Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Tim Winkler (00:04):
Welcome to The Pair Program
from hatchpad, the podcast that gives you
a front row seat to candid conversations with tech leaders from the startup world.
I'm your host, Tim Winkler, the creator of hatchpad.
And I'm your other host, Mike Gruen.
Join us each episode as we bring together two guests to dissect topics
at the intersection of technology, startups, and career growth.
(00:32):
Hey everyone, welcome back to The Pair Program.
Tim Winkler here with Mike Gruen.
Uh, Mike, my wife is a big fan of these National Calendar Day, uh, items, so.
You know what I'm talking about with that?
I mean, I know that there are
Mike Gruen (00:46):
national calendar
days, but National days.
Yeah, but I don't know.
So every day
Tim Winkler (00:50):
is some
national day to celebrate.
Is every day something?
Yeah, they've come up with something for every day.
So for example, today is national avocado day.
And, um, so I'm gonna ask you an avocado guy.
Are you big, big guacamole
Mike Gruen (01:04):
guy?
So I like avocados, but I'm not a big guacamole guy.
Um, usually got too much garlic in it for me.
And, uh, the garlic just doesn't sit well with me.
So.
Um, it's not that I don't like the taste of garlic, it's just
that it does bad things to me.
Tim Winkler (01:18):
Yeah, so, so, F.
Mary, kill, uh, guac, queso, guac, queso, salsa.
Oh, it's
Mike Gruen (01:28):
Mary salsa, FK, so kill,
uh, kill the guac, kill the guac.
Okay.
We're going to make a little sound bite of that for you.
Not at
Tim Winkler (01:42):
all.
The most awkward beginning, just awkward, awkward start.
Um, all right, we'll transition from, from there.
Uh, I'm excited for today's episode.
So today we are kind of diving into the world of government
compliance and cloud technology.
A special focus on FedRAMP.
So FedRAMP is short for the Federal Risk and Authorization Management Program.
(02:05):
And joining us are two experts who are pretty deeply entrenched in the
FedRAMP ecosystem from, uh, a couple of different unique vantage points.
So first we have Sara Mazer, the federal CTO at LaunchDarkly, a software
company specializing in feature management for development teams.
Uh, also note that Sara is a co-founder of the Federal Cloud Advisory
(02:28):
Board, uh, which is a nonprofit dedicated to making the FedRAMP
authorization process easier for all.
Uh, and accompanying her is Nick, uh, Rundaug, a managing director at Shellman.
A company providing compliance and attestation services globally.
Nick's also an expert FedRAMP assessor.
Uh, and so together we're going to explore what FedRAMP really means
(02:50):
for companies, kind of that intricate journey of getting certified and why
this is crucial for any software provider that's working with the U.S. government.
So Sara, Nick, thank you both for joining us today on The Pair Program.
Sara Mazer (03:05):
Yeah.
Thank you for having us.
Of
Tim Winkler (03:07):
course.
All right.
Now, before we dive in, we're going to kick off with our pair me up segment.
Uh, here's where we all kind of go around the room and spitball a
complementary pairing of our choice.
Mike, you lead us off what, what's your pairing for today?
So.
Mike Gruen (03:19):
Again, try
and go back to some food.
Uh, I'm going with, um, tuna salad with a hard boiled egg, uh, mixed into it.
And it's, uh, my grandmother used to make it for me when I was a kid.
It's just like, it's just a favorite.
Um, toasted rye if you have to, or pita.
But, uh, but yeah, the, um, egg salad and a hard boiled egg.
(03:44):
That's my pairing.
Oh, what do you say?
Tuna salad.
Oh, sorry.
Tuna salad.
Yes.
Tuna salad.
Yeah.
Yeah.
I had chicken salad for lunch.
That's what made me think of it.
Tim Winkler (03:54):
Uh, I'm
right there with you, man.
Tuna.
Tuna salad's one of my go tos, but if you don't have that hard boiled egg in there,
I feel like it's not a complete salad.
There you go.
Yeah.
Yeah, big, big, uh, hard boiled egg fan.
Awesome.
Cool.
Um, all right, I'm going to deviate from food.
Uh, and this is just going to be probably a pairing for myself.
(04:14):
Not, not many people will understand, but I'm going to go with solo
parenting and documentaries.
Um, so last night my wife went out to dinner with some of her, her girlfriends.
So I, I played the single dad.
Uh, you know, watching my daughter, uh, Alice and we always have a great
time when I'm, when I'm, we're just kind of one on one with each other.
(04:36):
So we did, we did dinner and read some books.
And then when I put her down for, for bed and it's just me, I always find
like, that's like the perfect time for me to get locked into a documentary.
Documentaries, I feel like you just, you got to be really
tuned in with no distractions.
Uh, so this is kind of like my time to do just that.
So that's, that's my pairing.
(04:57):
I got locked into a pretty wild one on political conspiracies last night.
Um, I won't go too, too into detail on it, but, uh, I'll shout it out.
It was called Everything Is a Rich Man's Trick.
Uh, and you can.
It was only finding on YouTube, um, but, uh, went down this whole
Reddit rabbit hole to find, uh, some interesting documentaries.
(05:18):
So Reddit's another one.
Reddit's another one.
You could probably pair Reddit with some good conspiracy theories, but, uh,
that's my, that's my pairing for today.
Uh, let's kick it over to our guest, uh, Sara, about yourself,
quick intro and your pairing.
Sara Mazer (05:35):
Yeah.
So, uh, you intro'd me just very well.
So I am the federal CTO of LaunchDarkly and been with the company over four years.
I've taken the company through FedRAMP authorization from the very beginning,
all the way through the end and continuous monitoring and that sort of thing, uh,
looking at maybe doing it all over again.
So a lot of this is really fresh in my mind.
(05:57):
Um, and then I would like to say my pairing is.
A dog and another dog.
So I am an animal lover.
I rescued dogs.
I think that they're like potato chips.
You can't have one.
If you have one, it's not that big of a deal to get another one.
So consider adoption and they're pack animals.
(06:21):
They love to just hang out in packs and makes you feel less guilty
if you leave them at home alone.
So I think, uh, I'd like to just shout out having multiple dogs.
Mike Gruen (06:31):
We, uh, I grew up with
dogs, our dogs were outside dogs, uh,
and having, we always had at least two, usually three, sometimes four,
uh, cause they're a pack animal and, uh, they want to hang out together.
Awesome pairing.
