You need to know what FedRAMP is. Don't even bother clicking on the link until you do.
Founded in 2011.
> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.
Seems pretty bland to me. I'm not worried about this one.
It's a bland title for a key thing: It sets compliance standards for government use of cloud computing. Even companies like Google have had massive projects to get FedRAMP compliant so that the federal government can use their services.
And this announcement is basically just that they're going to massively lower the bar.
stackskipton 11 hours ago [-]
I used to work on FedRamp and I’m fine with it. It’s just like SOC2 compliance, mostly dog and pony show for auditors who have conflict of interest and no clue what they are auditing.
tw04 10 hours ago [-]
That’s just easily and provably not true. FedRamp is absolutely not “mostly dog and pony”.
See: Okta being compromised, and their FedRamp High environment remaining secure:
Your example doesn't give details so it doesn't mean much.
First FedRAMP high is extremely strict. Most ATOs are NOT for FedRAMP high. Most people are good with a FedRAMP moderate.
Also, this doesn't mean the security controls are what stopped those other environments from being hacked. The other systems are just separate, that's why they weren't hacked with everything else.
Overall I think FedRAMP is good, because it at least gets somewhat of a baseline. But the other guy was pretty spot on. The auditors generally have no idea what they're looking at, there are a lot of security controls that don't make sense under many contexts and it is mostly a dog and pony show.
And really, it's not like these departments didn't have some type of due diligence to acquiring software, FedRAMP just makes it standardized and allows departments/agencies to piggyback off of other department/agency's due diligence.
MrDarcy 7 hours ago [-]
The dog and pony show isn’t the point. Most companies are not blatantly committing fraud, especially against the federal government. It’s just not worth it. The process of thinking about the controls and speaking to them itself results in demonstrably more secure operating environments.
hoseyor 11 hours ago [-]
I wish I could vote more for this.
You forgot that it costs at min $1M to get certified up to several dozen millions once everything is said and done; and that does not guarantee any government contracts or agency purchases. You have to basically be a big player that can put up the money and because by any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.
TranquilMarmot 9 hours ago [-]
We got FedRAMP certified at a previous job. At first I balked at you saying it cost $1M but, doing some back-of-the-napkin math, that's probably pretty accurate once you take into account the salaries of everybody involved, time that we had to spend figuring out all the auditing, outside companies we had to hire and involve, and extra cloud costs and setup. Not to mention the ongoing cost of maintaining all of that and ongoing audits.
We were also a pretty small startup (~50 people?) but were focused solely on government data storage and management, so it made a lot of sense for us to get the certification. It definitely paid for itself in the number of contracts it unlocked.
kaydub 10 hours ago [-]
You are getting ripped off.
The 3paos can do FedRAMP audits for much lower. I've seen as low as $150k. We dropped our auditor for another because we were priced at $X, but when they came into our office and saw that we bring in a ton of money (we used to have our sales info on every screen on every floor of the office) they updated their pricing for next year's audit.
justincormack 4 hours ago [-]
Fedramp 20x is an attempt to change this and make it much cheaper and simpler to pass, via modernization.
dangus 10 hours ago [-]
Honestly if those numbers you’re providing are accurate, that’s not a lot of money.
The research I’ve done pegs the cost at $500,000 to $1.5 million.
That actually is “small SaaS company” territory.
And don’t forget that VCs throw more money than that around for much riskier propositions. The whole VC business is that you’ll have 1 success and 10 failures, throwing $2 million in hopes of landing a government contract (stable revenue above market rates) is probably a great investment for a lot of small/medium sized companies.
10 hours ago [-]
xvector 10 hours ago [-]
Anything involving auditors or policy people in tech turns into a clown show. Dunno what it is like for other industries (but my friends in pharmaceutical research feel similarly).
