Interview transcript
Terry Gerton We’re going to talk about one of everybody’s favorite topics, FedRAMP. It’s been around for years, but agencies are still struggling to get modern tools. So from your perspective, why is the process so hard for software and service companies to get through?
Irina Denisenko It’s a great question. Why is it so hard to get through FedRAMP? It is so hard to get through FedRAMP because at the end of the day, what is FedRAMP really here to do? It’s here to secure cloud software, to secure government data sitting in cloud software. You have to remember this all came together almost 15 years ago, which if you remember 15 years ago, 20 years ago, was kind of early days of all of us interacting with the internet. And we were still even, in some cases, scared to enter our credit card details onto an online website. Fast forward to today, we pay with our face when we get on our phone. We’ve come a long way. But the reality is cloud security hasn’t always been the, of course, it’s secure. In fact, it has been the opposite. Of course, its unsecure and it’s the internet and that’s where you go to lose all your data and all your information. And so long story short, you have to understand that’s were the government is coming from. We need to lock everything down in order to make sure that whether it’s VA patient data, IRS data on our taxpayers, obviously anything in the DoW, any sort of information data there, all of that stays secure. And so that’s why there are hundreds of controls that are applied to cloud environments in order make sure and double sure and triple sure that that data is secure.
Terry Gerton You lived the challenge first-hand with your own company. What most surprised you about the certification process when you tackled it yourself? What most surprise me?
Irina Denisenko When we tackled FedRAMP ourselves for the first time was that even if you have the resources and specifically if you $3 million to spend, you know, $3 million burning a hole in your pocket doesn’t happen often, but even if have that and you have staff on the U.S. Soil and you have the willingness to invest all of that for a three-year process to get certified, that is still not enough. What you need on top of that is an agency to say yes to sponsoring you. And when they say yes, to sponsoring you what they are saying yes to you is to take on your cyber risk. And specifically what they’re saying yes to is to spend half a million dollars of taxpayer money of agency budget, typically using contractors, to do an initial security review of your application. And then to basically get married to you and do something called continuous monitoring, which is a monthly meeting that they’re going to have with you forever. They, that agency is going to be your accountability partner and ultimately the risk bearer of you, the software provider, to make sure you are burning down all of the vulnerabilities, all of these CVEs, every finding in your cloud environment on the timeline that you’re supposed to do that. And that ends up costing an agency about $250,000 a year, again, in the form of contractors, tooling, etc. That was the most surprising to me, that again, even as a cloud service provider, who’s already doing business with JP Morgan and Chase, you know, healthcare systems, you name it, even that’s not enough, you need an agency sponsor, because at the end of the day, it’s the agency’s data and they have to protect it. And so they have do that triple assurance of, yes, you said you’re doing the security stuff, but let us confirm that you’re doing the the security stuff. That was the most surprising to me. And why, really, ultimately, we started Knox Systems, because what we do at Knox is we enable the inheritance model. So we are doing all of that with our sponsoring agencies, of which we have 15. Knox runs the largest FedRAMP managed cloud. And what that means is we host the production environment of our customers inside of our FedRAMP environment across AWS, Azure, and GCP. And our customers inherit our sponsors. So they inherit the authorization from the treasury, from the VA, from the Marines, etc., Which means that the Marines, the Treasury, the VA, didn’t have to spend an extra half a million upfront and $250k ongoing with every new application that was authorized. They are able to get huge bang for their buck by just investing that authorization, that sponsorship into the Knox boundary. And then Knox does the work and the hard work to ensure the security and ongoing authorization and compliance of all of the applications that we bring into our environment.
Terry Gerton I’m speaking with Irina Denisenko. She’s the CEO of Knox Systems. So it sounds like you found a way through the maze that was shorter, simpler, less expensive. Is FedRAMP 20X helping to normalize that kind of approach? How do you see it playing out?
