
Why FedRAMP High Is the New Standard for Secure Digital Identity


Video Transcript
Abby:
Hello, and thank you for joining us. On behalf of 1Kosmos and Carahsoft, I'd like to welcome you to today's webinar, why FedRAMP High is a new standard for secure digital identity. And at this time, I would like to introduce our speakers for today, Christine Owen, field CTO at 1Kosmos, and Michael Cardaci, CEO at FedHIVE. And Christine, I will give you the floor.

Christine Owen:
Thank you. All right, let me share my screen real quick. Which one do I want to show? Let me present.

Michael Cardaci:
I can see you.

Christine Owen:
I know it's because I'm trying to present this. Oh my gosh, let me try this again. You can't see it or can you see?

Michael Cardaci:
No, I see it. No, I see it. It's up.

Christine Owen:
I don't know why I've got a brain fart on presenting. Use presenter. Perfect. It's down here. This is why. Boom. There we go. All right. So thank you very much everybody for joining us. As you can see, I'm technologically disadvantaged today for some reason. I'm Christine Owen. I am the field CTO at 1Kosmos, as Abby said. And we are going to talk about FedRAMP High, which in my opinion is really the new standard for secure digital identity or really any kind of product out there.

So I actually invited Mike to come speak with us today. And the reason is because we at 1Kosmos use FedHIVE as our FedRAMP platform. So I think it's a very advantageous way to be able to get to FedRAMP High. And Mike is very, very well versed in FedRAMP in general and in the other areas of security like IL-IV, et cetera. And I think that he's just an amazing resource when it comes to anyone understanding what it means to be FedRAMP High, but also to anyone who's out there looking to see whether they should even try this journey because sometimes there's a lot of tears.

So I'm just going to go straight into what it is we do at 1Kosmos and then I'll let Mike talk a little bit about what he does at FedHIVE. So at 1Kosmos, we are the only FedRAMP High Kantara-certified credential service provider. So what does that mean? So it means that the first thing that we do is we identify end users. So we do identity verification. We are certified by Kantara to do NIST 800-63A-3 IAL2 remote verification. So how do we do that? We get a selfie, we get live pictures of either a driver's license, a passport, what have you. We triangulate the data, we make sure that the picture on the driver's license or the identity evidence matches the picture from the biometric, and then we also make sure that the identity evidence is authentic. And then we also verify the evidence that's on the face of the identity evidence.

So there's a lot that we do. Once we do all of that, we can actually hash it and wrap it in data and we can put it into a user-controlled digital identity wallet. In that case, we would take the information and we would wrap it in encryption, give the private key back to the end user, and then we would wrap it in additional encryption in a private and permissioned ledger. The last thing that we can do as well, once we have this verified identity, is we can tie it to a strong credential. We have a lot of different credential types that we can tie it to. These are three. The authenticate and transact piece of our platform is actually quite large, usually on the slide, but I tried to condense it because we also wanted to show that not only are we FedRAMP High authorized, but our encryption standards do meet FIPS 140-3, because Mike made us know that they are very important. We have Kantara certification at IAL2, AAL2, and we also have our customer-controlled keys.

Now the other piece of this that I think is really important is that our FedRAMP High environment and our commercial environments are the same. And what I mean by that is, while our FedRAMP High environment is within GovCloud, so there are stronger controls around that cloud provider, our stacks are actually the same. We use the same encryption modules in both the commercial and the government side, and we use the same principles that we're going to talk about that are required under the FedRAMP program throughout the rest of our product stack as well. So I think that piece is really important to understand when it comes to 1Kosmos: we have a FedRAMP High environment and we have a commercial environment, and that commercial environment is built to that government-grade FedRAMP High environment. So how did we get here? Well, there were a lot of tears. It seemed like it took forever, but we made it, and we made it thanks to Mike. So I'm going to pass it over to Mike to talk a little bit about the FedHIVE platform and how he works with clients.

Michael Cardaci:
Christine, I appreciate you inviting me here and I always love having our conversations about compliance. Sometimes they go down rabbit holes that are unnecessary, but it just adds to the overall color of the conversations. I will tell the folks here that are watching, we have had long conversations to understand what all of the individual controls are. Christine's been great as far as wanting to understand that information. My name's Michael Cardaci. I'm the CEO for FedHIVE. We've got a great relationship with 1Kosmos and a lot of the Carahsoft folks. Our primary duty is a compliance-as-a-service organization. We are what is commonly called an accelerator for FedRAMP. We move folks through the process for the DoD requirements, the FedRAMP requirements, and now the upcoming CMMC requirements. And the idea is that organizations like 1Kosmos, they have their core ability and they have somebody who is championing the compliance piece. And our job is to liaise with them and make sure that they're on the right tracks.

