers is just plan for that. Know they have to do it and get familiar with those.
Mike Gruen:It's funny that sorry, just to jump in. It's funny that you mentioned the encryption 1 because that was 1 that when we were doing our self assessment, we're doing all of the readiness and bubble on all the scans. Our, it came back that our, well, we were using one that wasn't compliant, but it was actually higher that like we were doing more than what was in the standard and that tripped us up a lot because it was like, how do, how are we going to navigate this? We weren't really sure. And, uh, eventually we figured it all out, but it's, it's these weird things that you don't even, you think, Oh yeah, we're, we're great. We're fine. And then it's like, Oh no, actually you're not. And
Nick Rundhaug:the
Tim Winkler:scanning, I mean,
Nick Rundhaug:there's requirements on, you know, CVSS 3.0 scoring and a high has to be remedied in 30 days. That's hard to do on a re you know, and repeat that. So knowing that ahead of time, get your teams ready, having a few practice months. Looking at your DNSSEC, making sure it has all those parameters in there that you don't wait till the last minute because sometimes that can take months to deploy and that's an item that you have to have in place in order to proceed. So there's these gates in place. So, yeah.
Tim Winkler:Yeah, really helpful. Sarah, anything that you would add to that?
Sara Mazer:Oh, absolutely. I have a lot of advice is the first thing I'd advise on is finding an advisor, somebody who has before maybe a fractional CTO, somebody out there that's just a mentor, somebody that you can ask questions to, there's a lot of changes that are going on right now in the FedRAMP office. The OMB wrote a draft memo on October 23 and they just updated it for, um, I think on the 26th of July for changes to the FedRAMP program, one of which is removing the JAB, which is the DOD side of authorization. So, what that means is, The FedRAMP office is a little bit overwhelmed right now. So it is possible to get FedRAMP authorized, but it's going to take even longer. So just finding somebody who's kind of connected to that world to be able to figure out how to take advantage of the situation or get to the front of the line or get advice on how to work with the PMO is really critical, but then there's like internal advice that I have as well. Which just you need to learn how to set the appropriate expectations with your own executive leadership and board that can cause a lot of friction if everybody's not aligned. And there's always friction between sales and engineering or security, but it just seems to increase when you're talking FedRAMP and there's a lot of money that's been invested and at stake and you've got customers waiting. So learning how to set those expectations and that's where an advisor could potentially help. Um, that's really going to get you going like out of the gate really well, uh, in a good position. But then also looking at the market fit of your product, like, do you even really want to do that? Do you want to target civilian agencies over DOD? Maybe FedRAMP isn't the way to go. Maybe you want to go right to DOD and do something that's more on prem and focus on their impact level, uh, accreditations instead of FedRAMP. 
There's a lot of pros and cons, and that's what we talk a lot about internally, as well as the Federal Cloud Advisory Board. Um, not everybody is, uh, seeing ROI on FedRAMP, to be honest. Don't assume that if you build it, people will come. There are people, if you go on the marketplace and you see they're in FedRAMP ready stage, they've been there a while and they have not found a sponsoring agency. And with the removal of the JAB, now you really do need an agency sponsor. And a lot of agencies are being asked to sponsor and they're kind of overwhelmed as well. And it's much harder to find a sponsor. So you need to make sure that you've really got that down. And you found a sponsor. You're pretty sure you're going to get a sponsor before you think about investing such a huge amount of money into. Yeah,
Tim Winkler:it's really sound feedback. And I love the, like the fractional, you know, CTO concept, you know, a lot of the listeners from our community are. Startups are, you know, very small businesses, right? Where, you know, it costs is everything in a lot of ways. And the idea of biting off more than you can chew before, uh, really getting a good picture and make it a little bit more of an investment up front with a fractional CTO to give you some, some guidance and advisor or some sort of a mentor in that space. I think that's, that's fantastic. Uh, fantastic idea and great feedback for a company that's either short on a runway or what have you, when it comes to. You know, expenses. So, um, Yeah, really, really great Intel. All right. Well, I think, uh, that kind of, uh, puts a wrap on, on the main discussion. So we're going to pivot to our final segment, uh, the five second scramble. Uh, we're just going to do a little bit of a rapid fire Q and a, um, some business, some, some personal, not, we're not getting too personal here. Uh, Mikey, why don't you lead us off with Nick and then I will, uh, get to Sarah. Sounds good.
Mike Gruen:All right. And also, these questions are going to be different for both of you. So, Sarah, don't bother. I mean, some of them might might repeat, but no, no, no need to take notes. All right, so here we go. What's the most common misconception about FedRAMP?