Irina Denisenko Great question. FedRAMP 20X is a phenomenal initiative coming out of OMB-GSA. And really the crux of that is all about machine-readable and continuous authorization. Today, when I talked about continuous monitoring, that’s a monthly meeting that happens. And I kid you not, we, as a cloud service provider, again, we secure Adobe’s environment and many others, we come with a spreadsheet, an actual spreadsheet that has all of the vulnerabilities listed from all the scans we’ve done over the last month, and anything that is still open from anything prior months. And we review that spreadsheet, that actual Excel document, and then after the meet with our agencies and then, after that meeting, we upload that spreadsheet into a system called USDA on the FedCiv side, eMass, DOW side, DISA side. And then they, on their side, download that spreadsheet and they put it into other systems. And I mean, that’s the process. I think no one is confused, or no one would argue that surely there’s a better way. And a better would be a machine readable way, whether that’s over an API, using a standard language like OSCAL. There’s lots of ways to standardize, but it doesn’t have to be basically the equivalent of a clipboard and a pencil. And that’s what FedRAMP 20X is doing. It’s automating that information flow so that not only is it bringing down the amount of just human labor that needs to be done to do all this tracking, but more importantly, this is cloud security. Just because you’re secure one second doesn’t mean you’re secure five seconds from now, right? You need to be actively monitoring this, actively reporting this. And if it’s taking you 30 days to let an agency know that you have a critical vulnerability, that’s crazy. You, you got to tell them in, you know, five minutes after you find out or, you know to put a respectable buffer, a responsible buffer to allow you to mitigate remediate before you notify more parties, maybe it’s a four day buffer but it’s certainly not 30 days. That’s what FedRAMP20X is doing. We’re super excited about it. We are very supportive of it and have been actively involved in phase I and all subsequent phases.
Terry Gerton Right, so phase II is scheduled to start shortly in 2026. What are you expecting to see as a result?
Irina Denisenko Well, phase I was all about FedRAMP low, phase II is all about FedRAMP moderate. And we expect that, you know, it’s going to really — FedRAMP moderate is realistically where most cloud service offerings sit, FedRAMP moderate and high. And so that’s really the one that the FedRAMP needs to get right. What we expect to see and hope to see is to have agencies actually authorized off of these new frameworks. The key is really going to be what shape does FedRAMP 20x take in terms of machine readable reporting on the security posture of any cloud environment? And then of course, the industry will standardize around that. So we’re excited to see what that looks like. And also how much AI does the agency, the GSA, OMB and ultimately FedRAMP leverage because there is a tremendous amount of productivity, but also security that AI can provide. It can also introduce a lot of risks. And so we’re all collaborating with that agency, as well as we’re excited to see what, you know, where they draw the bright red lines and where they embrace AI.
Terry Gerton So phase II is only gonna incorporate 10 companies, right? So for the rest of the world who’s waiting on these results, what advice do you have for them in the meantime? How can companies prepare better or how can companies who want to get FedRAMP certified now best proceed?
Irina Denisenko I think the end of the day the inheritance model that Knox provides — and, you know, we’re not the only ones, actually there’s two key players.; it’s ourselves and Palantir. There’s a reason hat large companies like Celonis like OutSystems like BigID like Armis who was just bought by ServiceNow for almost $8 billion. There’s reason that all those guys choose Knox and there’s a reason Anthropic chose Palantir and Grafana chose Palantir, because regardless, FedRAMP 20X, Rev 5, doesn’t matter, there is a massive, massive premium put on getting innovative technology in the hands of our government faster. We have a window right now with the current administration prioritizing innovative technology and commercial off-the-shelf. You know, take the best out of Silicon Valley and use it in the government or out of Europe, out of Israel, you name it, rather than build it yourself, customize it until you’re blue in the face and still get an inferior product. Just use the best and breed, right? But you need it to be secure. And we have this window as a country. We have a window as country for the next few years here to get these technologies in. It takes a while to adopt new technologies. It takes awhile to do a quantum leap, but I’ll give you a perfect example. Celonis, since becoming FedRAMPed on August 19th with Knox — they had been trying to get FedRAMPed for five years — since getting FedRAMPed on august 19th, has implemented three agencies. And what do they do? They do process mining and intelligence. They’re an $800 million company that’s 20 years old that competes, by the way, head on with Palantir’s core product, Foundry and Gotham and so on. They’ve implemented three agencies already to drive efficiency, to drive visibility, to drive process mining, to driving intelligence, to drive AI-powered decision-making. And that’s during the holidays, during a government shutdown, it’s speed that we’ve never seen before. If you want outcomes, you need to get these technologies into the hands of our agencies today. And so that’s why, you know, we’re such big proponents of this model, and also why, our agencies, our federal advisory board, which includes the DHS CISO, the DOW CIO, the VA CIO are also supportive of this because ultimately it’s about serving the mission and doing it now. Rather than waiting for some time in the future.
The post FedRAMP is getting faster, new automation and pilots promise approvals in months, not years first appeared on Federal News Network.