In the world of federal compliance, Independent Software Vendors (ISVs) face a confusing and often misunderstood problem: FedRAMP doesn’t apply to ISVs in the traditional sense.
ISVs are not within the scope of FedRAMP because they do not have a cloud-based “as a service” offering. Instead, ISVs build a software subscription package that gets built into an ecosystem with app components like Oracle, Salesforce, or ServiceNow.
For an ISV looking to do business with the Federal government, this presents a major issue. There is no traditional path for an ISV to achieve FedRAMP Authority to Operate (ATO). But ISVs are still subject to FedRAMP requirements in specific scenarios (ex. if they fall within the authorization boundary of a cloud service offering (CSO) into which they are incorporated) and are expected to achieve FedRAMP authorization to work with federal agencies.
ISVs must therefore pursue a custom solution to demonstrate the security of their offering for federal agency prospects — or miss out on opportunities to expand work in the federal sector.
Nuvolo, Inc. is an ISV which builds a suite of applications, which provide cloud-based connected workplace solutions, and is built on the ServiceNow Platform. Per NIST 800-145, an ISV does not fit into any of the NIST Definitions of Cloud Computing.
Like other ISVs, the company cannot undergo the typical FedRAMP process, and it’s not covered under ServiceNow’s FedRAMP authorization.
As the company began to scale within the federal market in 2020, this issue became even more apparent:
Nuvolo wasn’t able to participate in closed bids. The company was immediately disqualified based on “Yes/No” application questions related to FedRAMP authorization status. Applications provided no room to elaborate and explain the company’s position.
Lengthy Education Process
When Nuvolo was able to get in the door, company leaders spent hours educating multiple teams within each agency prospect (ex: ServiceNow owner, security system owner, business owner, legal team, etc.) about the nuances of FedRAMP and why the company wasn’t authorized.
Existing FedRAMP memos do very little to fix the confusion, as they all focus on what’s in scope, not what’s out of scope for FedRAMP. Education falls on the part of the ISV. It’s a time-intensive process that often involves repeating the same information again and again.
For Nuvolo, this resulted in:
- An extended buying cycle
- Friction in the sales process
- Difficulty renewing business every year
To hit its growth goals, Nuvolo needed to find a solution.
Searching for a Solution
Nuvolo spoke with several Third Party Assessment Organization (3PAO) auditors about what the company could do to combat misconceptions and position itself favorably among federal agency prospects.
Ultimately, the company chose to work with A-LIGN because of A-LIGN’s experience. A-LIGN is a top FedRAMP assessor and an experienced 3PAO. Plus, the company offers many other compliance assessments and attestations. Nuvolo had several compliance priorities beyond FedRAMP. With A-LIGN, the company could simultaneously pursue SOC 2, ISO 27001, and CMMC — without duplicating efforts and taxing internal resources.
A-LIGN and Nuvolo Work to Build a FedRAMP ISV Report
A-LIGN was able to create a path for Nuvolo to earn a FedRAMP ISV Report outlining how the company’s processes and controls stack up against applicable FedRAMP Medium requirements.
The process began with a planning phase where A-LIGN determined which FedRAMP controls applied to Nuvolo and which did not. For example, controls related to things such as infrastructure and backup were decidedly out of scope. But security controls and background investigation requirements for people working on the product were all relevant to Nuvolo. As were controls related to integrity, confidentiality, and availability of code during the build, test, and review process. This process to determine relevancy of controls was completely custom to Nuvolo, as the list of relevant controls will vary between ISVs based on the specific offering and company.
In addition to confirming the scope, A-LIGN and Nuvolo worked out logistics related to the assessment process, interview requests, and evidence/information requests.
Formal Assessment Phase
Next was a formal assessment phase. A-LIGN performed an assessment scoped to the FedRAMP controls that applied to Nuvolo. A-LIGN used the same level of rigor for controls and acceptance that would be used for any traditional FedRAMP authorization.
After the formal assessment was completed, A-LIGN granted Nuvolo a report that could be provided to agency prospects, detailing A-LIGN’s findings and the remediations Nuvolo took related to any determined control gaps.
Impact and Next Steps
With a report from an accredited 3PAO on hand, Nuvolo can reassure federal agency prospects who must ensure their vendors are FedRAMP authorized. Since completing the report, Nuvolo has been able to concisely (and quickly) explain its position related to FedRAMP authorization and increase its pipeline of federal agency prospects.
Since implemented, government agencies appreciate the efforts to demystify the FedRAMP for ISV process, and understands and honors this type of document in their own internal compliance programs.
The General Services Administration (GSA) is currently working on a FAQ document intended for organizations purchasing products from ISVs. When available, we will provide further information.
If you are an ISV facing similar challenges, contact A-LIGN today to learn about how you can earn a FedRAMP ISV Report.