Nick Rundhaug:Common misconception about FedRAMP? Um, I think It would probably be on, uh, sponsors and, uh, kind of a lot to what Sarah just said, but, um, that if you build it, that you'll, they'll come. Um, finding a sponsor is one of the hardest things that, that CSPs seem to have. And, um, luckily there has been a little bit of traction of FedRAMP is coming up with, uh, kind of a JAB replacement as well as DOD on their own, and, uh, Issued a memo where there's a FedRAMP equivalency for contractors, um, so that they can, uh, go that route if they don't have a sponsor, but their, their products being used by actual, you know, contractor to subcontractor. So, we just, we've been hearing a lot, really 2023, 2024, trouble finding sponsors, like Sarah was saying, I think a lot of the sponsors out there, they're kind of at the limit. And FedRAMP kind of needs to address that because you have a bunch of kind of a top five, in my opinion, of sponsors, and they got a lot that they sponsor. So that's a lot of check ins they have to do. And I think they're a little overwhelmed. So I think the 1 of big misconceptions is that it is easy to find it if your product is that good. And that's not always the case. Sometimes it's first to market.
Mike Gruen:Uh, what's your favorite type of, uh, CSP to work with? Ooh,
Nick Rundhaug:man. Um, I've actually worked with quite a bit of, yeah, the, the ones that upload evidence early. How about that?
Tim Winkler:I
Nick Rundhaug:love it. But, but, but yeah, but yeah, Sarah, they, um, if we can get onsite and, uh, or onsite, uh, we start our interview portion, which is like the, kind of the main, main portion we're going through all those 18 control families. And we have, I mean, I'll say even approach it 70%. I'd love a hundred percent centers. Those are my favorite ones. Cause we will finish likely on time and, uh, everyone will be happy. So, uh,
Mike Gruen:what's the best piece of advice you've ever been given?
Nick Rundhaug:Oh, man. Um, Uh, a quote from Bruce Lee and, and it was, uh, to hell with opportunity. I create my own opportunity, um, to, to just essentially to just go in and do it yourself, right? Like go in, like open a NIST special pub, read the whole thing, go and figure it out yourself. Don't, you don't have to rely on other people to give you that answer. Answers are out there. Uh, experience is out there. Everything's out there. Just go find it,
Mike Gruen:you know? Awesome. Uh, what problems is Schellman solving? Uh, we
Nick Rundhaug:single single source for all assessments. Uh, really, uh, trying, trying to make it easier for folks to just reduce that audit fatigue. I hear it all the time. Right? We're constantly in assessments that we can. We can make it and work with you to make it to submit 1 piece of evidence, and we can look at it for all your different frameworks. That's that's where a lot of that value comes in along with, um. You know, same people that just same faces every year.
Mike Gruen:Uh, favorite company value, uh, say what's your favorite company value, like value that we have. Yeah. Cultural value. Yeah.
Nick Rundhaug:Yeah. Yeah. I mean, uh, I think investing in your people, like a company is it's people that that's the product, right? Is, um, you know, there, there is, there is always technology before professional services. It's the people, um, are going Glassdoor. You'll see really high ratings for us. And I think that's reflected like investing in the people that they stay develop that expertise. Uh, good leadership means that it flows down, down to the assessor all the way to the top. And, uh, uh, company reflects that, uh, what was your dream job as a kid? Oh, man, I think I wanted to be a, a chef or a ninja, but I don't think ninjas pay well. Um, so, uh, uh, I, I don't cook at all, but I think that was it. I think it was chef
Mike Gruen:something with knives. What's the large speaking of what's the largest land animal you think you could take in a street fight? No weapons, just bare hands
Nick Rundhaug:and I'll probably just a dog, but man, not too big of a dog. I see that some of those, those pit bulls are like pure muscle. I don't know. I could take out pit bull, but you know, a smallish dog, maybe bring it back to that pairing. Okay. Uh, I hope I don't have to test it out, but I used to run a lot and I remember being chased. I can outrun dogs at a certain amount of distance, but they're close enough. No way.
Mike Gruen:Um, what's something you love to do, but are really bad at?
Nick Rundhaug:Oh yeah. Some of the, some of the, I love, I'm a big video gamer. So some of the new, new games, I just can't, I can't keep up, man. I tried that Fortnite. That was impossible. You have to build. I can't build. You know, I can, I'm a Doom, Wolfenstein kind of a guy. I
Mike Gruen:don't build in my first person shooter, so I wish I was better at that. Um, I'm going to jump ahead because it's tied in. What's the worst video game you've, uh, you've played worst? Oh, man,
Nick Rundhaug:uh, the, uh, Superman for Nintendo 64, anyone that knows, knows it. It's one of the worst ones. I still, to this day, though, I'm not a big Battletoads fan. I think it's, it's impossible. Um, so I'll also go with Battletoads. All right. Controversial.
Mike Gruen:Last one. Uh, what's a charity or corporate philanthropy that's near and dear to you?
Nick Rundhaug:Yeah. Uh, I'm a, I'm a veteran. Um, I've worked, um, with Wounded Warrior, uh, a few different times, uh, really liked them and, uh, had a friend that, that worked directly for them, uh, as well. So I always give a shout out to WWP. Awesome. Good job. All right.
Tim Winkler:All right. Great answers. Minus the Battletoads answers. I agree though. It is near impossible. Isn't it? Like, have you ever, did you ever beat Battletoads? No, no,
Nick Rundhaug:maybe, maybe with a Game Genie, but no.
