Hoops And Hurdles: Standards, Requirements For Selling To The Government
Information technology suppliers face a number of technology standards when selling to the government. They also must contend with a particular environment created by policy directives. For example, one of the federal government's key technology focuses is security for networks, data and end-user devices, all of which in government fall under the umbrella term of cybersecurity.
What follows is an abbreviated list of some important prerequisites that companies might come across. How many of these hurdles you'll have to jump over depends on what your federal business is like. You may not need to go through FedRAMP or you may not be required to deal with Section 508. In that case, concentrate on the imperatives most relevant to you. Still, a passing knowledge of all of it can come in handy when selling to the government.
FISMA
The risk-based framework the government applies to the cybersecurity of its own systems was mandated in the Federal Information Security Management Act of 2002 (FISMA). The law designated the National Institute of Standards and Technology (NIST) to develop the standards and controls that are applied to government information systems; in practice that means the control catalog in NIST Special Publication 800-53 and the Risk Management Framework in SP 800-37. From a private-sector technology vendor perspective, FISMA is frustrating because it requires agency assessment and authorization of systems, not products or solutions. Thus, there is no such thing as a FISMA product certification: a vendor can document which 800-53 controls its product helps an agency satisfy, but the authority to operate is granted to the agency's system, not to the product.
FedRAMP
The idea behind FedRAMP is to meet the FISMA requirement for cloud services by assessing a service once so that each customer agency doesn't have to repeat the process. Sellers of cloud computing services categorized as low or moderate impact under the NIST risk management framework are assessed against a FedRAMP security control baseline through the Federal Risk and Authorization Management Program (FedRAMP). Companies whose offerings meet the FedRAMP controls gain a "provisional authorization" for that offering from the program's Joint Authorization Board, made up of the CIOs of GSA, DHS and DoD. That provisional authorization is meant to be reusable across the entire government, although each agency still issues its own authority to operate and can require the company to add agency-specific controls before it allows the service on its networks.
The FedRAMP assessment is performed by an accredited private-sector third-party assessment organization (3PAO), which tests the service and documents the results; the 3PAO does not grant the authorization itself. Anytime a cloud service undergoes a significant change, the affected controls must be reassessed and the authorization updated. An obvious example of a significant change is the addition of a new service on top of an existing one -- for example, if an infrastructure-as-a-service (IaaS) provider were to add software-as-a-service (SaaS). If the IaaS infrastructure itself has not changed significantly, the provisional authorization process for a new combined IaaS and SaaS offering could leverage the documentation from the previous IaaS provisional authorization and concentrate the new testing on the SaaS layer.
FIPS 140-2
NIST also publishes a slew of federal computing standards known as Federal Information Processing Standards, or FIPS. A common one today for vendors is the standard for cryptographic modules, FIPS 140-2. It has become a widely expected control in federal IT anywhere unclassified data is supposed to be encrypted. (Cryptography for classified systems is the domain of the National Security Agency rather than NIST, and the NSA tends not to discuss those specifications publicly.) Strictly speaking, a module is "validated," not certified: NIST's Cryptographic Module Validation Program (CMVP) issues a validation certificate for a specific module, at a specific version and security level, tested by an accredited laboratory. Two caveats matter to vendors. First, the validation attaches to the module as tested, so a new version of the module generally needs revalidation, and a product that merely links against a validated library is not itself "FIPS validated." Second, the module must be operated in its approved mode, using only the algorithms listed as approved for it, or the validation does not apply. Validation can still be a competitive advantage if you happen to be in a niche in which most companies aren't validated.
As the government continues to mandate more cybersecurity standards and best practices, it's a safe bet that NIST will play a leading role in bringing the stakeholders together to map out an implementation plan and update that plan periodically.
Approved Products List
Network device and security companies wanting to do business with the Department of Defense might find an additional hurdle in their path: the Approved Products List (APL), formally the Unified Capabilities (UC) APL. The APL, managed centrally on behalf of all military services by the Defense Information Systems Agency (DISA), is a list of network infrastructure and voice, video and data products that have gone through testing for interoperability as well as for security (the latter against DISA's Security Technical Implementation Guides).
The APL is a bit of a barrier not only because testing is long and expensive, which it is, but also because companies can't initiate the process on their own. Instead, a DoD sponsor must do so. The key is finding an effective sponsor willing to stick his or her neck out for you.
Section 508
When people refer to Section 508, they're talking about rules surrounding accessibility of information and communication technology for people with disabilities. The goal is for disabled users to have access to IT functions comparable to those that nondisabled users have. The name comes from a section added in 1986 to the Rehabilitation Act of 1973 and strengthened in 1998, requiring agencies to buy and deploy electronic and information technology that is accessible unless doing so would impose an undue burden. National security systems are exempt from Section 508, as are products located in places frequented only by service personnel for maintenance, repair or occasional monitoring. You can find the current accessibility standards on the website of the Access Board, the independent federal agency that writes them.
While government prime contractors are typically aware of these mandates and policies, many leading technology manufacturers and software developers are not. As a government channel partner, always try to point manufacturers to solid information about these and other government requirements and encourage them to get involved in the standard setting processes because the government wants to take advantage of the best commercial technology and practices.
The preceding information was adapted and digested from the book "The Inside Guide to the Federal IT Market," published by Management Concepts Press. For more information, visit www.insideguidetofederalit.com. Steve Charles is a co-founder of immixGroup, which helps technology companies do business with government. He is a frequent speaker and lecturer on technology and the federal procurement process. He can be reached at [email protected].
PUBLISHED MAY 21, 2013