Why the U.S. needs ready access to cyber innovation
Cyberthreats are increasing and the U.S. needs to empower more private companies to provide solutions.
By David Phelps
For decades, the United States has been widely recognized as the most sophisticated nation in terms of cybersecurity, holding titles such as top cyber power and the most cyber-capable nation in the world. However, in recent years countries like China and Russia have been leapfrogging up these lists, thanks in part to rapid access to cyber innovation, and they pose a credible threat of surpassing our capabilities in the very near future.
It is also clear from the onslaught of cyberattacks—many of which are successful—that our security posture and resilience have room for improvement if we’re going to keep our governments, critical infrastructure, and private sector safe from threats. The reasons behind these shortcomings must be acknowledged, studied, and addressed. Otherwise we risk falling behind and allowing adversaries to gain the upper hand.
Access and adoption challenges
The most understated challenge the U.S. faces on the cybersecurity front is not a lack of innovation and technical capability. Rather, it is a lack of access to and adoption of such innovation and capability. Because of the highly sensitive data and national secrets various departments are responsible for, government organizations require a higher-than-normal degree of confidence in the cybersecurity solutions they rely on. But this also slows the process of identifying and adopting the latest technologies.
In past decades, when the best cyber innovations originated within the U.S. government, it was much easier to adopt and spread those innovations to other departments. Today, however, the bulk of advanced cybersecurity innovations are developed by commercial companies, with a more difficult path to government agency adoption. Case in point: There are literally thousands of available software-as-a-service (SaaS) offerings that could be making a meaningful impact in the U.S. government, and yet only around 300 have been authorized for U.S. government use.
The federal government is the largest cybersecurity market in the world. In 2024, the U.S. federal government proposes spending $74 billion on IT for civilian agencies alone. In 2022, the Department of Defense awarded an up-to $9 billion contract for cloud-based solutions, to run through 2028. Despite this, cybersecurity companies are reluctant to bring their solutions to the government and other regulated markets because of the notoriously complex and expensive process. The government evaluation criteria and requirements also generally favor incumbents, which can deter early-stage companies from trying to compete, even if they have superior offerings.
FedRAMP (Federal Risk and Authorization Management Program) is often one of the first hurdles cyber companies must overcome before they can sell to the federal government. Achieving FedRAMP authorization can cost upwards of $2 million and take more than two years. This is a significant investment not just of capital, but also of precious personnel and other resources, which are scarce for many companies. This commitment also comes with no guaranteed return—it only enables companies to begin to try and sell their solutions to the government.
After FedRAMP authorization, these companies still need to position themselves in the market, track competitors, shape RFPs, and hire and train sales and marketing teams to support government market expansion.
How to reduce friction in the FedRAMP process
To address these challenges and pave the way for faster, seamless adoption of the latest cyber innovations by government agencies, the entire ecosystem must break down existing silos. For example, venture capitalists (VCs) need to get more involved with their portfolio companies and provide guidance on early decisions that would help grease the wheels toward StateRAMP or FedRAMP authorization down the road.
This doesn’t mean VCs need to steer their portfolio companies only down a path of selling into the government while ignoring commercial sales. But without this guidance, promising startups could unknowingly make product development decisions that will ultimately shut them out of government sales as well as other large, heavily regulated industries with similar requirements.
Not only does this reduce a startup’s market growth opportunities, but the government misses out on those innovative solutions. VCs can also advise their portfolio companies on routes to the federal government, such as potentially first pursuing StateRAMP authorization. It is faster and less expensive to sell into state and local government agencies before moving into federal.
Improve the FedRAMP process
The FedRAMP process itself also must be improved. To some extent this is already underway. FedRAMP authorization is being entrusted more to third-party commercial entities with government oversight, rather than being managed entirely by the government. Currently, one of the most common ways cyber vendors can achieve FedRAMP authorization is when a government agency identifies their solution as one it wants to adopt and then serves as a sponsor to help achieve this authorization. However, securing a government sponsor is one of the biggest hurdles to overcome—and even if this is achieved, it’s still an incredibly time-intensive process.
Allowing third parties to assist with FedRAMP certification will significantly help speed up the process, reduce friction and frustrations for government agencies as well as the vendors, and ensure that more innovative tools can get approved. These third parties know the types of solutions government agencies need, and can help identify new and innovative technologies, whether they’re offered by startups or tech giants.
All players in the ecosystem must fully embrace public-private partnership to make more cyber innovations more quickly accessible to the U.S. government. This includes government agencies, vendors (large, established companies as well as small startups), VCs, and third-party partners/distributors. This is imperative to help the U.S. maintain its cyber leadership position and keep government agencies, systems, and data safe.
David Phelps is chairman and CEO of Merlin.