And then, post getting through the compliance, we really look at helping the organization work with agency security and AOs to make sure that there's a smooth process. So Christine and her teams are going out and selling products to the government. We're there to work with the security part while they're working with the program part to make sure that the acquisition can go through and that whatever the requirements are for the agency, because remember, the FedRAMP baseline is a baseline and each agency may have some particulars that they want to see. And so we act as that liaison with those AOs.

And we'll talk a little bit more about FedRAMP and how things are changing, but that's becoming more and more of a particular value because then we can speak the correct language and then point out all of the things, whether it's just in the SaaS product or whether it's the platform or in the infrastructure, that the agency wants to see. So we try and make it easy. I know Christine had mentioned some tears, but there weren't a lot of tears. There were fewer tears than if they tried to do it themselves. She'll admit that, I hope.

Christine Owen:
Definitely, definitely.

Michael Cardaci:
And then the other piece of that is we bring the ATO and the sponsor, so that eliminates having to go hunt that down on your own. And then finally we try and do this in a fixed-fee way so that it doesn't have scope creep and cost creep and all those other pieces. We kind of agree on what we're trying to achieve, what the goal is, and then we get people across the goal line to the addressable market. So that's what we do in a nutshell with regard to trying to move this through. I will say the name of this webinar is about FedRAMP High being the new standard. FedHIVE has held that the High is an easier sell to the government because there's no issue with either the procurement folks, any acquisition specialists or the program folks where they're having to figure out what the characterization of the data is. This makes it much easier. And the cost differential between the two, even prior to all of the things that are going on now, the cost differential was minimal going from Moderate to High, and it was just easier to do that.

So I think that Christine's dead on with FedRAMP High being the new standard, and I think even more so now with the new FedRAMP requirements. So okay, I've said enough about what we do, so I'll give it back to Christine and we can move on.

Christine Owen:
Yeah, you have one more slide. I think this is a fun slide too. I think this shows the value that you bring today.

Michael Cardaci:
So one of the things is, just like 1Kosmos's core business is their SaaS application for the government, ours is this compliance. And so I took an excerpt. Carahsoft was a sponsor of the ATO summit last week, and this is a public discourse, you guys can go find this out on LinkedIn. Brian Conrad, who was the former acting PMO for FedRAMP, and John Riddle, who was an auditor in what was Lunarline, which is now Motorola. So they both have extensive understanding of these situations, and this discussion came out after the ATO summit, and it's talking about, in essence, the gray areas and the transition between the FedRAMP 20X issues and the Rev 5 paths that are going on.

And I've gone and I've talked to Christine about these issues so that she's aware, because she's my liaison with 1Kosmos, but the fact of the matter is she doesn't need to worry about those things because it's my job to make sure that as we transition from whatever happens in 20X and how that migrates to the new FedRAMP, from Rev 5 to 20X rather, that we're there in lockstep to make sure that they get there, because there are a lot of changes. The key indicators for the ConMon, the continuous monitoring, the POA&Ms and how they're going to be registered, the timelines for vulnerability fixes, that's all on us to make sure that her organization understands how that goes.

And the fog of war is what I wanted to point out here. These are two very seasoned experienced people in the compliance area and these are the discussions that we're having. We're talking to the PMO and we're talking to the government, we're talking to DoD to try and make sure that everybody is on track. So I just thought this was an interesting interaction. This was on the 28th, I think it was the day after we had that ATO summit. So I think it's very, very interesting.

Christine Owen:
Yeah. So to piggyback on what Mike is saying, the one thing that I think is really important, and we're going to talk about this later too, but when it comes to deciding whether to do FedRAMP on your own or to use a platform is: do you have the understanding that you need to be able to make it through the FedRAMP process? And then also, do you have the resources to be able to continuously follow on rule changes, legal changes, regulatory changes? There's a lot that goes into FedRAMP. FedRAMP started out as a legal statute and then it tailors down. There's some regulations in place, there's some rules in place, and then there's the policy around the office. And then on top of that, there's all of the different agencies and how they operate with FedRAMP.

FedRAMP's not like, "You're done. It's super easy." There's a lot more to it. There's all the continuous monitoring. We're constantly working on the vulnerability management. And then on top of that, every time we are building new features for our clients, we have to decide, is this something that's going to affect the security of the overall platform? And if it is, then okay, we need to go get an assessment. Mike is very excited because he's going to get a very big assessment coming soon. He's going to be like, "This is a lot." But we're doing that because it's really important for us to stay ahead of what our customers' needs are. So there's a lot to it. And I will say I feel like on some days, and I think in the past two weeks, one of the 1Kosmos team members has really just taken a lot of FedHIVE's time because he wanted to fully understand all of the procedures on their side and on the government side and what the new regulations could mean to us.

And the good news is that FedHIVE took a lot of time and taught us that so that we are ready when those changes are made. And we'll talk about that a little bit more. So I'm going to go super simple on the first question. And so for those of you who don't know, I am probably not going to use a lot of these slides. They're very pretty and we like to have slides in the background and we are going to hit on all of these points, but one of the things is there are so many different levels of federating, so there's Low, Moderate, High, and then after that there's IL4, 5, 6. I'm fairly certain there's no 7, but I'm sure there is. It's probably an 11 and I don't know about it. What do all of those different things mean? What's the difference between the FedRAMP and the IL levels, and how do you build your way up from one to another?