These are deeply nontechnical people attempting to enforce regulations drafted by deeply nontechnical people (typically academics that graduated from an Ivy but have zero industry experience, like the folks at modern-day RAND) and it's just a clown show all the way down.
voidfunc 10 hours ago [-]
That's the point. It's all designed to setup a huge moat around products and service providers that can play the game.
estebarb 11 hours ago [-]
It feels like enforcing that everything must be written in Ada. And then relaxing the requirement... history always repeats itself, it seems.
solardev 11 hours ago [-]
Sounds like a good time to invest in Russian VPS hosts.
alephnerd 11 hours ago [-]
> And this announcement is basically just that they're going to massively lower the bar
The FedRAMP bar was always dumb.
I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.
To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.
A lot of the innovation on the security vendor side is happening at early-mid stage startups, but sinking $15-20M and 1.5-
2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.
Spooky23 10 hours ago [-]
It’s mostly an easy button for procurement officers. You’re required to meet the control standards that FedRAMP requires anyway, and it saves months of the customer’s time to do it once.
Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway.
alephnerd 10 hours ago [-]
> It’s mostly an easy button for procurement officers
I know. I have never had an issue with FedRAMP as a single marketplace. The issue has always been arbitrary compliance requirements
> Startups are always problematic for government procurement
Absolutely, and ensuring that they are within a verified marketplace such as that which FedRAMP intended to make is good.
The issue is the upfront cost to become FedRAMP compliant is so high, that most vendors do not even try until extremely late in their lifecycle.
Furthermore, a lack of vendors does lead to extremely suboptimal pricing. There is some cost to recoup from going through FedRAMP compliance hurdles, but a lot of it is also because once you are FedRAMP compliant, depending on the tooling, you have a captive market with maybe 1 or 2 competitors.
> Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway
I'm not talking about SIs or MSSPs. I'm talking about specific FedRAMP compliance partners. They provide no value except checkboxing, but all of vendors need to partner with them.
drivingmenuts 9 hours ago [-]
Well, it explains why all the SV billionaires were so hot to get Trump in office. Basically, a taxpayer funded payday for them.
mindslight 8 hours ago [-]
Trump is basically living the dream of every computer illiterate boomer who responds to a text message asking for their bank account details so stolen money can be deposited. "This cyber thing is pretty great. I've been saying this for a long time, thanks J-Kush. By the way, I said, I'm sorry for calling you 'mid' yesterday. Am I am I using that right? I am using that right. I'm not doing that to brag, because, you know what, I don't have to brag."
SomaticPirate 11 hours ago [-]
Everyone in startups should be a fan of this. More competition in government space is a net benefit for everyone.
Its quite funny to see the comments complaining about "lowering the bar" when FedRAMP compliance is essentially a compliance regime that is so convoluted that most startups wouldn't be able to afford the entry barrier.
Now, there is a chance that a smaller vendor could feasibility compete with a massive consultancy like Accenture since the artificial barriers have been decreased.
FedRAMP compliance are also required for SaaS vendors. Datadog is famous for having it (and it took them awhile)
So, is there any evidence of actual improvement in anything that taxpayers care about?
Spooky23 10 hours ago [-]
The .gov be able to host cloud products in their tenants, and get the ability to do so more quickly. Perhaps cheaper.
It’s probably a good thing.
alephnerd 11 hours ago [-]
Better procurement rates.
I've been a Engineer, PM, and VC in the cybersecurity for more than a decade now, and most of us would need to spend $15-20M and 1.5-2 years just to get FedRAMP compliance.
In return, most vendors charge significantly higher than private sector rates despite selling the exact same product. And usually, an oligopoly forms per security feature.
Making it easier to have multiple vendors makes it easier for federal agencies to negotiate a competitive price.
kaydub 9 hours ago [-]
If it's costing $15-$20M to get a FedRAMP ATO you are probably doing at least some things VERY wrong. A ton of the security controls you should already be implementing in ANY environment.
Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.
Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a li-saas and then later a moderate ATO to encompass more of our products.
The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additinoal salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.
The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.
tguvot 9 hours ago [-]
I work for an established saas company with rather large and complicated system. For fedramp we had to build a new dedicated environment (because it was impossible to certify existing one which is hybrid, located in multiple countries ), hire dedicated us personal (agency requirements) and redo a bunch of internal processes to comply with fedramp controls.
I think cost was around $15m
alephnerd 7 hours ago [-]
This.