Tim Winkler (06:47):
I like the analogy of
the like potato chips can't have
just one that's that was creative.
We, we had two dogs, um, for, for a few years.
We lost one, this guy, Griffin, uh, behind me here, we had a little, little
painting, but we, we got, um, a puppy when Griffin was about seven years old.
(07:07):
And I, I always found it really helpful to have a, you know, a puppy
with a more mature dogs, it kind of, they follow suit helps with
like training and stuff like that.
So, um, Well said, I think great pairing, uh, all right, let's pack
it, pass it over to, uh, Nick, but quick intro and, uh, your pairing.
Nick Rundaug (07:26):
Yeah, thanks Tim.
Um, and like Sara, uh, good, good intro already, but, uh, Nick Rundaug,
Managing Director at Shellman.
Now our federal service line leader, um, amongst others here, uh, for
pairings, um, as you can tell behind me, I do enjoy some retro video games,
uh, video games with my daughter.
Um, she's 13 and of that, uh, age and generation where they
(07:51):
like phones, they like games.
So it's a perfect way to connect.
Um, recently, uh, within the past year or so she was playing Fortnite.
And I've never won a game.
Um, I pride myself on a lot of, uh, the battle royales that I've won a game.
Number one, and she got me my first win on there.
I think I killed, got one kill.
(08:12):
She had like eight, but I'll take it.
A win's a win's a win.
Uh, so yeah, video games and my daughter.
It's a good pairing.
Mike Gruen (08:19):
Awesome.
That's a good pairing.
Tim Winkler (08:21):
That's solid.
Does she play some of your old school retro games?
And it's like, what, what am I, what are we doing here?
Nick Rundaug (08:28):
Absolutely.
Yeah.
She appreciates all of them.
Uh, and, and they've been good about porting a lot of those to Switch.
So we do, we probably play Switch more than.
More than PC games, but, um, yeah, she, she does appreciate some of the
old ones at Mario's classic and time.
Yeah.
Tim Winkler (08:42):
Yeah.
Nice.
Yeah.
Love the switch.
All right.
Uh, that's a, that's a wrap on the pair me up segment.
So, um, let's go ahead and, uh, transition into the, the
heart of our discussion here.
So, as I mentioned, we're going to be talking about FedRAMP, uh, and covering,
you know, like the definition of, of FedRAMP, the certification process.
(09:04):
Um, some of the associated cost challenges and advice for companies
that are considering the process.
Uh, so in true pair program form, we're going to be able to approach
this from both sides of the coin.
Sara, taking the perspective of a company getting certified.
Uh, Nick, with the perspective of, uh, a 3PAO or a third party
(09:25):
assessment organization, uh, working with a company getting certified.
So let's, let's dive into it.
Sara, how about you maybe kick us off with an explanation more on what FedRAMP
is and its significance to companies?
Sara Mazer (09:40):
Sure.
So FedRAMP is an authorization program that is managed out of the
GSA's program management office.
So GSA for short.
And it is a way that companies such as LaunchDarkly or other providers
that have something to do with the cloud are able to get authorization
(10:03):
to work with government agencies.
Theoretically, it makes it easier for government agencies
to purchase your software.
It means that your software has been vetted as more secure than
it otherwise would have been.
So it means that you're compliant with certain government regulations.
And the goal on the government side is really to share that work.
(10:25):
So instead of every single agency going through and vetting, a CSP or
cloud service provider, which we are, um, and making sure that it's secure
and it meets certain regulations.
Now you have one organization that standardizes that practice and all
the government agencies can kind of take advantage of the work of
(10:47):
maybe your sponsor or the JAB in the past, there was a JAB and, and then.
That work can be shared amongst all agencies and it makes it easier and cause
it saves costs for the agencies as well.
Tim Winkler (11:01):
Awesome.
Can, um, so before we pass it over to Nick, can you tell us a little bit
more about your, LaunchDarkly's,
like, evaluation and initiation into FedRAMP?
Sara Mazer (11:14):
Yeah.
So it took us some time to actually go through that process.
There's a lot that happens upfront, even before we start
working with somebody like a 3PAO.
And that is, do we even want to make that effort?
And so there's analysis of looking at your pipeline, looking at your
(11:34):
product, trying to figure out how much change would need to happen and putting
together a proposal for the board.
And so there's a lot of work that goes into it before you even start
talking to 3PAOs or the GSA on whether or not you're going to go through it.
And then once you start talking.
(11:55):
To the PMO, they expect you to pretty much do everything in about a year.
So start to finish for LaunchDarkly, it was about three years.
Uh, but starting from the point of working with the GSA on forward,
that was just over a year.
Tim Winkler (12:13):
And maybe for some
helpful context, what's the size of
LaunchDarkly or what was the size of it to like when you all first
started going down the process?
Sara Mazer (12:23):
So we were
about 500 employees.
And we are fully SaaS.
We run in the cloud and require cloud components.
We did have an on-prem version, which means that we're actually running at
another government agency's cloud.
So we started.
We started with a little bit of an advantage and that we, we
(12:46):
knew what kind of regulations we had to comply with already.
So we had an idea of the level of work for creating a federal instance that
some companies may not be able to take advantage of, but, uh, yeah, so we already
had a couple of different versions of LaunchDarkly running in different places.
(13:06):
And the decision was, do we want to migrate over to a federal instance?
Where we can then bring on other government agencies at that time.
Tim Winkler (13:16):
And your background
specifically, maybe it's, it's helpful
to paint the picture of where you kind of came from and where you specifically
brought on, uh, to the team at LaunchDarkly with this initiative in
mind, or was there other areas that you were satisfying and then this kind
of came onto the, onto your plate?
Sara Mazer (13:36):
So we were a small team
at the time and I came in as the
first, uh, technical, uh, expert for the federal team at LaunchDarkly.
And at the time we were not considering FedRAMP.
So I had worked with the accounting executive to start
building a case for FedRAMP.
So it wasn't a done deal.
(13:56):
We had to go and convince the board.
We had to look at the pipeline.
We had to look at all the companies that have approached us in the past
and look at the deals lost because we weren't FedRAMP authorized.
And so I started with that AE from day one to build a case
and it, it did take some time.
Tim Winkler (14:17):
And then when you were going
through selecting these different vendors,
you know, what is it, what was it that you were kind of looking into, or maybe
some of these challenges that you ran into when you were kind of deciding or vetting
through some of these 3PAO firms?