Michael Cardaci:
The good question is you can look at it as kind of a stair step. Low is we're just making sure that the data is clean. Moderate is, we don't have any PII or CUI or anything that's sensitive really in the Moderate. It's just that our system is secure. And then you get to the High where you have data that, in addition to PII, it could be government data and CUI, and then that's on the federal side. And then a lot of folks ask, "Okay, I want to jump over and I want to get into the DoD space." And really what happens is everything just tightens down the amount of time. For instance, how long before your login screen turns black and you have to re-login. So it's that time that you're allowed to have that window, that vulnerability window open, gets smaller and smaller and smaller.

And then once you get into the IL4 and IL5, the DoD-specific areas, also, you're no longer allowed to just go out on the regular internet. You now have to connect to the government directly. And so some of those kinds of things. And then the bridge between IL5 and IL6, that's where you get cleared data and then you have all sorts of facility requirements associated, people with guns and that kind of thing. And then there are higher levels, Christine, that you alluded to, but those are really in the government space. They don't really allow those outside of the facilities typically from the government.

So yeah, those are those differences, and that's our job, to help you navigate. And you talked about earlier the commercial side too, having a commercial and the federal. And what we've been seeing from our customers, and I think this is true with you guys too, is having that compliant environment for the commercial side acts as a differentiator also, going the other direction with the commercial folks, so that you can say, "Hey, we are not only minimally hitting this as a requirement, but we are continuously monitoring it. So it's not just internal. It is we have external monitoring going on." And I don't know, you would know that better, but that's the information that we're getting back from that.

Christine Owen:
Yeah, you're exactly right. Talking about it with our commercial customers is really helpful because they do know about what FedRAMP is. Sometimes we explain it a little more, but they do understand in theory what FedRAMP is, and what they do understand about FedRAMP is it's hard and it's pretty secure. So when we talk about it in the context of we are FedRAMP High, so that's the highest security that you could get within FedCiv. And on top of that, all of those encryption modules, because of course we use a lot of encryption within our product, flow down to the commercial side, and so we're using government-grade encryption, because FIPS 140-3 isn't always the easiest also to implement. So we're doing that on both sides, and that really gives a boost to the thought of not only are we privacy by design, but we're also security by design. I think that those two things together really tell a good story.

The thing that I really want to pick up on that you said, though, is that FedRAMP High is where you want to go if you have PII that you're protecting. So why is it that High is better for PII than Moderate?

Michael Cardaci:
Well, one of the main reasons is, if you think about it from the government standpoint, the government is giving you data. They're giving you their PII data, and Moderate meets the requirements but doesn't have the continuous monitoring requirement associated. So at the end of the day, the FedRAMP High gives the government that warm and fuzzy feeling because, we're talking to the government twice a month, but at least on a monthly basis, they get what your continuous monitoring is, what your vulnerabilities are, what your POA&Ms are, and if you're meeting those on a regular basis and if they have any vulnerabilities. So that really becomes the difference between those two: the government gets a feedback loop, where they don't necessarily get that from a Moderate standpoint.

Christine Owen:
Yeah. No, I think that makes sense. I think internally we appreciate the continuous monitoring because it allows us to put vulnerability management within our sprints, and so that's very helpful. I think moving forward, we're going to talk about this soon too, but I think that that's an important thing to think about when people might be commenting on FedRAMP rules coming up: companies have sprints, and so making sure that vulnerabilities are done within a sprint time period is pretty good management. So your platform is High, and then you also have an IL4 and an IL5 environment.

Michael Cardaci:
That's correct.

Christine Owen:
You do not have Moderate or below. Why did you choose those three environments?

Michael Cardaci:
And it goes back to the question that you asked just previous. We went through and we did the economics of what it was going to cost for us to move to the FedRAMP High, and we also had the DoD, so we had to get to IL4 and IL5, so that was also part of our goal. And what we found was the cost differential to go directly to the FedRAMP High was nominal compared to going to Moderate and then going to High. There's a much bigger cost lift with that. And since, again, we had our goal as being in the DoD space, we wanted to know, what's the fastest path to there? And then we could do the highest level. You can always go backwards. I can have Moderate data inside my High. It's just a subset of that FedRAMP High environment. That is really what we want to do.

Not to mention the fact that it's more intricate, there are more controls. It goes from, forgive me, the Rev 4 was 325 and 421. I think it's gone down, it's changed a little bit. I think it's 328 and 410 for the Rev 5. The idea was there are more controls associated, they're a little bit more intricate, there's a little bit more scrutiny. There's definitely more scrutiny from the 3PAO for what our business model was going to be. People were going to have a more difficult time going to that standpoint of the FedRAMP High.