Spivak 9 hours ago [-]
> I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls
That's kind of cheating, no? It's practical but "I moved the company to a hosting provider that already did all of the hard bits" understates the difficulty.
tguvot 7 hours ago [-]
There is also a difference between dozen of vm or containers that were developed in last couple years by startup and hybrid behemoth with "legacy tech" that developed and supported by hundreds of people over decades.
Former you can lift and shift easily. For later it's multimillion investment that takes a bunch of time to implement
downrightmike 11 hours ago [-]
[flagged]
bluedino 10 hours ago [-]
Every FedRAMP/GRC cloud service seems to be some funky version that's missing features or behind on releases
solatic 6 hours ago [-]
FedRAMP High requires having separate operators (developers are not allowed to deploy directly to production). Being behind on features is considered a feature, not a bug.
tguvot 10 hours ago [-]
Updates of service that alter controls, change crypto libraries and some other stuff require assessment and approval.
For most of companies it's easier just to update it once a year of ever
0xbadcafebee 10 hours ago [-]
So for ya'll who haven't been involved with DoD/secret/etc cloud projects, there's a bunch of jargon to learn, but suffice to say there's a lot legally-required standards that define the right way to run secure government IT. It's normal good practice, but cranked up, standardized, and verified.
There is a problem though. With so many companies moving projects to the cloud, the government would need to take time to verify everyone is as secure as they're supposed to be. But that would require a huge number of new employees (thus $$$) and it would still take a lot of time. So how does the government make sure they're all secure before they send them secret data? Here's a tip:
> The concept emphasizes security over compliance
Huh? How can you have security without compliance?
Afaik, "compliance" means "we make sure they're as secure as they say they are". And how do they do that? For the past few years at least, it's involved a process called self-attestation. The company fills out a bunch of forms, and sends them to the government, saying "we promise we are doing all these things like you told us to". And then the government... takes them at their word. As you can imagine, with millions/billions of dollars to earn, companies might be incentivized to fudge it a bit. And fudge it they do... (not just FedRAMP, but NIST 800-54, 800-171, CMMC v1/2/3, etc etc).
Now, with so many companies and use cases, there are obviously some things that won't apply to some companies, so it would be nice if they could avoid that red tape. With the old processes, if you were actually doing things the right way, it could take a company between 6 months and 1 year to set everything up securely / the way the govt wants it. There's a whole cottage industry dedicated to helping companies understand how the fuck to follow these regulations. But since that's expensive and time consuming.... a lot of companies just fudge it, or call a friend who knows a friend who knows a General.
That was the state of things before this "20x" version of FedRAMP was released. Personally I was not thrilled by the state of things before, but this seems to be both accelerating the process, and providing less oversight. Not great for the military, not great for national security, but really great for "industry" and any military branch getting a contract faster and cheaper than otherwise.
(disclaimer: i'm a noob in this area, but I dipped my toes in last year, and "shitshow" would be one way to put it...)
paulddraper 7 hours ago [-]
Most people in the security space realize there are two things you do: (1) things for security (2) things for compliance.
And the Venn diagram has less overlap than you might think.
tguvot 10 hours ago [-]
Fedramp 20x as of now is only for low impact services that are hosted on fedramp authorized cloud.
It's not suitable for more complicated services.
On the upside, pmo seems to stop reviewing packages. It should resolve certification delays
tw04 12 hours ago [-]
If there’s one thing I don’t really want to see “accelerated” it’s the pace at which our state secrets add new, unvetted technology.
“Move fast and break things” is absolutely insane for the things that let us all sleep soundly at night…
derektank 11 hours ago [-]
FedRAMP services, even FedRAMP High services, aren't authorized to host classified material. My understanding is that those agreements are still largely negotiated directly between the intelligence / defense services and the big providers, such as the Joint Warfighting Cloud Capability contract. FedRAMP is a program for vetting SaaS services for use by government agencies broadly. FedRAMP Moderate and High certified services are qualified to host Controlled Unclassified Information, which might be sensitive and held by either the government or private companies like defense contractors, but I wouldn't call them state secrets per se
lordofgibbons 12 hours ago [-]
This is a false dichotomy. There's a massive grand canyon sized gulf between "unvetted technology" and whatever the hell SAP/Oracle/Tyler-Technologies are.
paulddraper 7 hours ago [-]
FedRAMP can’t have classified data.
