Hoops And Hurdles: Standards, Requirements For Selling To The Government

Printer-friendly version Email this CRN article


Steve Charles
Steve Charles

Information technology suppliers face a number of technology standards when selling to the government. They also must contend with a particular environment created by policy directives. For example, one of the Fed's key technology focuses is security for networks, data and end-user devices, all of which in government fall under the umbrella term of cybersecurity.

What follows is an abbreviated list of some important prerequisites that companies might come across. How many of these hurdles you'll have to jump over depends on what your federal business is like. You may not need to go through FedRAMP or you may not be required to deal with Section 508. In that case, concentrate on the imperatives most relevant to you. Still, a passing knowledge of all of it can come in handy when selling to the government.


The risk-based framework the government applies to the cybersecurity of its own systems was mandated in the Federal Information Security Management Act of 2002 (FISMA). The law designated the National Institute of Standards and Technologies (NIST) to develop the standards and controls that are applied to government information systems. From a private-sector technology vendor perspective, FISMA is frustrating because it requires agency assessment and authorization of systems, not products or solutions. Thus, there is no such thing as a FISMA product certification.


The idea behind FedRAMP is to meet the FISMA requirement by testing a cloud service once, so each customer agency doesn't have to repeat the process. Sellers of cloud computing services rated as low or moderate risk under the NIST risk management framework undergo a security baseline certification through the Federal Risk and Authorization Management Program (FedRAMP). Companies whose offerings meet FedRAMP security controls gain "provisional authorization" for that offering. That provisional authorization should be valid across the entire government, although individual agencies can still require companies to add agency-specific controls before granting the service the authority to operate on their networks.

Companies get FedRAMP certification by a private-sector third-party assessment organization (3PAO). Anytime a cloud service undergoes a significant change, it must gain recertification. An obvious example of a significant change is the addition of a new service on top of an existing one -- for example, if an infrastructure-as-a-service (IaaS) provider were to add software-as-a-service (SaaS). If the IaaS infrastructure itself has not changed significantly, the provisional authorization process for a new combined IaaS and SaaS could leverage the documentation from the previous IaaS provisional authorization.

FIPS 140-2

NIST also publishes a slew of federal computing guidelines known as Federal Information Processing Standards, or FIPS. A common one today for vendors is the standard for cryptographic modules, FIPS 140-2. It has become a widely known control in federal IT anywhere unclassified data is supposed to be encrypted. (Cryptographic specifications for use in classified systems are maintained by the National Security Agency, which tends not to discuss them publicly.) Certification can be a competitive advantage if you happen to be in a niche in which most companies aren't certified.

As the government continues to mandate more cybersecurity standards and best practices, it's a pretty safe bet NIST will be playing a leading role in bringing all the stakeholders to map out an implementation plan and update that plan periodically.

NEXT: APL And Section 508

Printer-friendly version Email this CRN article