The other piece of it is we found that there was a big value for us. We have customers that do their own Moderate and we do their High because they had a tough time making that jump. They made that interim level. And because we are a pure outsourced model, we are time-slicing everybody and giving this out to folks. There's about a 43% cost over the life cycle of software for us to do it in an outsourcing method rather than somebody doing it themselves, with getting the right people and the compliance folks, and they're expensive and they have to do these things on an ongoing basis and then tracking all of the issues which you brought up previously.

So those are kind of the issues. I do want to ask you one question, Christine. I'm going to throw it back on you and I'm going to put myself at risk a little bit here, but I think I'm okay.

Christine Owen:
You're a very bad attorney. You never ask a question that you don't already know the answer to.

Michael Cardaci:
That's true.

Christine Owen:
Love law.

Michael Cardaci:
That's true. And I do kind of know the answer. So I touted all of these things that we are doing on your behalf. And I'd like to ask the question from your standpoint, because you've got a lot of experience even prior to 1Kosmos with doing compliance work, understanding controls, and a lot of these kinds of things. I'm going to ask about the benefit of A, having somebody who's looking out for these things and then feeding them back to you as an organization and B, that liaison part with working with the agencies themselves to help kind of bridge that gap. So those two pieces I'd like to publicly ask you.

Christine Owen:
Yeah, no, that's good. So the first off the bat, the one thing I want to say is I hate doing controls work. I mean I still have to, we still have controls that we have to work on and I and other team members are constantly looking at the controls and making sure that they are the right answers. But I do hate controls work. But the reality is a lot of things that you already laid out. One thing that was really important for us is the fact that it is very costly to build your own FedRAMP program within an organization. There are bigger SaaS vendors out there in the cybersecurity space who are amazing at it, and they have some of the best experts who I am sure are really well paid as they should be because they are so good at what they do. But we didn't really have the time to be able to go out and find those people and build that program.

And that's pretty costly. If you thought about how much it would cost to build the program in-house versus how much it costs to get a platform, it was a no-brainer. And so that's the reality of it, because the monthly spend that we give you guys to be able to manage everything is significantly less than what we would have had to do. The second piece of this is that we decided to go, you didn't ask this question, but I'm still going to answer. So I guess I'm an A2, I guess, but we decided to go FedRAMP High and consequently on your platform because we were looking for stronger security controls, because we understood that we were going to be holding citizen data and we wanted to make sure that we had the strongest security controls within the federal civilian.

And on top of that, we knew that we would likely also want to do some work within the DoD. And in that case, we would need to get to IL4 just by way of their policies as well. So in theory it's an easy hop between High and IL4. I don't know. I still think there's going to be tears. We haven't started it yet, but if we do, we will figure it out. But I can see a little bit of crying on my part before we get there. And then your last question, what was your last question?

Michael Cardaci:
Yeah, working, having us act as the intermediary between the agency and you all.

Christine Owen:
Well, you're not just the intermediary between the agency and us, you're also the intermediary between us and the 3PAO.

Michael Cardaci:
Yes.

Christine Owen:
And number one, right off the bat, thankful. I am so grateful to have an intermediary because, like you said, I have done a lot of compliance work in the past, and when I had to sit in on audits and work with auditors, I was trained and I also trained newbies on how to respond to those answers. But it's not always fun to be in an audit environment, and I've definitely sat through a lot of very boring audits, and I don't have to do that in these cases. It's really quick because you guys understand what it is that we do. You understand our platform, you understand what we're trying to do. And before we even get to the 3PAO, I think your team and our team have come together to discuss what the most secure way to be able to do X thing is. And I think that's really helpful because we get a sounding board, and you guys too.

But then when it comes to interfacing with the agencies, that's another one that can be hard. We actually had an agency ask us some questions because they needed to be educated on the idea of a platform provider for FedRAMP. And we do see this time and time again where people ask us, "Well, we looked on the FedRAMP website and we didn't see your name on there." And I said, "Well, you did, because you definitely Googled us and then something came up, you just didn't click through." So in clicking through to the FedHIVE, you see our name on there, but the reason why it gets confusing, I think, is that the platform providers are the ones that hold the entire authorization, whereas we hold a small piece of the controls within that greater control set.

So we would get questions like, "Well, are you guys reporting POA&Ms?" And I said, "Well, me? No, but yeah, we are. It's through FedHIVE because this is how we do it." And so we talked through that. I think having someone to be able to sit down with us and talk through the vulnerabilities and what they're seeing is also helpful, because sometimes something spits out things that don't make any sense. And so you have some pretty good experts on your team now, and having them explain to us, "Oh no, this is what it was," or even saying, "Oh, you're right, this is not right, let's go back and fix this," it's been very helpful because we see you more as a partner than the platform provider. We obviously have other platform providers for various things that we do, and I would say this is much more of a partnership, which we really enjoy.