Sara Mazer (14:38):
Yeah, I, I have a
whole bunch to say on lessons
learned and best practices that I'm sure we're gonna get into.
I think at the time though, our company was so new to FedRAMP
in general, I was new to it.
It was a learning experience for everybody.
So I think, you know, we, we knew the process, we knew about the timeline.
(14:59):
We knew a little bit about the product.
We didn't know much about the 3PAOs.
Um, and so vetting them was at the time just talking to them and getting prices
and figuring out how long it will take and their expertise on, you know, taking
companies through that and um, and now looking back and trying to decide if we're
(15:23):
going to go through this all over again.
There's, there's so many lessons learned there.
Um, I think we did a decent job, but there's always room for improvement
and that's what I wanted to do when a few of us got together in industry
to start the Federal Cloud Advisory Board, because there really wasn't
anybody to go call up and say, Hey, you went through this before.
(15:45):
Who should we hire?
Why?
You know, tell me some horror stories or give me invite.
There wasn't any of that for like the smaller and size CSPs.
So a bunch of us through LinkedIn met and got together, and there
were four co-founders at the time to kind of help each other out.
We were all in different stages of going through federal authorization, but it
(16:08):
was such a painful procedure that we all just want to help each other out now.
And so we have that nonprofit that we started to kind of hold other
people's hands and give them advice.
And, um, we're very blunt internally about, you know, who's, who's a
good 3PAO and who's not, and here's why, and, and talking about
all the issues and change that are going on at the GSA office right now.
Tim Winkler (16:34):
That's great.
It's what, this seems like a very helpful, uh, organization to.
To, to identify with when you're going through the process and we'll be sure
to, uh, shout out all the, the terrible 3PAOs on this podcast as well,
uh, but no, it's, it's, it's sound.
Let's talk about a good one.
So you had a good experience here with, with Shellman and Nick, let's
(16:56):
pass it over to you at this point.
Um, maybe start with, you know, a little bit more of.
Overview on like, you know, Shellman, how you all operate as an organization,
and then, um, uh, maybe a little bit more detail into, you know, coming to
3PAO and, and then how you all kind of got intertwined with LaunchDarkly.
Nick Rundaug (17:15):
Yeah, no, absolutely.
Um, one of the terms that, that you hear a lot is 3PAO, three PAO, three pal,
uh, third party assessment organization and, you know, a critical piece of
the FedRAMP process because the third party portion of that, um, prior.
It'd be FISMA reports, and we just go right to the federal agency using it.
Um, that's, that's good.
(17:35):
It works on a small scale.
So, FedRAMP is leverageable, so it's scalable, meaning you get that
one report, and it can go to as many authorizations as, um, federal
agencies want to use their product.
So, LaunchDarkly, they can have multiple authorizations now, one report, so it
saved time and money on everyone's side.
Um, the third party part comes into play because now someone
(17:57):
else who's independent comes in.
It's not a self assessment, um, by the cloud service provider, so by and
large, it's not the federal agency that might not have the expertise.
So third party, that's us, um, uh, for FedRAMP, 3PAOs are accredited.
So there's a short list and shockingly over the years, it's only gotten shorter.
(18:18):
So, um, that list, if you really go on there and it's all, it's all public, go
on the marketplace and take a look, that list has gotten shorter over the years.
Um, because there's an accreditation process to it.
So A2LA is an organization that comes through and kind of
audits the auditor, so to speak.
So on a yearly basis, they check us, check our work and all that.
Um, that's how one becomes a 3PAO.
(18:39):
So Shellman, um, starting as a, an accounting firm, uh, doing non finance,
we focus on security assessments.
Uh, saw this as a, as a, you know, a market that is developing and we got
our, um, accreditation and have been one of the first, uh, to, to do that.
So we've grown over the years.
Um, we, you have a choice and you can be, um, have consulting
(19:02):
advising services as well, or you could be pure play assessment.
We are pretty much the only one on that list that's pure play assessment only.
We don't offer consulting advising.
Um, that's helped us expand quite a bit in that, um, FedRAMP prohibits you from ever.
Doing work and assessing your own work.
Um, so that's one of those things that when folks are looking, looking at
(19:26):
those that they have to kind of make that decision to want one or the other.
Um, it's made us have that expertise specifically on assessing and so
our assessors get very good at particularly FedRAMP assessing.
So that's why you've seen the, uh, the growth in those numbers
or anyone that has seen that.
Um, that comes through on the, on the marketplace.
So that's how we kind of got in that business.
And, um, we've expanded that quite a bit.
(19:48):
And now we're the one in the marketplace, probably for one of those reasons, there
is a pen test portion of that as well.
So we also not only do we have assessors part of our assessment team.
Are penetration testers as well as FedRAMP does require that.
So it's kind of an all encompassing thing.
Um, that's what every 3PAO that you're hearing does.
Um, and that, that's what we do.
(20:09):
We got introduced, um, LaunchDarkly.
I believe I remember correctly was kind of looking around at assessors.
We did not do their initial assessment, but they were looking at, um, changing.
So we spoke with them, um, kind of talked through how we would do things.
Um, any, any, uh, thing that they want to see differently how we would address
that and see if there's a right fit.
(20:30):
It was, and we've continued to do their annual assessment.
From then on out and with FedRAMP.
That's kind of the other piece that was put into place when
the program is developed is.
It wasn't a one-time report.
There's a continuous monitoring aspect.
Part of that umbrella continuous monitoring.
Is an annual report that has to be done by a third party assessment organization.
(20:52):
So we come in and check them on an annual basis.
Thanks.
Um, and look at all sorts of stuff, but we basically look at a subset
of controls every single year.
Mike Gruen (21:00):
I think one of the things
that you touched on it, but I think it's
important to point out is the fact that there's that separation between doing
the work and assessing the work, having gone through any number of assessments
for various things over the years.
There was always there were there's plenty of certifications you can get where
the company that's doing the assessment is also the one that's helping you and
miraculously they have a 100 percent success rate if you just pay them.
Um, so, um, so I like that about FedRAMP.
I, um, like from my perspective, I at one of the companies I
started the process, I left that company before we sort of did it.
But we went, we started going through the whole FedRAMP, um, like
looking at it and assessing it.
And we didn't get to the point where I got to pick an assessor, but, um, did get
(21:44):
through like, so there is a lot of tools.
