Innovating within a Salesforce environment (and also within FedRAMP)
If you sell software to the government, you probably have feelings about the FedRAMP program. I'll give you a second or two to compose yourself.
For everyone else, the FedRAMP program provides a form of centralized security approval for cloud services across the federal government. And as with just about anything that is centralized, there's an upside and a downside. The upside is that, once a product is approved on FedRAMP, the cost of security authorizations for cloud services across the government goes down. The downside is that, if a product is not already approved by FedRAMP, people are going to want it to be approved by FedRAMP!
A consequence of the way FedRAMP has practically worked over time is that many cloud-service providers offer "government-only clouds" that are FedRAMP approved separate from commercial cloud offerings.[1] Whether you like this or not is sort of irrelevant. It just is.
Another consequence is that some cloud-service providers may choose to only include some of their services approved by FedRAMP. For example, imagine that AmaMicroGoogacle Cloud rolls out a new killer AI feature[2] that the commercial sector is just raving about! Well, unless that feature is FedRAMP approved (and it probably isn't, sorry), you likely won't be able to use that feature for government purposes.
Meanwhile, getting things approved in FedRAMP is a chore. It's effectively a rite of passage for cloud service providers to blog about how they achieved FedRAMP. It requires investment of time, money, and effort. And it involves lots of paperwork. Also time. Also money. Effort.
With this in mind, let's turn to a recent GAO protest by New Generation Solution, LLC ("NewGen"). In NewGen, FEMA issued an RFQ for Salesforce development support.[3] Among other things, FEMA required that bidders have the "knowledge and ability to innovate within a Salesforce environment" and specified that "consideration will be given to clear understanding of Salesforce software and available products and FedRamp government cloud plus configuration and enterprise."
In other words, FEMA wanted a company that could do innovative things in a Salesforce environment. But FEMA didn't want innovative things in just any old Salesforce environment. It wanted innovation in the Salesforce government cloud environment.
And that's where NewGen ran into problems. According to FEMA, as part of its proposal, NewGen provided "a sample list of possible innovative applications, however, it is unclear if these are FedRAMP approved."
Whoops!
Now, to be clear, as NewGen noted in its protest, "nothing in the solicitation required bidders to propose only innovations that were already FedRAMP approved." Still, FEMA and GAO weren't having it.
As the FEMA evaluators wrote: "pursuing approval via the FedRamp process would require reallocation of resources potentially jeopardizing maturing the system to that of focusing on FedRamp approval for each application which lowers the government's confidence in this solution."
The point here was that, even if existing FedRAMP approval isn't a requirement, any solution that's going to involve additional FedRAMP approval would require time, money, and effort. Remember? Time, money, and effort!
And GAO agreed with FEMA:
[W]hile the protester does not dispute that FedRamp approval is necessary, the record reflects that NewGen's quotation neither explained that its proposed tools are FedRamp-approved nor included adequate discussion of how approval can be achieved while also allocating sufficient resources to mature the system.
So, NewGen lost and them's the breaks.
And yet, it does raise the question of what innovation in a Salesforce environment can practically look like if that innovation would require FedRAMP approval?
Unfortunately, the protest doesn't give us a glimpse into the winning bidder's proposal. But, if I were to guess, whatever innovation they offered, the winning bidder tried to steer clear of FedRAMP concerns.
And perhaps that's a lesson of NewGen? The vendors that have the "clearest understanding" of FedRamp government cloud know to stay comfortably away from additional approvals.
[1] A lovely secondary effect of a government-only cloud is that it makes it easier for cloud service providers to engage in price discrimination (or "third-degree price differentiation" if you prefer a little less edge).
[2] Not that kind of killer AI feature.
[3] Here's how GAO describes it: "The RFQ seeks IT services for the continued implementation and enhancement of the enterprise-wide Federal Insurance Customer Relationship Management (FICRM) Tool Salesforce platform and establishment of management system services and support for components in the Federal Insurance and Mitigation Administration (FIMA)." But basically, it's Salesforce development.