Tim Winkler:Awesome. Uh, all right, Sarah, are you ready? Sure. All right, let's do it. Can you describe the culture at LaunchDarkly? The
Sara Mazer:culture is developer first. And so that includes just supporting our own developers, but then we eat our own dog food and we produce a product that really does support developers over anybody else, which is pretty cool to see. So we do things that compete with other companies out there, um, say with experimentation that are geared towards more marketing. Roles, but we're always developer first and that's just core to our philosophy. And we try to make our own lives better. And then by doing that, we make our customers lives better.
Tim Winkler:So what kind of technologist thrives at LaunchDarkly?
Sara Mazer:I think people that really care about the user experience for our product. So it's not just writing cool features, but actually seeing the excitement from our customers and getting that feedback and going back again, if we make a mistake and making sure that we get it right. And so the whole feedback loop and hearing and celebrating success. So we've got a lot of internal feeds where we have somebody, you know, It has a good comment out there on Twitter about LaunchDarkly or on our own support channel. We celebrate that internally.
Tim Winkler:What kind of tech roles are you all usually hiring for?
Sara Mazer:So there's many different tech roles from on the presale side, solutions engineering to professional services to engineering. Um, I know we've had a couple of roles open for reliability engineers in past. Just, um, making sure that our customers have the best experience at all times. And platform engineers. So typical SaaS organization type growth.
Tim Winkler:What's an area of GovTech modernization that you're most excited to see in the next five years?
Sara Mazer:I'm excited to see where AI takes government and technology. So we're already seeing some people pilot AI within the government agencies. We're building features in our product to help people use AI, um, and kind of feature test or switch between different types of AI models or prompts. And I think that's really taking off and it's gonna help the government agencies in so many ways, just write code faster, do things with less people. Um, and it's gonna be an exciting, you know, five years.
Tim Winkler:Can you describe your morning routine?
Sara Mazer:Oh, um, morning routine. I get woken up by my dogs and have to take them out and go for a walk, usually a mile around the block because it takes forever for my one dog to decide to go to the bathroom and then, uh, get back in and eat breakfast and then get online and get ready for the day. Um, and then I do a series of meetings with, um, Talking to customers about potentially using LaunchDarkly or solving heart problems or talking about FedRAMP, trying to decide where we're going. Going from here, um, talking about veteran pie as an example and working with DoD organizations and how are we going to do that? So, um, it takes me through the evening and then I chill out watching some YouTube before I go to bed.
Tim Winkler:Nice. How do you handle, uh, your dogs when they get into a street fight with Nick? Um, uh, moving on. What is your favorite app on your phone?
Sara Mazer:It's got to be YouTube or TikTok. I admit that, like, you know, if I'm, if I have some downtime, even five minutes, I'm like scrolling through TikTok, seeing what's, what's happening. I, I heard Mike's question about the, the thing that you'd love to do, but you really are horrible at, for me, it's like TikTok dances, like a breakdance through way back in the eighties. And like, I, my, my brain thinks that I can do that, but yeah,
Tim Winkler:some of those dances are super impressive. Um, what's a charity or a corporate philanthropy that's near and dear to you?
Sara Mazer:Yeah, there's one is speaking of dogs and pets. There's one in Gaithersburg, Maryland. It's called House with a Heart. And it's for senior dogs, and so it's a woman who has like tons and tons of little dogs and in her home and people come and volunteer, send her donations, and they're all very senior dogs, last stages of their lives, but it's just heartwarming to see that there are people like that out here on the planet that have such a heart to take care of dogs and need like that.
Tim Winkler:Very cool. If you could have dinner with any celebrity past or present, who would it be with?
Sara Mazer:Uh, I think probably Oprah comes to mind. I just think she might be fun to hang out with and certainly has met so many interesting people and I could chill out on her fancy yacht.
Tim Winkler:Good answer. What is the worst fashion trend that you've ever followed?
Sara Mazer:Oh man, there's been so many. I think I used to, I used to be a big Madonna lover back in the 80s. Now you guys know how old I am, but I used to dress like Madonna with the gloves, the lace gloves and all the beads around my neck and everything. I don't think there's that many pictures of me like that. Thank goodness. But yeah,
Mike Gruen:pre pre TikTok. It's it works out. Yeah.
Tim Winkler:Uh, all right. Last one. What is one thing that is still on your bucket list?
Sara Mazer:Oh, I want, um, I want to go to Svalbard, which is one of the islands, um, north of Norway that just seems so cool to me. It's like they have, um, polar winter and like, During the winter, there's no sun for months, and then in the summertime, it's just constant sun and beautiful landscapes, and so I want to go there someday. It's on my bucket list. Yeah. S V A L B A R D.
Tim Winkler:Oh, very cool. Yeah. I have a friend that went to Norway and some of the pictures were just incredible. Um, cool. All right. That is a wrap. That wasn't too difficult. Was it? But quick, quick and easy. Thank you both so much for joining us. Uh, you both been really fantastic guests and sharing your knowledge and the, uh, the FedRAMP space. I'm sure it's going to be very helpful for, for any of those software companies out there looking to work with the, with the government. So thank you both for joining us on the pod.