I think, um, Sara, back to your point of like, there's a lot of tools you can
use to do pre assessment and early stuff to sort of get an idea of how much work
this is going to be, because that's when you're talking about, you know, like going
to the board and getting approval, not only do you need to know what the pipeline
is, but you also have to have some concept of what the cost is going to be.
(22:04):
Um, so, um, so I've gone through a little bit of it, but not the whole thing,
but, uh, I did, I was, I'll wrap it up.
I was, uh, happy to see that the, the, they keep it separated, that you can't
do the work and assess your own work.
Oh, that's cool.
Tim Winkler (22:21):
Let's, let's dive
deeper into the cost of it.
Um, I'd love to, you know, try to get as transparent as possible for some of those.
Folks out there that might be considering this.
So, um, yeah, Nick, what, what are some of the typical assessment costs for
companies wanting to become certified?
Nick Rundaug (22:37):
Yeah.
And we can kind of break it down really into there's everything
before the assessment, um, Sara's probably gonna come in on that.
Uh, so there's architecting, right.
Standing it up.
Um, and all of that is, uh, possibly consulting, advising work that goes
into that, getting someone's expert expertise as to, Hey, what does FIPS
140-2 or -3 mean?
And what are the current modules that do that?
(22:58):
That's all that pre work, right?
Then there's the assessment piece, that's us.
There is an ongoing piece after that that's worth mentioning, we have a
part of that, but, um, it's, it's always good to, to recognize that a
CSP is going to have regular costs probably as part of that, right?
Like, there's, there's increased scanning requirements, there's certain logging and
(23:19):
incident response, and all that does come with a cost, um, that Sara will probably
be able to answer better than I can.
As for actual assessment costs, um, it's, it's fairly transparent.
It's a level of effort thing.
Um, it is the, uh, as an assessment firm, it is the most expensive, most
expansive, uh, most, uh, technically, um, you know, uh, complicated assessment.
(23:46):
We do most of the time.
That means we, um, have a pre period where, um, there's some deliverables
federal requires like a SAP security assessment plan, and then the actual
SAR package security assessment report.
All of that kind of gets bundled in as well as with a pen test, penetration test.
Uh, up to six vectors that includes everything inside that bubble of a
(24:06):
boundary and, and, uh, any mobile apps and other type of things they want to
authorize all that means we know the number of weeks and a lot of times
just comes out to number of weeks as well as that kind of review afterwards,
a standard, um, as of 2024, a, uh, moderate initial assessment, 260,000
is about what it costs a quarter mil ballpark right on in there.
(24:29):
That's just that assessment piece on an annual basis.
Think around 200.
Um, other costs that can come into play from an assessor is if you have
changes that are ad hoc throughout the year, those have to be tested.
So, once again, level of effort on number of weeks and if a pen test,
but those are some ballpark pricing just on the assessment piece.
(24:49):
But then you take that and add it to, uh, throw it over to Sara on probably what
a lot of that cost is rolling up to that.
Um, and it goes up quite a bit.
Tim Winkler (24:59):
Yeah, Sara, what
kind of additional cost, uh, kind
of came into play on, on your end?
Sara Mazer (25:06):
It's interesting because I was
just looking at the numbers because we're
trying to figure out where we go next.
And we look back at the ROI of the FedRAMP moderate instance.
And I looked at how we were doing accounting for that federal instance.
And, um, it was, it was pretty interesting cause that's not necessarily my world.
(25:29):
Um, I would say, you know, it really depends on your product
and the company and where you're at in the process, how much it's
going to be, um, for LaunchDarkly.
I, I think it's safe to say that, you know, it's over seven figures to do
the whole thing that includes a lot of, you know, infrastructure costs because
(25:51):
you're standing up a completely new instance and some other region of Amazon.
And.
It also includes product changes, so there's going to be engineering effort to
swap out components of your architecture with things that are FedRAMPable.
So there are, and so that's going to differ from company to company.
(26:13):
Not everything is FedRAMPable, so you have to then figure out, like
CDNs are a good example, right?
There's, you know, our commercial instance uses Fastly and they're not FedRAMPed.
So then what do we do, right?
And so there's all these decisions that you have to make.
And so there's the engineering hours just to change the architecture, which then
(26:33):
are people hours, plus you're buying new software, new components, potentially.
Right.
And then there's compliance costs.
So there's all the way down to the operating system level where we
switch to like Canonical's FIPS,
um, Ubuntu Pro, which is, you know, FedRAMPable because it has got the
(26:54):
encryption in a, um, all the way up to like higher level, um, types of
services that we take advantage of.
So, you know, that, that whole across the board from really low level to higher
level components that may need to be replaced and then on the flip side, it's
not really cost, but you could lose.
Capabilities in your product, and does that hurt your market share because
(27:18):
you don't have all the capabilities your commercial version does because
things just can't be compliant with FedRAMP as things stand today.
And so there's kind of that loss that doesn't show up on,
you know, the P&L sheets.
For it, but it certainly plays a factor in the decision of whether somebody
would want to go through FedRAMP or not.
(27:39):
So, and then just the general, as Nick mentioned, you know, the ConMon meetings,
all the paperwork that you have to go through all the time, a significant change
or class that all takes time and eats up engineering and security team hours.
So it does end up being pretty significant for all of the CSPs.
Mike Gruen (27:57):
I'm curious, did you, um,
have like a separate team that was sort
of responsible for this or was it just part of broad engineering responsibility
to maintain essentially both versions?
I'm just sort of curious.
And did you experiment with both?
What was sort of your experience?
Sara Mazer (28:15):
We kind of had a
tiger team that did the migration.
So we did take it, our instance that was posted at a federal agency and move it.
And so the tiger team were the experts in the migration effort.
But right now, all of engineering is expected to be able to understand the
federal instance and go in and, uh, and deal with incidents and all of that.
(28:36):
There's another component, which we made the decision at the time not
to do, but it's whether you should run in a GovCloud region or not.
That's independent of FedRAMP and you have to look at your pipeline
and your potential customers to be able to make that call.
Um, but that is another change where then maybe you do have to start isolating
(28:57):
out who's going to work on the federal instance because they have to be U.S.
citizens and so all the way from support personnel to, uh, security to developers.
And so that's another organizational change that you might have to
think about if you're going to go through and install in GovCloud.
Tim Winkler (29:18):
Yeah.
