Delivering Software as a Service (SaaS) applications to Department of Defense (DoD) users can present unique challenges for a company looking to expand into this market. Whether it be facing a steep learning curve, mitigating the risk of highly variable cost, or navigating different accreditation requirements per customer, confronting these challenges are daunting at first. When it comes to authorizing and deploying your software for DoD use, understanding all options at your disposal will be key to navigating this process successfully.

4 Ways to Deploy SaaS applications

Finding the best SaaS accreditation pathway for your organization will depend on defense customer requirements, the maturity of your organization and product teams, and funding available. Physical server space, containerization, and intellectual property needs should also be considered when choosing a pathway for accreditation.

Traditional Authority to Operate (ATO) & Certification to Field (CTF)

The legacy process for deploying software into a government environment requires an Authority to Operate (ATO) or Certification to Field, and can be granted by a specific government agency or organization for their own network. This is a largely manual process where your system’s compliance with the National Institute of Standards and Technology (NIST)’s Risk Management Framework (RMF) based on standards such as NIST 800-53 must be assessed and submitted as a package along with supporting documentation. This process includes extensive configuration, documentation, and testing, and may include additional criteria depending on the sponsoring organization. 

This method is frequently used for on-premise systems hosted in DoD data centers and requires finding a hosting environment for your software. It is built around older approaches to certifying and accrediting software and can be largely incompatible with modern software development best practices like DevSecOps and Continuous Integration and Continuous Delivery (CI/CD). This process has historically been known to take more than 6 months, although 18F has since shown it is at least possible to do so in as little as 30 days.

Who is a Traditional ATO best for?

The ATO process is primarily used when security or operational integrity are concerns for on-premise technology. The ATO process is commonly used if the software being scanned is relatively static, requires server space within DoD areas, or if the company is looking to accredit a bundle of applications that are paired with hardware. Due to the extensive testing and documentation necessary for an ATO, companies with longer timelines and flexible funding are more likely to be able to successfully navigate this pathway. 

Companies developing software or creating SaaS apps that need to be accessible to the DoD in one or more classifications can also benefit from the traditional ATO pathway. In addition, the ATO process may be mandatory for some DoD customers based on the unique needs communicated by their Authorizing Official (AO).

What are the key benefits?

An ATO allows DoD personnel to use specific software in a specific environment. Through a security compliance and assessment process, an ATO validates that your software has met the government’s security standards and is ready for use. For SaaS providers, this means you can get software in the hands of DoD users for testing and mission purposes.

Estimated time to accredit: 30-180+ days

FedRAMP

FedRAMP was launched in 2011 to streamline the accreditation process and enable the government to capture the benefits cloud-based solutions have to offer. FedRAMP is specific to cloud service offerings and provides a path for companies to authorize their cloud environment for controlled unclassified information (CUI). Similar to the traditional ATO path, this method includes building authorization packages and compliance with industry standards such as NIST 800-171 and CIS Benchmarks. 

According to the FedRAMP website, “There are two approaches to obtaining a FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. To briefly describe the Joint Authorization Board, it is the governing body for FedRAMP that works with DoD, the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO), which can then be accepted on an agency-by-agency basis. In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an ATO will work with the agency throughout the FedRAMP Authorization process.”

Though historically notoriously slow and costly (our own conversations with industry professionals have indicated costs that vary significantly and regularly exceed $1 million), FedRAMP has made significant changes in recent years to speed transition and reduce cost for companies. The “FedRAMP Accelerated” case study highlights recent changes that have been made to speed up the decision-making process, with some companies receiving authorization in as little as 12 weeks.

Who is FedRAMP best for?

FedRAMP is best for medium to large SaaS companies that are looking to work with the federal government and accredit their entire SaaS platform. If the application is built on and/or integrated with a public cloud provider, companies can use the FedRAMP process and baselines to authorize their platform. Most companies use FedRAMP due to the security assurance from FedRAMP screening, in addition to its prominence within civilian agencies.

What are the key benefits?

