by dcveloper 1471 days ago
I've worked in this field, as well. Both implementing a FedRAMP'ed PaaS and sponsoring a CSP from the customer side where FedRAMP compliance was required. One thing that is often missing in these articles is compliance costs. Most don't realize that FedRAMP compliance at a High baseline is likely a $750K - 1M investment.
3 comments

The cost is much higher than that when you account for the friction added to day to day developer work after compliance processes are put into place.

Adding 5% more friction on every step of development compounds a lot.

Then all the good developers leave. A series of decent people hire in, get frustrated and quit. After a while you just have a core group of either incompetent or desperate people hanging on.

Management can ignore it for a few years. Rebooting things isn't too hard. But then the issues that could be ignored can't be anymore. Eventually you get sold for the intellectual property or customer base.

If a "good developer" doesn't want to deal with the overhead of security, then, frankly, I have to ask why they are a "good developer"?

Why does security and compliance frustrate "good developers"? Is it the extra steps required? Is it that it sometimes (often?) means that they don't get to work with bleeding edge/greenfield technology and feel left out?

This seems like the heart of the security issue, IMO. Sure, there are investors and managers who don't prioritize this work, and there are definitely concerns with the amount of investment it takes to accomplish ... but if a large majority of the engineering team were pushing for security and compliance as part of their normal routine in the same way they push for things like automation, would that solve some of the other issues too?

So in that case it's much less about a company not desiring to comply with these costs and much more about not realistically being able to afford to do so?
Ouch, I had no idea it cost that much. What are the main cost areas?

What would you estimate compliance at a Moderate baseline would be?

1. Engineer costs - A PaaS at the high baseline will likely implement 300+ controls. It's been a while since I looked at an IaaS CSP's FedRAMP package, but they typically implement roughly 100 fully implemented controls. The rest is on the customer to fully implement or engineer completely. Likely 300K-500K worth of engineering costs.

2. Assessment - 3PAO assessor will likely be 100K-200K. Most first-time CSPs may require more than 1 assessment as the process is usually (1) Assess (2) Submit to FedRAMP PMO (3) they provide feedback (4) limited time to implement. If you cannot implement in sufficient time, you'll have to reassess. Note, unless you are AWS, Azure, Google, FedRAMP PMO may not prioritize you without sufficient customer support. As a result, your contract with your 3PAO may have expired. You'll need to bring them in again.

3. Documentation experts – There's an art to generating the FedRAMP package. Engineers typically aren't good at it, and it often requires one level of abstraction above internal technical documentation. Having technical writing experts that know how to communicate the security implementation without diverging too much is a skill set. You share the bare minimum to get compliance, as there's business risk from sharing too much (sharing implementation details with a competitor or untrusted source). Also, the more technical details there are, the more audit questions often arise.

4. Control Implementation SMEs – Often your engineers don't know how to implement a required security control or don't know what the compliance people really want. Many CSPs hire a 3PAO assessor to advise you on how to implement. This cannot be the same 3PAO assessor that audits you.

5. Conflict between product/feature value versus control implementation - Sometimes a value or feature of your product directly conflicts with a control requirement. A good example is a CMS PaaS (WP as a service or Drupal as a service). Those CMSs often support user code, or user code that spawns processes. The High baseline requires process whitelisting. Solving this problem while not destroying that feature can be difficult or expensive.
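Point 5 above is about a platform that must let tenant code spawn processes while still enforcing a process allow-list. The following is an added illustration, not code from any of the commenters or from FedRAMP guidance: a small spawn gate that only permits executables whose resolved path and SHA-256 hash appear on a pre-built allow-list, and records every denial for audit. The sample "binaries" are constructed shell stubs written to a temporary directory; the function and file names are hypothetical.

```python
import hashlib
import os
import shlex
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Map each allowed executable's resolved path to its content hash.

    Keying by realpath means a symlink planted elsewhere cannot alias an
    allowed binary, and the hash pins the exact approved contents.
    """
    return {os.path.realpath(p): sha256_file(p) for p in paths}


def check_spawn(command, allowlist, audit):
    """Decide whether a tenant-supplied command may be spawned.

    Returns (allowed, reason). Every denial is appended to `audit`, which a
    PaaS would forward to its SIEM; here it is just a list.
    """
    argv = shlex.split(command)
    if not argv:
        audit.append(("deny", command, "empty command"))
        return False, "empty command"

    exe = os.path.realpath(argv[0])
    if exe not in allowlist:
        audit.append(("deny", exe, "not on allow-list"))
        return False, "not on allow-list"
    if not os.path.isfile(exe):
        audit.append(("deny", exe, "listed binary missing"))
        return False, "listed binary missing"
    # Re-hash at spawn time: an allowed path whose contents changed since the
    # allow-list was built (e.g. overwritten by tenant code) is refused.
    if sha256_file(exe) != allowlist[exe]:
        audit.append(("deny", exe, "hash mismatch"))
        return False, "hash mismatch"
    return True, "allowed"


def demo():
    """Exercise the gate against constructed stub executables (hypothetical names)."""
    with tempfile.TemporaryDirectory() as d:
        php = os.path.join(d, "php")
        convert = os.path.join(d, "convert")
        rogue = os.path.join(d, "rogue")
        for p, body in ((php, "#!/bin/sh\necho php\n"),
                        (convert, "#!/bin/sh\necho convert\n"),
                        (rogue, "#!/bin/sh\necho rogue\n")):
            with open(p, "w") as f:
                f.write(body)

        allow = build_allowlist([php, convert])  # rogue deliberately left off
        audit = []
        results = {
            "allowed": check_spawn(f"{shlex.quote(php)} -r 'echo 1;'", allow, audit)[0],
            "not_listed": check_spawn(f"{shlex.quote(rogue)} -x", allow, audit)[0],
        }
        # Simulate tampering: the allowed binary is modified after approval.
        with open(php, "a") as f:
            f.write("echo tampered\n")
        results["tampered"] = check_spawn(f"{shlex.quote(php)} -v", allow, audit)[0]
        results["denials"] = len(audit)
        return results


if __name__ == "__main__":
    print(demo())
```

The design point this shows is that "process whitelisting" for a tenant-code feature is not only a list of names: keying on the resolved path and re-checking the hash at spawn time is what keeps the control meaningful when tenants can write files, and the audit trail is what an assessor will ask to see.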