Michael Cardaci:
Oh, love to hear that.

Christine Owen:
So we started this journey, if you recall, I know I do, we had to have a lot of hand-holding, right? Because I knew that this was going to happen because we had to get through our first round of 3PAO. I wouldn't say we have it down pat yet, but we definitely have a better understanding of what we are going to go through the next time we go to the 3PAO. So are we a special snowflake in that we were the most uneducated customers you've had, or is this something normal where you have to constantly say, like, "No, it's okay. Let me tell you how it works. It's going to be okay. Just breathe a little harder. It's going to be fine."

Michael Cardaci:
Yeah. The fact of the matter is, I kind of said this in my opening, your job is to do your core business. You understand controls, the basics of it, but my job is, this is what we do, and to explain to you, within the structure of what 1Kosmos does, how I'm going to get you from point A to point B is what I need to do. And of course, anytime you have folks that are developing stuff, they have curious minds and they want more information, and like you had mentioned, you'd asked for a meeting not too long ago to go over all of the things in all of the world of all compliant stuff. And we sat down and we went through all those questions because not only the folks that are in your organization that are running the product, leadership has to understand where are we? What's going on? What's coming in the future? What are the costs associated that I can expect in the next one, two, three years, etc.?

So no, you're not a snowflake. Most people don't understand this, understandably. There are not a lot of compliance people out there. There's a lot of misinformation, there's a lot of misunderstanding. I try and be as transparent as possible and work through. And by the way, it goes both ways. We try and be a true partner with you guys, but we ask you to be as transparent with all of the creepy crawlies that you have, and so we can understand them so that we can mitigate those risks. Because at the end of the day, agencies want their missions to have the tools they need. My job is to help you get there and mitigate security issues, remediate those security issues, and then walk through so that the agency has a good idea of what the issues are.

So my job, and I think we did this quite a bit, there's a lot of details. Some of it's more detailed, "Hey, is this right or wrong?" It's not right or wrong, it needs to be set a certain way. And I think some people get that, "It's an audit. Oh my gosh, we're going to die." Right? And it's not. It's really about showing your security posture in a real way. Because here's the other thing, remember, you're signing off and your leadership is signing off that this is what you're doing. So everybody's on the hook for it, and we want to make sure that we're not putting you on the hook for something that you can't do or didn't do or that sort of thing.

So we are on your side and we're on the government's side. Our job is to make sure that no matter how new you are to compliance, and 1Kosmos, their thing is not compliance. Your thing is your core business about the identity, et cetera, et cetera. So that's my job. My job is to help you be comfortable and help your leadership be comfortable understanding all of the hurdles. I'm not going to say, "It's awesome. No problem. Everything's going to be perfect." As you remember in our meetings, I'm like, "Okay, so we need to have an answer for this. How do you toggle this?" And sometimes there is a little bit of development, but for the most part it's really try and just make sure.

Again, we're a partner. We benefit if you do better. That's a good thing for us too, because it is like a law firm or an accounting firm or all that. We look at us as the security firm, the compliance firm for you, that all organizations are going to have in the future. They have no choice. This is part of doing business going forward. Because even in the commercial space, more and more people are becoming aware of it, state and local, et cetera, et cetera. Yeah. But you are by no means unique in your need for information or shepherding. That's our whole reason for being.

Christine Owen:
Yeah. So I think the one good thing that we had going for us is that we actually had had a lot of audits behind us from the commercial side. So we had ISO 27001, we had SOC 2 Type 2, Kantara certification, which is an audit, not necessarily security, but it's definitely an audit based on federal regs. But that still didn't give us enough of a readiness for what we were getting into with FedRAMP. So what's the one or two things that you think that anyone, before they start out their FedRAMP journey, should understand to be able to help them make that decision better?

Michael Cardaci:
Yeah. Well, honestly, I'll say the same thing that I said to you guys, which is, where does the data go? At the end of the day, it's really where does the government data go? Not telemetry data for your system, not these ancillary things for health checks of the system, but the government data, because that's what I need to track. That's what I need to explain to the government agencies. And if you don't understand that, or if it goes out of the boundary or wherever you have it, where does it go? Why does it go there? Does it have to go there? And those kinds of things. Those are the things that took the most time that we had to redirect. If something went outside the boundary, we had to redirect it to inside of the boundary, so the government data, I want to make sure I'm clear, government data did not go where it shouldn't go. That's the biggest thing.

Christine Owen:
I agree. I think it probably took us three hours to understand, because the data that we collect actually is not government data, because it doesn't touch the government before we collect it. It's collected straight from the end users. So therefore the data is not government. But then at some point, the data actually does get turned into government data. So then once that occurs, then we have to make sure that we are very clear and very controlled with what that data does. So I think that was the piece that, I think for both sides, for us, especially because of that data piece, we really understood how to explain to the FedRAMP PMO and to the 3PAO what it is 1Kosmos is doing.

