
FedRAMP ROI Expectations: Separating Myth from Reality


Josh Beard, the Chief Strategy Officer of Constellation GovCloud, provides commentary to help companies separate myth from reality when setting FedRAMP ROI expectations. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

The world’s largest buyer of IT and cybersecurity solutions is not a tech giant or a Fortune 50 company but the U.S. Federal Government. In 2024, U.S. federal agencies will spend more than $80B on private IT solutions and $9B on cloud-based solutions specifically. This represents a huge sales opportunity for vendors, and the venture capital and private equity firms that back these companies are eager to see these solutions scale within the U.S. public sector market. But the journey is not for the faint of heart. Before a federal agency can purchase any solution, that solution must achieve FedRAMP authorization. This is typically a multi-year, multi-million-dollar investment, and even then, there is no guarantee of ROI.

It is critical for business executives and their backers to separate myth from reality when it comes to FedRAMP. Expectations are often based on assumptions, anecdotal stories, and hopes of large contracts immediately following approval. In reality, it usually takes several years and significant product and compliance investments to build enough traction to convert to revenue. It’s not uncommon for companies to invest $1-4M in FedRAMP authorization, and business leaders who have been through the process frequently note that the technical requirements and retooling of the product to meet government-specific needs were more involved and time-intensive than originally anticipated. But the process doesn’t need to be a headache.

Rather than seeing FedRAMP as an expensive toll to pay to “get to the other side” where sales will come, it should be viewed as a strategic enterprise growth investment that requires proper planning and readiness. The following identifies strategies for assuring product, compliance, and market readiness, paving the way for monetizing the FedRAMP investment.

Seeing Double: Use a Digital Twin in Your FedRAMP Journey

Proving that your solution meets FedRAMP’s compliance requirements often requires multiple product iterations. Deploying a “digital twin” of the product helps to simulate how the solution would function in the federal market and can help expedite the FedRAMP audit process.

With this approach, the unique code is scanned as if it were in production, and any compliance gaps can be addressed early within the digital twin. This greatly streamlines the process and saves tremendous time, enabling engineering and development teams to quickly resolve any problem areas that could prevent the product from achieving FedRAMP authorization. Otherwise, each tweak to the actual product could take weeks, and communication among team members is inhibited because not everyone can access the code in the FedRAMP “bubble.” Beyond just the FedRAMP process, using a digital twin helps get changes approved and integrated for the lifetime of the product as well.

Shared Enterprise Priority: FedRAMP Requires Full Company Engagement

FedRAMP must be a combined effort from the entire company, from the C-suite, board, investors, IT, and compliance team to the sales department. It cannot be seen as just a compliance or a sales endeavor. All teams must work together to set overarching business goals and return on investment expectations. A cohesive plan must be put in place from the get-go. This plan requires data analysis on government programs that may need your type of solution, budget allocation for those programs, and competing offerings in the space. The plan should also include key milestones, timelines, budgeting, and incentives for both the sales and compliance teams.

Importantly, sales should not be viewed as starting only after the compliance goal (FedRAMP authorization) has been achieved. Instead, a complete go-to-market plan must be implemented in concert with compliance efforts. The first federal sale should be everyone’s end goal. Think of the infamous anecdote of the NASA janitor telling President Kennedy that he was helping to put a man on the moon—this is the mentality the entire organization needs to have around not just achieving FedRAMP authorization but actually beginning to sell into the U.S. Federal Government.

The FedRAMP journey could also help vendors pursue critical infrastructure markets and other highly regulated industries like energy, financial services, and healthcare. Again, shared planning and involvement in the FedRAMP process will make it easier to achieve tangential business goals.

Consider Pursuing StateRAMP 

If pursuing FedRAMP still seems too daunting, consider pursuing StateRAMP authorization first. The StateRAMP process is less time-intensive and less expensive, but it still provides valuable entry into state and local government markets. Make adjustments to your plan as needed before tackling FedRAMP. This approach also enables companies to build traction with state and local government customers and learn how best to support government customers.

The most important thing for any company pursuing FedRAMP to remember is that FedRAMP authorization is not the end goal—revenue is the goal. Too often, solution providers relegate the FedRAMP approval process to a compliance team. However, it is impossible to properly analyze return on investment and calculate revenue if you only look at it through the compliance lens. The go-to-market team, compliance team, C-suite, and board must be involved in making the right strategic decision for the company. Following this approach yields benefits not just for the company but for the U.S. Federal Government market as well.