I mean, I think you were saying in the, in those early stages, when you're kind
of got getting the key stakeholders and onboard with this, you know,
you're probably really looking at that opportunity pipeline, you know, some
of those opportunities that you lost out on, uh, yeah, one or two of those.
It's an easy justify the cost of.
You know, this type of implementation and the value add there.
(29:41):
So, um, yeah, it's, it's, you know, it's not a drop in the bucket and, and
I, this is kind of leads me to another question too, is, you know, um, you know,
there's this list of assessors, these, these 3PAOs that you all reference.
Um, is it pretty standard pricing across the board or is
(30:02):
there, you know, uh, I guess you mentioned level of effort, right?
So if it's a smaller organization, do you find that the cost is
going to fluctuate, um, you know, based on the size of that org?
Nick Rundaug (30:17):
I can
answer, I can answer first.
Um, a lot of times we don't entirely know, um, you know, what, what, uh,
our competitors are charging, but, but we do hear quite a bit, you know, um,
we'll be higher than, than quite a few.
But once again, um, a decision we made on, on talent retention, focusing
on that and hoping that that, that comes through, um, it's also several
(30:38):
different models that folks have.
I know we, we approach things and try and provide value that way going.
It's not going over that.
And others will kind of take a different approach and go, well, we'll charge you
for support meetings and things like that.
Whereas, um, we'd rather, um, folks kind of know that going in, but prices, I,
I would be, um, surprised, especially because when I said that shrunk, a lot
(31:00):
of them could not find a model at work.
So, you know, we've been doing this a good 10 years, um, really came out 2011.
I think.
You know, we're doing it close to the beginning of that.
So, um, that list that was well over 100 or maybe approach
100, but it's quite a bit.
Um, it's down to really, in my opinion, about 30 active, of which, um, only
about 10 of those have double digits.
(31:21):
So, um, some of those pricing models that were.
Very low.
Uh, I think to try and get the foot in the door have gone away.
So, um, they're probably all within about the same, um, certain percentage,
maybe 20%, I know that's a pretty big percentage, but, um, yeah.
And then I'm not sure Sara has any insight there as well.
Sara Mazer (31:39):
I do.
Since I talked to quite a few of them and we got quotes from a bunch, maybe
this is a good time where I could go over, um, my list of tips for vetting.
Tim Winkler (31:52):
Yeah.
Sara Mazer (31:53):
But for, uh, so.
I'll start out with saying that price should be really on the
bottom of your list, right?
So they're all somewhat in the same ballpark and it
really matters who you choose.
The first thing that you should do is ask other people, their experience
(32:14):
of working with companies and there are now organizations such as my
nonprofit, but there are others.
But it's really, really important to get feedback on which are good and which
aren't, because there are some that are pretty well known to be not so good.
And some that are.
You know, there's, there's about four of them in my mind that I've
heard nothing but positive things.
(32:35):
And you know, another trickything is people move around too.
So it doesn't matter.
It's like, who is theperson doing the work?
It's not just the sales guythat's giving you the quote.
Um, you really need to make surethat they have a good team of people
that know what they're doing andretention is really important.
Some of them have a lot more turnover,and so you don't know that unless you
talk to others in the industry thathave potentially gone through this, but
(32:59):
that's the first thing is really justdo background checks on them and reach
out to people that have gone through it.
I think almost everybody that has gonethrough the process, if you even find them
on LinkedIn and say, Hey, I just have afew questions, they'd be more than happy.
To tell you their experience becauseit's, it's such a painful procedure,
(33:21):
but there's other things that youmight want to consider, um, related
to, uh, whether they've got experiencewith companies in your space.
So they may not have experience with acompany that does exactly what you do.
It may be on the database side, or itmay be on, you know, the, the higher
level, uh, software as a service sidethat's, you know, fully application based.
(33:42):
And so somebody that has a littlebit of an experience and, and what
you do or understands your industryand our space is really important.
Um, and I would say also they understandthe agency that you've worked with and
they've got authorizations with the, uh,sponsoring agency because, for example,
CMS is our sponsoring agency and on topof the FedRAMP regulations, they've got
(34:07):
something called ARS, A R S, um, that areadditional compliance regulations that
we have to adhere to to get that ATO.
So if your assessor knows thatand is familiar with that, then it
just makes it a little bit easier.
Thanks.
And then there's thecontracting side as well.
So you want to make sure that if you contract with one, that you want to
(34:29):
ask for some way to do weekly status updates or monitor their progress.
Um, because we've seen issues with other three POs where they're, they could just
go radio silent or things get delayed and you want to stay on top of it and you
want to put that right in your contract.
Another one, I was like an early termination clause.
(34:49):
Um, sad to say that that does happen sometimes is that, uh, for whatever reason
you want to get out of your contract and work with a different 3PO, um, you
want to make sure that you have the right clauses in, you know, up front and
you've thought of that ahead of time.
And then I also think in terms of going back to pricing, there are companies
(35:11):
out there that offer FedRAMP in a box.
And And they do a similar thing, right?
And they, they kind of promise that you'll go through a FedRAMP authorization
and some of them help you do 3PO work.
Um, but then it kind of limits the architecture and limits the
control that you have in making changes to your architecture.
(35:33):
So there are a lot of trade offs there.
So the prices on those are not apples to oranges and those, but you want to
be very wary of the FedRAMP in the box.
Type of, um, services out there.
And my experience, uh, some of them are, you know, have had really good positive
customer, um, outcomes, but other ones that I've heard frustration from as well.
Nick Rundaug (36:00):
Yeah.
Uh, well said Sarah on all those points.
I, uh, the one key thing that she said, I think is very important.
I always say, if, if, you know, You get on a sales call,
people can tell you anything.
How do you know they're lying?
Go on that marketplace.
The cool thing FedRAMP did, they made all that information public.
Reach out to one of those that is a client, pick
randomly, pick randomly, right?
(36:22):
And see what they say.
Like, that's a true test right there.
Uh, and say, Hey, how was your experience?
I put a lot of stock behind that and think that, um, everyone should do that.
Mike Gruen (36:30):
Yeah, that's
awesome advice in 20.
So I, when I was going through it, it was 2012.
Uh, it wasn't a lot of people to talk to.
There were a lot of companies offering that there are a lot of, and it was the
way we got hooked up with the company that I think we ultimately ended up using.
Um, it was, it was all just connections, people knew people
and they're, and they really pushed hard on how well connected they were
(36:54):
with the agency we were going with.
And I don't know, I never really felt great about them.