FedRAMP ensures consistent levels of security throughout government cloud services—and consistency in evaluating and monitoring the product. The process is well-known across government and within the private sector, giving it credibility. FedRAMP also secures a singular standard for government agencies and all cloud providers. This security transparency gives everyone—federal agencies, critical infrastructure, or other commercial companies—more confidence in both the cloud solution and the CSP providing it.

Estimated time to accredit: 3-18 months

Platform One Ecosystem

Platform One is an Air Force organization dedicated to providing DoD enterprise-wide DevSecOps software and managed services. Iron Bank is a Platform One service that enables DevSecOps across military branches by providing git repositories and a pipeline to build, scan, and authorize hardened containerized applications for use on DoD systems. Applications that have gone through this process can be found in Registry One and are available and approved for use on many DoD platforms. Visit the Iron Bank checklist to learn more about the onboarding and approval process.

Platform One also offers a hosting service called Party Bus that runs mission and enterprise applications. Iron Bank is an excellent accreditation path for containerized applications that must be used within several different hosting environments across DoD. Party Bus is a cost-effective hosting option comparatively, but it has the drawback of requiring funds to be sent from a government sponsor to Platform One before onboarding. Additionally, there is a selection process for applications chosen to be hosted on Party Bus with no guarantee that finding a sponsor and funding will secure your spot on the platform. Party Bus onboarding workshops are available to anyone who wants to explore this pathway.

Who is Platform One best for?

Platform One brings in the best aspects of DevSecOps to software developers by utilizing Platform One’s built-in continuous Authority to Operate (cATO). It is best for applications that are already containerized and are looking to speed up the process of development for and streamline acquisition of their software while maintaining high levels of security.

What are the key benefits?

The key benefits to Platform One include its ability to enable DevSecOps and CI/CD practices in addition to its cATO, enabling quick reauthorization as a result of robust system-level continuous monitoring programs. Without the constraints of having to go through the traditional ATO process multiple times, the cATO can alleviate time and funding stressors on a company and allow for continuous development and reauthorization. 

Estimated time to accredit:  <90 Days

Game Warden

Building on lessons learned from Platform One and innovations pioneered by DoD software factories, our team at Second Front Systems™ (2F) set out to build a platform that could accelerate software delivery into DoD networks for companies of all sizes. 2F’s B2B model scales rapidly without the budget constraints and contracting requirements government agencies face. 

‍Game Warden® is a DoD-authorized DevSecOps Platform as a Service (PaaS) that can scan, harden, authorize, and host containerized applications in production environments that are accessible to defense end users. Game Warden follows a traditional licensing model and integrates a company’s Cloud Native Computing Foundation (CNCF) compliant containers into Game Warden’s container repository. From there, Game Warden continues to look for security weaknesses through functional testing, container security scans, container hardening, and test deployments. The platform includes infrastructure and platform management, in addition to ensuring your application and hosting environments meet or exceed government security standards.

Who is Game Warden best for?

Game Warden is ideal for SaaS companies looking to expand rapidly within the defense sector and for government organizations wanting to rapidly leverage commercial software for their missions. Companies looking to speed up their deployment process using DevSecOps methods are great fits for this pathway, especially if they have been containerized using Platform One’s Iron Bank or an other third-party containerization system which prepares an app for Game Warden’s technical requirements. Game Warden also includes a mutual non-disclosure agreement and strict access controls to prevent intellectual property theft.

What are the key benefits?

Game Warden accelerates the delivery and accreditation of commercial software for DoD environments. Game Warden is built to significantly reduce the barrier to entry for software vendors new to the defense space trying to get their products into the hands of DoD end-users and preparing for scale. The fully managed DevSecOps platform provides a secure, authorized hosting environment for your applications with a simple, user-friendly interface and dedicated support. Game Warden enables both commercial and government solutions to increase speed, security, and scalability for testing, evaluating, procuring, and hosting SaaS applications.

Estimated time to accredit: <90 Days

Takeaway

Entering the defense market as a software company isn’t easy. To make your delivery as streamlined as possible, it’ll be key to align your company’s development and deployment processes with your customer’s needs and accreditation requirements. Understanding each pathway and working with your DoD customer to choose which is best for you will greatly reduce overhead and obstacles faced when deploying to users.

‍