This is for a lot of very benign government tools that that are expensive, stodgy, with very little competition.
echelon 12 hours ago [-]
What is this, exactly?
Is this Oracle (or whomever) getting government cloud contracts without a bidding / RFP process?
Is there adequate security review being done?
_bin_ 11 hours ago [-]
The point here is to avoid the oracles of the world getting everything. Please trust me on this one: fedramp isn’t really about security. Compliance with it doesn’t ensure it and noncompliance doesn’t preclude it. It was okay when originally released but that’s not been the case for years now.
tcfunk 12 hours ago [-]
Oracle was already on the FedRAMP list I think. AFAIK this is about getting smaller cloud providers approved to host government projects so there’s more options available.
ritwikgupta 11 hours ago [-]
This is about changing the way FedRAMP accreditation is done for any cloud service, like Box (or a new SaaS that you may create tomorrow). The FedRAMP process requires you go through a certain set of audits, meet a certain set of standards, etc., in order to be approved to host CUI (IL4/5) or SECRET (IL6) information.
Normally this can take a lot of time and monetary investment. On one hand, these processes encode cybersecurity best practices. On another hand, it keeps new companies out of the market.
It seems this effort is doing away with a lot of those processes. I hope the level of compliance stays the same.
kaydub 9 hours ago [-]
I'm pretty sure IL4/5/6 are all outside the scope of FedRAMP
tguvot 11 hours ago [-]
IL 4/5/6 actually add a bunch of additional controls and parameters on top of standard fedramp baselines
ksec 11 hours ago [-]
But why would any agency chooses smaller cloud providers other than Oracle, AWS, Azure and Google? They are the lowest risk selection in terms of responsibility.
Edit: Another comments actually replied it is much more than hosting but cloud services like BOX. I assume even SaaS could fall into this category.
justincormack 4 hours ago [-]
SaaS companies, not just cloud providers.
Spooky23 10 hours ago [-]
They tend to converge on each other. Also the Feds may have particular needs for connectivity, location, etc.
cyberge99 11 hours ago [-]
To stay off the radar. To do shady stuff at a small company that you can easily control/manipulate.
tguvot 11 hours ago [-]
Saas is most common use case
ecb_penguin 10 hours ago [-]
Serious question: Why don't you spend a few minutes learning about it, rather than throwing negative comments out?
Do you think vomiting a negative talking point without understanding it is considered "smart"?
tomrod 11 hours ago [-]
FedRAMP is a set of technologies vetted by a common standard by GSA. It assists in moving technologies from one-off authority to operate (ATO) with a specific CIO office in an agency or department to a shared standard.
It takes some investment, but it is cheaper than each company jumping through arbitrary hoops and opens most of the federal government as a client.
It was part of the brainchild of GSA's 18F, recently DOGE'd.
Founded in 2011.
> The FedRAMP PMO mission is to promote the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment.
Seems pretty bland to me. I'm not worried about this one.
[1]: https://en.wikipedia.org/wiki/FedRAMP
See for example: https://fedscoop.com/google-earns-fedramp-high-authorization...
And this announcement is basically just that they're going to massively lower the bar.
See: Okta being compromised, and their FedRamp High environment remaining secure:
https://www.meritalk.com/articles/okta-hack-didnt-touch-fedr...
First FedRAMP high is extremely strict. Most ATOs are NOT for FedRAMP high. Most people are good with a FedRAMP moderate.
Also, this doesn't mean the security controls are what stopped those other environments from being hacked. The other systems are just separate, that's why they weren't hacked with everything else.
Overall I think FedRAMP is good, because it at least gets somewhat of a baseline. But the other guy was pretty spot on. The auditors generally have no idea what they're looking at, there are a lot of security controls that don't make sense under many contexts and it is mostly a dog and pony show.