I'm not going to throw any shade, but I'd be surprised if they're still around,
but it is, it's nice to hear though, that, I mean, that is
part of it is that relationship is important that they understand.
Um, so maybe, maybe my read on that situation was, was a little off.
(37:15):
Maybe that was an important aspect that I, uh, didn't pick up on.
Um, but yeah, those are really helpful tips.
Tim Winkler (37:21):
Yeah.
Super helpful on the, on the three PAO vetting.
And I guess to kind of put a bow on the, on the discussion at large, any advice
for just companies considering FedRAMP at large, like the when and the why that you
would, Just want to point out and closing.
Nick Rundaug (37:40):
Yeah, I can, I can start.
Um, we, we get a surprisingly large amount of CSPs, cloud service providers
that come to us, find us first.
They're actually probably looking for consultants, advisors.
Um, and then we also see through that and those initial kind of steps
of as well as the actual assessment and we see a lot of items that stop.
(38:01):
You know, kind of a showstopper or cause issues.
Um, one is just kind of what Sarah is saying is just get familiar with it.
You know, a lot, a lot of that, that stuff is out there, um, on the FedRAMP website.
There's a lot that's not right.
A lot of the guidance that's, that's missing and you have to kind of learn
it, but there's a lot that's out there that shockingly, Folks just
don't know even though it's ready.
(38:22):
It's ready there.
So, um, there's a thing called a readiness assessment report and it's,
uh, the templates are out there.
So is the system security plan template within that is
essentially an open book test.
Everything you need to do is out there.
There's items that they've even designated mandates, right?
So encryption, it's 140-2, 140-3, as well as scanning requirements.
(38:47):
Those are the two biggest issues that we run into as far as the technical
implementations that cause a delay.
And time is money, right?
Because you want those federal contracts, the quicker you can get
them, the quicker this pays off and your return investment comes through.
So, focusing on that early and building it and architecting it into the
system early is absolutely critical.
(39:09):
So, being familiar with those requirements and distilling them down
to the technical requirements and the mechanisms you can do to employ.
Um, Huge pride, pride.
Number one thing.
I think that, um, I think, uh, CSPs could do early with their
engineers is just plan for that.
No, they have to do it and get familiar with those.
Mike Gruen (39:27):
It's funny that
sorry, just to jump in.
It's funny that you mentioned the encryption 1 because that was 1
that when we were doing our self assessment, we're doing all of the
readiness and bubble on all the scans.
Our, it came back that our, well, we were using one that wasn't compliant,
but it was actually higher that like we were doing more than what was in
the standard and that tripped us up a lot because it was like, how do,
how are we going to navigate this?
(39:48):
We weren't really sure.
And, uh, eventually we figured it all out, but it's, it's these weird
things that you don't even, you think, Oh yeah, we're, we're great.
We're fine.
And then it's like, Oh no, actually you're not.
And
Nick Rundaug (39:59):
the
Tim Winkler (40:00):
scanning, I mean,
Nick Rundaug (40:02):
there's requirements on,
you know, CVSS 3.0 scoring and
a high has to be remedied in 30 days.
That's hard to do on a re you know, and repeat that.
So knowing that ahead of time, get your teams ready, having a few practice months.
Looking at your DNSSEC, making sure it has all those parameters in there that
you don't wait till the last minute because sometimes that can take months to
(40:23):
deploy and that's an item that you have to have in place in order to proceed.
So there's these gates in place.
So, yeah.
Tim Winkler (40:30):
Yeah, really helpful.
Sarah, anything thatyou would add to that?
Sara Mazer (40:33):
Oh, absolutely.
I have a lot of advice is the first thing I'd advise on is finding an
advisor, somebody who has before maybe a fractional CTO, somebody out there
that's just a mentor, somebody that you can ask questions to, there's
a lot of changes that are going on right now in the FedRAMP office.
The OMB wrote a draft memo on October 23 and they just updated it for,
(40:59):
um, I think on the 26th of July for changes to the FedRAMP program, one
of which is removing the JAB, which is the DOD side of authorization.
So, what that means is, The FedRAMP office is a little bit overwhelmed right now.
So it is possible to get FedRAMP authorized, but it's
going to take even longer.
(41:20):
So just finding somebody who's kind of connected to that world to be able to
figure out how to take advantage of the situation or get to the front of the line
or get advice on how to work with the PMO is really critical, but then there's
like internal advice that I have as well.
Which just you need to learn how to set the appropriate expectations
(41:44):
with your own executive leadership and board that can cause a lot of
friction if everybody's not aligned.
And there's always friction between sales and engineering or security, but
it just seems to increase when you're talking FedRAMP and there's a lot
of money that's been invested and at stake and you've got customers waiting.
(42:05):
So learning how to set those expectations and that's where an
advisor could potentially help.
Um, that's really going to get you going like out of the gate really
well, uh, in a good position.
But then also looking at the market fit of your product, like, do
you even really want to do that?
Do you want to target civilian agencies over DOD?
(42:27):
Maybe FedRAMP isn't the way to go.
Maybe you want to go right to DOD and do something that's more on prem
and focus on their impact level, uh,accreditations instead of FedRAMP.
There's a lot of pros and cons, and that's what we talk a lot about internally, as
well as the Federal Cloud Advisory Board.
(42:47):
Um, not everybody is, uh, seeing ROI on FedRAMP, to be honest.
Don't assume that if you build it, people will come.
There are people, if you go on the marketplace and you see they're
in FedRAMP ready stage, they've been there a while and they have
not found a sponsoring agency.
And with the removal of the JAB, now you really do need an agency sponsor.
(43:10):
And a lot of agencies are being asked to sponsor and they're
kind of overwhelmed as well.
And it's much harder to find a sponsor.
So you need to make sure that you've really got that down.
And you found a sponsor.
You're pretty sure you're going to get a sponsor before you think about investing
such a huge amount of money into.
Yeah,
Tim Winkler (43:30):
it's really sound feedback.
And I love the, like the fractional, you know, CTO concept, you know, a lot of
the listeners from our community are.
Startups are, you know, very small businesses, right?
Where, you know, it costs is everything in a lot of ways.
And the idea of biting off more than you can chew before, uh, really getting
a good picture and make it a little bit more of an investment up front
(43:52):
with a fractional CTO to give you some, some guidance and advisor or
some sort of a mentor in that space.
I think that's, that's fantastic.