Michael Cardaci:
I think you had a good point earlier in this discussion where you're like, "Hey, this is a true partnership," because we're not being consultative here and just saying, "Okay, here's your gap analysis. Come back when you've fixed all your problems," and you have no idea what to do. It's really a dialogue and a conversation of what are you trying to do with the data? Where are the limits of data? Where do things sit? What does it do, so that we can then help you with our experience about how do we do this so it is secure? You don't have vulnerabilities. And we can honestly say that to the government about where the data goes. Because they're going to ask us where the data goes, and we want to be able to do that.

So it's a two-way street. We're saying, "Hey, these are the things that you need to think about." You're saying, "Okay, this is how we're going to do it," and then we could formulate. Because each one of these is different. Every organization is different because you have differentiation in the marketplace about what you do for the government. So it is really that relationship of how do we not lower the bar, but get you across the line? That's really the partnership aspect.

Christine Owen:
Yeah, no, I totally agree. I previously was an attorney, I'm a recovering attorney. And I think when you're in law school, because you're just learning the rules and you're not understanding the real world application of the rules, you are quick to say no to things when clients are asking questions when you're first out of law school. And then when you realize that you can't be so yes and no, there's so much gray in the world, getting to a yes or some sort of way to get to a yes is really important, and you definitely helped us do that, which was important as well. So we'll do one more-

Michael Cardaci:
Can I make one comment on that? Because I think that is huge, and I think that a lot of folks out in the world think that the government is there, or the FedRAMP function is there to say, "No, you can't come in." It's really to get what is your stance on security? This is what we want as a baseline, and it's how do we adjust so that we can get this to the agencies and their mission? So that's really what our job is at FedHIVE is to interpret that we don't see them as a gateway that's a go, no go. We see them as, "Let us check your papers. You're allowed to come in. We want these products, but we need to make sure you're just doing it right. So we're consuming it correctly." And that's what our job is.

Christine Owen:
In some cases, you're teaching people how to do things slightly differently. So one thing that I think is a really important function is I actually think we're meeting weekly with you guys right now on vulnerability management with the continuous monitoring function that you do after you get FedRAMP authorized. And I think that that piece is extremely beneficial for us because we have someone else who's also monitoring what we're seeing, so we can check our results. But I think it's beneficial for us because we had a lot of questions about the rules around vulnerability management when it came to FedRAMP. So for example, there are strict timelines on when high, critical, moderate and lows have to be addressed. And then on top of that, there's also other guidelines that are likely coming, we'll talk about that in the next slide.

But there's a lot to that. I think it's been very nice and very helpful for you guys to give us that time and attention as we start to really ramp up our continuous monitoring program internally. So how did you guys decide to do this? And then I'm sure you're constantly improving it. How are you working towards improvement on that as well?

Michael Cardaci:
Yeah, so what we found was we don't want surprises. So again, if you look at it from a partnership rather than just kind of a consultative where we could just drop this and say, "Hey, this is what you need to do. Let us know when you do it. And by the way, here are the rules. You've got 30, 90, 180 days and don't miss it because otherwise you're in trouble." Because it's a partnership, we want to more continuously engage with you and make sure that, "Hey, we see this vulnerability now." I know that we're going to be telling you we're going to be running these scans or going through this at the end of the month on our monthly date, but, "Hey, we're doing this every week and we saw this. You want to fix this now because let's just get ahead of it." Because something always happens just before, whether it's Patch Tuesday or some vulnerabilities come out or whatever happens, you're going to have enough work to do.

So if we can do this on an ongoing basis, what we found was that now you're more secure, you have less vulnerabilities. We look better to the government because we're doing this ahead of time and they're seeing less, and they're going, "Oh, okay, so these guys are on top of it." So now you get that benefit from that. And the more that we do that, and the more we automate and get that tighter and tighter, the more time you have to fix before you have in essence a gun to your head. Now your homework is, "I got a term paper and a test and a quiz and all this other stuff." Instead, you can do that as you're going, and then really focus on those things that you need to. You can prioritize things the way they need to be, et cetera, et cetera. So this has been an evolution, not just with you, but overall with what we're doing.

Our first focus was get you through the compliance. The next focus is how do we make it easier for you to address your market better so you can make more money faster? So if I can turn around and we can show you have less vulnerabilities, you fix them on time or faster than on time and all that stuff, then when you go to your program and say, "We're awesome," we go to the security guys and say, "Hey, here are their POAMs specifically for this SaaS. Look, they're way ahead of what they needed to do," because the history's there. Now you look like you're taking it seriously. So now they're getting their box checked faster. That means program can do it so your acquisition to go through faster, and it's all about making money for you. The more you make money, you'll never leave home without me. That's our viewpoint. That's the quality of service that we're trying for. So we've talked about, we've added portals, we've done all of these things so it makes it easier for you guys to consume the information we're giving you so you can solve the problems faster.