And really, it's not like these departments didn't have some type of due diligence to acquiring software, FedRAMP just makes it standardized and allows departments/agencies to piggyback off of other department/agency's due diligence.
You forgot that it costs at min $1M to get certified up to several dozen millions once everything is said and done; and that does not guarantee any government contracts or agency purchases. You have to basically be a big player that can put up the money and because by any number of the various methods of corruption, you already know that you will have government contracts waiting for you on the far side.
We were also a pretty small startup (~50 people?) but were focused solely on government data storage and management, so it made a lot of sense for us to get the certification. It definitely paid for itself in the number of contracts it unlocked.
The 3paos can do FedRAMP audits for much lower. I've seen as low as $150k. We dropped our auditor for another because we were priced at $X, but when they came into our office and saw that we bring in a ton of money (we used to have our sales info on every screen on every floor of the office) they updated their pricing for next year's audit.
The research I’ve done pegs the cost at $500,000 to $1.5 million.
That actually is “small SaaS company” territory.
And don’t forget that VCs throw more money than that around for much riskier propositions. The whole VC business is that you’ll have 1 success and 10 failures, throwing $2 million in hopes of landing a government contract (stable revenue above market rates) is probably a great investment for a lot of small/medium sized companies.
These are deeply nontechnical people attempting to enforce regulations drafted by deeply nontechnical people (typically academics that graduated from an Ivy but have zero industry experience, like the folks at modern-day RAND) and it's just a clown show all the way down.
The FedRAMP bar was always dumb.
I've been in the cybersecurity industry for more than a decade now, and while FedRAMP was envisioned as a way to streamline Fed cloud and security procurement, it ossified extremely quickly.
To get FedRAMP you ended up having to work with a handful of dedicated FedRAMP partners, and your development velocity would dramatically decrease as you spent most of your time dealing with compliance BS that didn't actually affect your security posture.
A lot of the innovation on the security vendor side is happening at early-mid stage startups, but sinking $15-20M and 1.5- 2 years just to get FedRAMP compliance became too much of a lift, hence incentivizing consolidation amongst larger vendors.
Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway.
I know. I have never had an issue with FedRAMP as a single marketplace. The issue has always been arbitrary compliance requirements
> Startups are always problematic for government procurement
Absolutely, and ensuring that they are within a verified marketplace such as that which FedRAMP intended to make is good.
The issue is the upfront cost to become FedRAMP compliant is so high, that most vendors do not even try until extremely late in their lifecycle.
Furthermore, a lack of vendors does lead to extremely suboptimal pricing. There is some cost to recoup from going through FedRAMP compliance hurdles, but a lot of it is also because once you are FedRAMP compliant, depending on the tooling, you have a captive market with maybe 1 or 2 competitors.
> Startups are always problematic for government procurement, and unless you play in a space that is setup to handle small vendors, your business is going through partners anyway
I'm not talking about SIs or MSSPs. I'm talking about specific FedRAMP compliance partners. They provide no value except checkboxing, but all of vendors need to partner with them.
Its quite funny to see the comments complaining about "lowering the bar" when FedRAMP compliance is essentially a compliance regime that is so convoluted that most startups wouldn't be able to afford the entry barrier.
Now, there is a chance that a smaller vendor could feasibility compete with a massive consultancy like Accenture since the artificial barriers have been decreased.
FedRAMP compliance are also required for SaaS vendors. Datadog is famous for having it (and it took them awhile)
RFC-0005: Minimum Assessment Scope Standard, https://github.com/FedRAMP/rfcs/discussions/17
RFC-0006: 20x Phase One Key Security Indicators, https://github.com/FedRAMP/rfcs/discussions/18
RFC-0007: Significant Change Notification Standard, https://github.com/FedRAMP/rfcs/discussions/19
RFC-0008: Continuous Reporting Standard, https://github.com/FedRAMP/rfcs/discussions/27
It’s probably a good thing.
I've been a Engineer, PM, and VC in the cybersecurity for more than a decade now, and most of us would need to spend $15-20M and 1.5-2 years just to get FedRAMP compliance.
In return, most vendors charge significantly higher than private sector rates despite selling the exact same product. And usually, an oligopoly forms per security feature.