Uh, fantastic idea and great feedback for a company that's either short on a
runway or what have you, when it comes to.
You know, expenses.
So, um, Yeah, really, really great intel.
(44:13):
All right.
Well, I think, uh, that kind of, uh, puts a wrap on, on the main discussion.
So we're going to pivot to our final segment, uh, the five second scramble.
Uh, we're just going to do a little bit of a rapid fire Q and a, um, some
business, some, some personal, not, we're not getting too personal here.
Uh, Mikey, why don't you lead us off with Nick and then I will, uh, get to Sarah.
(44:37):
Sounds good.
Mike Gruen (44:37):
All right.
And also, these questions are going to be different for both of you.
So, Sarah, don't bother.
I mean, some of them might might repeat,but no, no, no need to take notes.
All right, so here we go.
What's the most commonmisconception about FedRAMP?
Nick Rundaug (44:56):
Common
misconception about FedRAMP?
Um, I think It would probably be on, uh, sponsors and, uh, kind of a lot to
what Sarah just said, but, um, that if you build it, that you'll, they'll come.
Um, finding a sponsor is one of the hardest things
(45:17):
that, that CSP seem to have.
And, um, luckily there has been a little bit of traction of FedRAMP is coming
up with, uh, kind of a JAB replacement as well as DOD on their own, and, uh,
Issued a memo where there's a FedRAMP equivalency for contractors, um, so
that they can, uh, go that route if they don't have a sponsor, but their,
(45:38):
their products being used by actual, you know, contractor to subcontractor.
So, we just, we've been hearing a lot,really 2023, 2024, trouble finding
sponsors, like Sarah was saying, I think a lot of the sponsors out
there, they're kind of at the limit.
And FedRAMP kind of needs to address that because you have a bunch of kind of
a top five, in my opinion, of sponsors, and they got a lot that they sponsor.
(46:01):
So that's a lot of checkins they have to do.
And I think they're a little overwhelmed.
So I think the 1 of big misconceptions is that it is easy to find it
if your product is that good.
And that's not always the case.
Sometimes it's first to market.
Mike Gruen (46:12):
Uh, what's your favorite
type of, uh, CSP to work with?
Ooh,
Nick Rundaug (46:18):
man.
Um, I've actually worked with quite a bit of, yeah, the, the
ones that upload evidence early.
How about that?
Tim Winkler (46:27):
I
Nick Rundaug (46:28):
love it.
But, but, but yeah, but yeah, Sarah, they, um, if we can get onsite and, uh,
or onsite, uh, we start our interview portion, which is like the, kind of
the main, main portion we're going through all those 18 control families.
And we have, I mean, I'll say even approach it 70%.
I'd love a hundred percent centers.
Those are my favorite ones.
Cause we will finish likely on time and, uh, everyone will be happy.
(46:52):
So, uh,
Mike Gruen (46:54):
what's the best piece
of advice you've ever been given?
Nick Rundaug (46:59):
Oh, man.
Um, Uh, a quote from Bruce Lee and, and it was, uh, to hell with opportunity.
I create my own opportunity, um, to, to just essentially to just
go in and do it yourself, right?
Like go in, like open a NIST special pub, read the whole thing,
go and figure it out yourself.
Don't, you don't have to rely on other people to give you that answer.
(47:21):
Answers are out there.
Uh, experience is out there.
Everything's out there.
Just go find it,
Mike Gruen (47:26):
you know?
Awesome.
Uh, what problems is Shellman solving?
Uh, we
Nick Rundaug (47:34):
single single
source for all assessments.
Uh, really, uh, trying, trying to make it easier for folks to
just reduce that audit fatigue.
I hear it all the time.
Right?
We're constantly in assessments that we can.
We can make it and work with you to make it to submit 1 piece of
evidence, and we can look at it for all your different frameworks.
(47:55):
That's that's where a lot of that value comes in along with, um.
You know, same people that just same faces every year.
Mike Gruen (48:01):
Uh, favorite company value,
uh, say what's your favorite company value, like value that we have.
Yeah.
Cultural value.
Yeah.
Nick Rundaug (48:14):
Yeah.
Yeah.
I mean, uh, I think investing in your people, like a company is it's
people that that's the product, right?
Is, um, you know, there, there is, there is always technology
before professional services.
It's the people, um, are going Glassdoor.
You'll see really high ratings for us.
And I think that's reflected like investing in the people that
they stay develop that expertise.
(48:35):
Uh, good leadership means that it flows down, down to the
assessor all the way to the top.
And, uh, uh, company reflects that, uh, what was your dream job as a kid?
Oh, man, I think I wanted to be a, a chef or a ninja, but
I don't think ninjas pay well.
Um, so, uh, uh, I, I don't cook at all, but I think that was it.
(49:00):
I think it was chef
Mike Gruen (49:01):
something with knives.
What's the large speaking of what's the largest land animal you think
you could take in a street fight?
No weapons, just bare hands
Nick Rundaug (49:14):
and I'll probably just
a dog, but man, not too big of a dog.
I see that some of those, thosepit bulls are like pure muscle.
I don't know.
I could take out pit bull, butyou know, a smallish dog, maybe
bring it back to that pairing.
Okay.
Uh, I hope I don't have to testit out, but I used to run a lot
and I remember being chased.
(49:35):
I can outrun dogs at a certain amountof distance, but they're close enough.
No way.
Mike Gruen (49:39):
Um, what's something you
love to do, but are really bad at?
Nick Rundaug (49:44):
Oh yeah.
Some of the, some of the, I love, I'm a big video gamer.
So some of the new, new games, I just can't, I can't keep up, man.
I tried that Fortnite.
That was impossible.
You have to build.
I can't build.
You know, I can, I'm a Doom Wolfenstein kind of a guy.
I
Mike Gruen (50:01):
don't build in my first person
shooter, so I wish I was better at that.
Um, I'm going to jumpahead because it's tied in.
What's the worst video game you've, uh, you've played worst?
Oh, man,
Nick Rundaug (50:13):
uh, the, uh, Superman for
Nintendo 64, anyone that knows, knows it.
It's one of the worst ones.
I still, to this day, though, I'm not a big Battletoads fan.
I think it's, it's impossible.
Um, so I'll also go with Battletoads.
All right.
Controversial.
Mike Gruen (50:29):
Last one.
Uh, what's a charity or corporate philanthropy that's near and dear to you?
Nick Rundaug (50:34):
Yeah.