Christine Owen:
Yeah, no, I think it's definitely very helpful and I think, yeah, I really appreciate it. So now we have the last slide, which is a fun slide. It's a future slide. We have so much going on right now with FedRAMP. So when the administration changed, really one of the first things that happened was FedRAMP started changing quickly as well. And so there have been a lot of changes. And then on top of that, there's a lot of future changes. So let's talk about the changes that have definitely occurred first. So what did you see as the biggest difference between last administration, this administration when it comes to FedRAMP?

Michael Cardaci:
Yes. So there's a philosophical difference that they've changed. They want to have the optics of FedRAMP not being the blocker. They want to get people through the quote/unquote FedRAMP hurdle. So that just shifts. So everybody's heard the horror stories takes 18 months, takes 24 months, could take forever to get this done. So yes, FedRAMP was slow in getting their things through the process. So they have now streamlined that so they can get you through the process. Problem is, you still have to go through the compliance piece and the 3PAO piece, and you still have to meet those requirements, especially for FedRAMP High, because what 20X attacked first was FedRAMP Low. Next they're going to look at FedRAMP Moderate, and then finally, obviously FedRAMP High. So I think it's great what they're trying to do. They want to move it faster.

The idea of 2011, 2012 FedRAMP is different than it is today. We have AI. We have folks, you know this, that your cadence for adding new value for your software is much faster. You're doing things, you got multiple teams and you have a CI/CD pipeline that is much different than it was 12 years ago. So they felt that FedRAMP did not keep up with that, which is accurate because it's a snapshot as opposed to now.

That's great. Things are moving faster. Unfortunately, the downside of that is things are going to move faster. That means they're trying to speed up the time for conmons. Instead of once every 30 days, they're trying to bring that down so it's more often. They're looking at key indicators rather than all of the controls and where they stand. They're looking at specific key indicators. So that's going to change. They want things to be fixed within three days instead of 30 days. And so they're changing the focus. Instead of the vulnerability is a high or it's a low or it's a moderate, they're now shifting, is it an internet facing vulnerability or is it an internal facing vulnerability? So this is a good thing, right?

Christine Owen:
Yeah, very good.

Michael Cardaci:
Because this is a vulnerability that's buried three layers deep inside a Kubernetes pod that no human ever gets to, then that vulnerability is pretty nominal as far as a functional vulnerability, whereas a more moderate vulnerability that's facing the internet may actually be a higher vulnerability. So they are shifting how the focus is. So I think that's a good evolution. But now we've got two pieces. We have just what those gentlemen were talking about, we have the Rev-5, the NIST 800-53 Rev-5, which is the old style FedRAMP, and that's still the law for moderate and high. And then you have the 20X that's coming up, and when is that transition and how do you do it and how do you meet both? So those are the things that make things very, very complicated, intricate. And so I think we're moving to a more security-based rather than compliance checklist-y type thing.

And as you know from when we talked at the very beginning, we looked at operational compliance and operational security as opposed to just going through doing a gap analysis and what you told me and what you didn't, right? Because we are operationally talking to the agencies. So I think that moves more in line with what we're looking at from a compliance security aspect for how we can help you be better. I think it's going to be a painful road for folks that are not doing this. I have three people who are just focusing on what are the changes, what's going on, what are the changes that are going on? And they're folks that came out of FedRAMP. So these are guys who understand it, engage with it. So there's a lot of stuff going on. I'm personally on the board of ADI. I'm with CSPAB, so I'm talking with the Googles and AWS and the Azures of the world, and we're looking at how these regulations affect us.

So we are trying to be a bigger voice for the 1Kosmoses rather than you saying, "Hey, this is going to hurt. We are going to need this kind of a runway to do this stuff." I've got 25 organizations that are under us that I am saying, "Hey, I'm speaking for these 25 in this larger group," and saying, "We need to slow this down, or we need to change this, or we need to have a phased implementation," or those kinds of things so that we don't put in place something that affects you where you have to all of a sudden have a very big capital investment because you have to change what you're doing. So we don't know when all these pieces are going to come into play, arguably next year, next couple of years, whatever. But if you want to be doing work, you have to go through whatever the current one is, current FedRAMP High, so that you can get business so then you can change as things change. So that's the biggest issue.

Christine Owen:
Yeah, I think change is always hard. I will say we had meetings with the new administration in the early days, and one of the things that really stuck out was they were really open to hearing about from the industry about FedRAMP, about how long it took us to get through FedRAMP, about what our pain points were. And I think that those pieces are really important, especially, this was before 20X came out, so they were definitely listening.

I am a heavy commenter for rules and other things within the federal government, so this is definitely one that we will be commenting on. And I am very excited that you guys, and also ADI and other ADI companies will be commenting you on too, because there's definitely going to be a lot of really smart people who live and breathe this that are going to be working to be able to make sure that the right decisions are made when it comes to the changes within FedRAMP.

