There's nothing quite like hearing your proposal for a new contract has been awarded and you've made your first big leap into the government market. And after all the time and energy put into your Small Business Innovation Research (SBIR) application, you should certainly be proud. It's a major accomplishment!
Before long, service members and government employees will use your software to level up their capabilities and rave about the difference it has made in their day-to-day jobs.
But before that, there are a few more precarious steps you'll need to take. Read on to get a snapshot of what's to come and what you can do to accelerate your delivery.
SBIR At A Glance
As you know well enough by now, the SBIR program is a pathway the Department of Defense (DoD) uses to attract, fund, and scale innovative technologies within the service. In order to accomplish this, companies make their way through the following three phases:
- Phase I: Market Research
- Phase II: Prototyping
- Phase III: Fielding
Market Research: Finding Your Sponsor
Companies pursuing a SBIR award will either need to identify a suitable topic with an existing sponsor or propose a novel solution through an “open topic,” an innovative approach pioneered by AFWERX targeted specifically at commercial companies with solutions the wider Air Force had not yet envisioned.
In this case, an Air Force or other DoD sponsor will need to endorse your R&D initiative with a memorandum of understanding (MOU) before you can submit a Phase II proposal. Check out this AFVentures webinar to learn more.
Prototyping & Fielding: Delivering Software to Government
Companies can find this ‘customer discovery’ requirement to be a challenge. However, particularly for software companies, the real challenge is often getting your product into the hands of your users—which usually means onto a government network with access to government data and other systems. This will require you to achieve an Authority to Operate (ATO) for your software and the system it is deployed to. There are multiple paths to field software, each with its own hurdles to overcome.
“Many software or cloud providers aren’t thinking of compliance first—they’re thinking about their technology. FedRAMP certification can easily take 12 to 18 months, and it draws engineers away from improving the product because they’re trying to retrofit compliance into that product.”
Adam Kerns
Managing Principal for Coalfire (Source)
Let’s take a look at four different methods to field software in government.
Note — Many of the figures we cite are estimates or ranges as the cost and timeline of accreditation varies incredibly widely (at times by an order of magnitude). This uncertainty has been one of the enduring challenges of bringing modern commercial software to the public sector.
Pathways to Accreditation
Traditional ATO & Certification to Field (CTF)
The legacy process for fielding software is referred to as an ATO or CTF. This is a largely manual process where your system’s compliance with Risk Management Framework (RMF) controls based on standards such as NIST 800-53 must be assessed and submitted as a package along with supporting documentation. This process includes extensive configuration, documentation, and testing, and may include variable criteria depending on the sponsoring organization.
This method is frequently used for on-premises systems hosted in DoD data centers, and requires finding a hosting environment for your software. It is built around older approaches to certifying and accrediting software and can be largely incompatible with modern software development best practices like DevSecOps and Continuous Integration and Continuous Delivery (CI/CD). This process has historically been known to take more than 6 months, although 18F has since shown it is at least possible to complete in as little as 30 days.
Estimated time to accredit: 30-180+ days
FedRAMP
FedRAMP was launched to address the shortcomings of this process and capture more of the benefits that cloud-based platforms have to offer. FedRAMP is specific to cloud service offerings, and provides a path for companies to authorize their cloud environment for controlled unclassified information (CUI). Similar to the traditional ATO path, this method includes building authorization packages and demonstrating compliance with industry standards such as NIST 800-171 and CIS Benchmarks.
According to the FedRAMP website, “There are two approaches to obtaining a FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an ATO will work with the agency throughout the FedRAMP Authorization process.”
Notoriously slow and costly (our own conversations with industry have indicated costs that vary by almost an order of magnitude and regularly exceed $1 million), FedRAMP has made significant changes in recent years to speed transition and reduce cost for companies. The “FedRAMP Accelerated” case study highlights recent changes that have been made to speed up the decision making process, with some companies receiving authorization in as little as 12 weeks.
Estimated time to accredit: 3-18 months
Platform One Ecosystem
Platform One is an Air Force organization dedicated to providing DoD enterprise-wide DevSecOps software and managed services. Iron Bank is a Platform One service that enables DevSecOps across military branches by providing git repositories and a pipeline to build, scan, and authorize hardened containerized applications for use on DoD systems. Applications that have gone through this process can be found in Registry One and are approved for use on many DoD platforms. Visit repo1.dso.mil/dsop/dccscr/-/blob/master/CHECKLIST.md to learn more about Iron Bank’s onboarding and approval process.
Platform One also offers a hosting service called Party Bus that runs mission and enterprise applications. Iron Bank is an excellent accreditation path for containerized applications that must be used within several different hosting environments across DoD. Comparatively, Party Bus is a cost-effective hosting option, but it has the drawback of requiring funds to be sent from a government sponsor to Platform One before onboarding. Additionally, there is a selection process for applications hosted on Party Bus; finding a sponsor and funding does not guarantee your spot on the platform. Registration is open for Party Bus onboarding workshops at p1.dso.mil/#/products/party-bus/onboarding.
Estimated time to accredit: <90 days
Game Warden
Building on top of lessons learned from Platform One and top DoD software factories, our team at Second Front Systems™ (2F) set out to design a platform that could accelerate software delivery into government for companies of all sizes. 2F’s B2B model scales rapidly without the budget constraints and contracting requirements of a government agency.
Enter Game Warden®, a commercial DevSecOps Platform as a Service (PaaS) that can scan, harden, authorize, and host containerized applications in production environments that are accessible to government end users. Game Warden is a dual-use product that follows a traditional licensing model and is ideal for SaaS companies and software development organizations looking to expand rapidly within the public sector. The platform includes infrastructure and platform management, in addition to ensuring that your application and hosting environments meet or exceed government security standards.
Estimated time to accredit: <90 days
ATO Comparison Chart
Use this breakdown to compare four ATO pathways at a glance.
For software developers, delivering real value to DoD users and building a constituency for your capability almost always requires some combination of being on a government network, connecting to government data (which resides on those networks), and/or connecting to other government systems of record.
Phase I and II are funded by the SBIR budget itself, but Phase III requires a user in DoD to buy your capability directly, so Phase II can be an impactful time to make the leap and invest in the ATO process. Understanding the available options is the first step toward launching your product.
Learn how Game Warden can provide your team an expedited software delivery path at www.secondfront.com/game-warden.