Making it easier to have multiple vendors makes it easier for federal agencies to negotiate a competitive price.
Care to explain those numbers? Bigger places I could see racking up the costs, but those numbers seem absurd.
Just for a reference, I've been the technical side of a FedRAMP audit for 2 different companies, 1 getting a moderate ATO and the other we first got a li-saas and then later a moderate ATO to encompass more of our products.
The first company, when I started, didn't even hit $10M ARR. The audit itself, at least the first one, cost us $150k (went up to $250k the next year). I migrated their workloads from a rack in a data center to AWS GovCloud and implemented all the FedRAMP security controls. The FedRAMP instance probably cost us $150k per year to run, plus probably $250k/yr in additinoal salaries. We heavily depended on free open source software, but there were definitely some tools I would've preferred to buy. Most of the controls should have already been enabled and there were only a couple which "cost" us anything.
The company I'm at now is much bigger. We're kinda a cybersecurity SaaS and we practice what we preach. Our FedRAMP audits have always gone off without a hitch. Took minimal changes to hit all security controls. It definitely helps that we're 100% cloud and cloud native though.
I think cost was around $15m
That's kind of cheating, no? It's practical but "I moved the company to a hosting provider that already did all of the hard bits" understates the difficulty.
Former you can lift and shift easily. For later it's multimillion investment that takes a bunch of time to implement
There is a problem though. With so many companies moving projects to the cloud, the government would need to take time to verify everyone is as secure as they're supposed to be. But that would require a huge number of new employees (thus $$$) and it would still take a lot of time. So how does the government make sure they're all secure before they send them secret data? Here's a tip:
> The concept emphasizes security over compliance
Huh? How can you have security without compliance?
Afaik, "compliance" means "we make sure they're as secure as they say they are". And how do they do that? For the past few years at least, it's involved a process called self-attestation. The company fills out a bunch of forms, and sends them to the government, saying "we promise we are doing all these things like you told us to". And then the government... takes them at their word. As you can imagine, with millions/billions of dollars to earn, companies might be incentivized to fudge it a bit. And fudge it they do... (not just FedRAMP, but NIST 800-54, 800-171, CMMC v1/2/3, etc etc).
Now, with so many companies and use cases, there are obviously some things that won't apply to some companies, so it would be nice if they could avoid that red tape. With the old processes, if you were actually doing things the right way, it could take a company between 6 months and 1 year to set everything up securely / the way the govt wants it. There's a whole cottage industry dedicated to helping companies understand how the fuck to follow these regulations. But since that's expensive and time consuming.... a lot of companies just fudge it, or call a friend who knows a friend who knows a General.
That was the state of things before this "20x" version of FedRAMP was released. Personally I was not thrilled by the state of things before, but this seems to be both accelerating the process, and providing less oversight. Not great for the military, not great for national security, but really great for "industry" and any military branch getting a contract faster and cheaper than otherwise.
(disclaimer: i'm a noob in this area, but I dipped my toes in last year, and "shitshow" would be one way to put it...)
And the Venn diagram has less overlap than you might think.
It's not suitable for more complicated services.
On the upside, pmo seems to stop reviewing packages. It should resolve certification delays
“Move fast and break things” is absolutely insane for the things that let us all sleep soundly at night…
This is for a lot of very benign government tools that that are expensive, stodgy, with very little competition.
Is this Oracle (or whomever) getting government cloud contracts without a bidding / RFP process?
Is there adequate security review being done?
Normally this can take a lot of time and monetary investment. On one hand, these processes encode cybersecurity best practices. On another hand, it keeps new companies out of the market.
It seems this effort is doing away with a lot of those processes. I hope the level of compliance stays the same.
Edit: Another comments actually replied it is much more than hosting but cloud services like BOX. I assume even SaaS could fall into this category.
Do you think vomiting a negative talking point without understanding it is considered "smart"?
It takes some investment, but it is cheaper than each company jumping through arbitrary hoops and opens most of the federal government as a client.
It was part of the brainchild of GSA's 18F, recently DOGE'd.