Now, all that being said, the one thing that we haven't talked about is the number one buzzword right now, which is AI. Especially I think that this is something that those in the FedRAMP office are really thinking through as well. How can AI, how can automation help secure those SaaS products that are providing services to the federal government? My assumption is you've thought about this before. I know I sometimes think about it, but I don't think about it that hard. So how do you think that that would work for not just the vendors themselves, but also is there a way that it would be able to help the FedRAMP office or 3PAOs or even the AOs in the individual federal agencies?

Michael Cardaci:
I think there's kind of two questions there, frankly. Yeah. One question. How does it help the government itself do government stuff? And then number one, the other question or 1B would be how do we get AI things through these processes from a compliance standpoint? And I think that first of all, the government, they're trying to get faster and faster with being contemporary with industry and commercial space and that sort of thing. As with the administration saying, "Hey, we don't want to make a special thing. We want to use what folks are using out in the commercial area." And I will use an example. So Kubernetes came out, everybody was like, "How do we Kubernetes in and get it compliant?" Because it does all of these weird things. It spits out stuff and then it takes things down. It's just something that take questions. And so there's this machination, which does not fit with all of the stuff we need to do because we need to monitor, we need to make sure it's compliant.

And so how do you make sure all of those things happen? And so there were tools that came out for that. And then so with AI, they have those issues plus bias issues, et cetera, et cetera. Where's the data go? All of these pieces. So there's going to be some things that need to catch up, and in order for the government to use it, then the government will have to figure out a way to get it compliant or allow it to be compliant or accept the liabilities associated, which is what they do in the past. That's really what they do. They go, "Okay, we know it doesn't meet these criteria because the criteria hasn't caught up with Kubernetes for example. But what we're going to do is we're going to stick it inside of this so we can mitigate whatever issues there are until we can figure this out."

And that's kind of how they went about it. And that's kind of what you're seeing now is they're like, "Okay, we're going to take this large language model and we're going to put it inside here." Well, it loses stuff. It doesn't go out to the world. Well, yeah, well, we're going to do it just internal to the government. So it's slightly more vanilla than you would get from the learning that it would do, but it's going in the right direction, and it gives us the time to experience it and find out what the downsides are and gives the government a couple pieces of information and then tools associated so then we can look at it. And so those are the things that you're seeing. CDAO has done a lot of AI stuff and try to bring more AI things in and sequestering these. It's not all large language models, it's all these AI pieces.

So if the government is willing that, if you can basically stick it in the basement of something and put concrete around it so that if it just stays right there and doesn't really do any damage, they tend to be willing to do those kinds of experiments with the full knowledge that they don't know all of those things that can occur. They accept the liability that we need to use it, and this is exciting, so we're going to do this in this way. So I see that happening more and more with the AI. I mean all of these buzzwords, right? Cloud, containerization, zero trust, AI, all of these. FedHIVE AI, and now all of a sudden will take on a whole different trajectory. But you get what I'm saying is they are starting to tease that stuff out too. The government is like, "Yeah, that's not really AI. That's just some automation."

Christine Owen:
Machine learning. It's something we've had.

Michael Cardaci:
It's machine learning. It's something that's not quite AI yet or that sort of thing. So yeah, I think that's the trajectory that we will see. Now that's just my personal opinion. I'm not paid by any AI folks or anything. Just what I'm seeing as we kind of traverse the world.

Christine Owen:
Yeah, it's an interesting time that we live. Well, I think we are at time. That was a really fun conversation. So thank you for joining me on this webinar today. I really enjoyed talking about FedRAMP and where we're going to go maybe with FedRAMP or where we're not going to go, but it was so much fun. So thank you so much for spending time with us.

Michael Cardaci:
I loved it. I appreciate you giving me the opportunity to chat, and like I said, it's a great partnership that we have with 1Kosmos and also with Carahsoft, so I am happy to do these things anytime and anybody's happy to ask me any questions when this goes out. I'm happy to answer any of these questions. My job is to try and make everybody feel comfortable about compliance.

Christine Owen:
All right, Abby.

Abby:
Well, I want to thank everyone again for your participation, and we hope that everyone found this podcast very informative and helpful to you in your organization.
Christine Owen
Field CTO
1Kosmos
Michael Cardaci
CEO
FedHive

Federal agencies and highly regulated organizations handling sensitive data require cloud security that goes beyond the basics. FedRAMP High authorization is now the benchmark, providing stronger protections for critical unclassified information—far surpassing the requirements of FedRAMP Moderate.

Join Christine Owen, Field CTO at 1Kosmos, and Michael Cardaci, CEO at FedHIVE, as they break down why FedRAMP High matters and how it enables agencies to safeguard against evolving threats. Learn how FedHIVE’s platform helps organizations achieve and maintain this rigorous standard and discover the operational and compliance benefits of deploying high-assurance identity solutions.

This webinar is essential for anyone responsible for digital identity, cloud security, or federal compliance.