Uh, I'm a, I'm a veteran.
Um, I've worked, um, with Wounded Warrior, uh, a few different times,
uh, really liked them and, uh, had a friend that, that worked
directly for them, uh, as well.
So I always give a shout out to WDP.
Awesome.
Good job.
All right.
Tim Winkler (50:52):
All right.
Great answers.
Minus the Battletoads answers.
I agree though.
It is near impossible.
Isn't it?
Like, have you ever, did you ever beat Battletoads?
No, no,
Nick Rundaug (51:02):
maybe, maybe
with a game genie, but no.
Tim Winkler (51:07):
Awesome.
Uh, all right, Sarah, are you ready?
Sure.
All right, let's do it.
Can you describe the culture at LaunchDarkly?
The
Sara Mazer (51:19):
culture is developer first.
And so that includes just supporting our own developers, but then we eat our
own dog food and we produce a product that really does support developers over
anybody else, which is pretty cool to see.
So we do things that compete with other companies out there, um,
(51:41):
say with experimentation that are geared towards more marketing.
Roles, but we're always developer first and that's just core to our philosophy.
And we try to make our own lives better.
And then by doing that, we make our customers lives better.
Tim Winkler (51:57):
So what kind of
technologist thrives at LaunchDarkly?
Sara Mazer (52:04):
I think people
that really care about the user
experience for our product.
So it's not just writing cool features, but actually seeing the excitement from
our customers and getting that feedback and going back again, if we make a mistake
and making sure that we get it right.
(52:24):
And so the whole feedback loop and hearing and celebrating success.
So we've got a lot of internal feeds where we have somebody, you know, It has a good
comment out there on Twitter about LaunchDarkly or on our own support channel.
We celebrate that internally.
Tim Winkler (52:41):
What kind of tech roles
are you all usually hiring for?
Sara Mazer (52:47):
So there's many different
tech roles from on the presale
side, solutions engineering to professional services to engineering.
Um, I know we've had a couple of roles open for reliability engineers in past.
Just, um, making sure that our customers have the best experience at all times.
(53:10):
And platform engineers.
So typical SaaS organization type growth.
Tim Winkler (53:17):
What's an area of
GovTech modernization that you're most
excited to see in the next five years?
Sara Mazer (53:27):
I'm excited to see where
AI takes government and technology.
So we're already seeing some people pilot AI within the government agencies.
We're building features in our product to help people use AI, um, and kind
of feature test or switch between different types of AI models or prompts.
(53:49):
And I think that's really taking off and it's gonna help the government
agencies in so many ways, just write code faster, do things with less people.
Um, and it's gonna be an exciting, you know, five years.
Tim Winkler (54:04):
Can you describe
your morning routine?
Sara Mazer (54:08):
Oh, um, morning routine.
I get woken up by my dogs and have to take them out and go for a walk, usually
a mile around the block because it takes forever for my one dog to decide
to go to the bathroom and then, uh, get back in and eat breakfast and then
get online and get ready for the day.
(54:29):
Um, and then I do a series of meetings with, um, Talking to customers about
potentially using LaunchDarkly or solving heart problems or talking about FedRAMP,
trying to decide where we're going.
Going from here, um, talking about veteran pie as an example and
working with DoD organizations and how are we going to do that?
(54:51):
So, um, it takes me through the evening and then I chill out watching
some YouTube before I go to bed.
Tim Winkler (54:58):
Nice.
How do you handle, uh, your dogs whenthey get into a street fight with Nick?
Um, uh, moving on.
What is your favorite app on your phone?
Sara Mazer (55:13):
It's got to
be YouTube or TikTok.
I admit that, like, you know, if I'm, if I have some downtime, even five
minutes, I'm like scrolling through TikTok, seeing what's, what's happening.
I, I heard Mike's question about the, the thing that you'd love to do, but
you really are horrible at, for me, it's like TikTok dances, like a breakdance
(55:38):
through way back in the eighties.
And like, I, my, my brain thinks that I can do that, but yeah,
Tim Winkler (55:47):
some of those
dances are super impressive.
Um, what's a charity or a corporate philanthropy that's near and dear to you?
Sara Mazer (55:55):
Yeah, there's one
is speaking of dogs and pets.
There's one in Gaithersburg, Maryland.
It's called house with a heart.
And it's for senior dogs, and so it's a woman who has like tons and tons of little
dogs and in her home and people come and volunteer, send her donations, and they're
all very senior dogs, last stages of their lives, but it's just heartwarming to see
(56:21):
that there are people like that out here on the planet that have such a heart to
take care of dogs and need like that.
Tim Winkler (56:28):
Very cool.
If you could have dinner with any celebrity past or
present, who would it be with?
Sara Mazer (56:38):
Uh, I think
probably Oprah comes to mind.
I just think she might be fun to hang out with and certainly has met
so many interesting people and I could chill out on her fancy yacht.
Tim Winkler (56:55):
Good answer.
What is the worst fashion trend that you've ever followed?
Sara Mazer (57:03):
Oh man, there's been so many.
I think I used to, I used to be a big Madonna lover back in the 80s.
Now you guys know how old I am, but I used to dress like Madonna with the
gloves, the lace gloves and all the beads around my neck and everything.
I don't think there's that many pictures of me like that.
Thank goodness.
But yeah,
Mike Gruen (57:24):
pre pre TikTok.
It's it works out.
Yeah.
Tim Winkler (57:30):
Uh, all right.
Last one.
What is one thing that is still on your bucket list?
Sara Mazer (57:37):
Oh, I want, um, I want
to go to Svalbard, which is one of
the islands, um, north of Norway that just seems so cool to me.
It's like they have, um, polar winter and like, During the winter,
there's no sun for months, and then in the summertime, it's just constant
(57:58):
sun and beautiful landscapes, and so I want to go there someday.
It's on my bucket list.
Yeah.
S P A L B A R D.
Tim Winkler (58:10):
Oh, very cool.
Yeah.
I have a friend that went to Norway and some of the pictures were just incredible.
Um, cool.
All right.
That is a wrap.
That wasn't too difficult.
Was it?
But quick, quick and easy.
Thank you both so much for joining us.
Uh, you both been really fantastic guests and sharing your knowledge
and the, uh, the FedRAMP space.
(58:31):
I'm sure it's going to be very helpful for, for any of those software
companies out there looking to work with the, with the government.
So thank you both for joining us on the pod.