How to know if your SaaS product is ready for defense use

Dylan Sims

07.01.2022

Software as a Service (SaaS) offerings provide boundless opportunities to scale with demand, offer competitive pricing, and simplify the user experience. While the private sector has fully embraced the use of SaaS, public sector adoption has been slow. When FedRAMP launched in 2011, it opened a new pathway for businesses to offer SaaS products to the federal government. Over time the process has improved and there are now 250 unique offerings in the FedRAMP marketplace as well as others available through alternative accreditation pathways.

But how do you know if your product is ready for defense use?

Ask yourself, “What problem does my software solve?” Now consider whether that problem also exists within defense missions. Defense organizations have many of the same business functions that commercial companies do, and they also contain subsets of whole industries such as healthcare, aviation, and software development. Military installations can even be compared to small cities, complete with grocery stores, gas stations, restaurants, and hospitals. Chances are that your product could solve the same problem it solves today within the Department of Defense (DoD).

Products that are applicable to both public and private sectors are known as “dual-use”. One example of such a product is “SkySchedule,” built by OpsLab. OpsLab’s commercial software helps airline companies quickly resolve irregular operations scheduling challenges around aircraft, crew, and work shift management. Identifying a similar need in the defense space, the product was adapted to improve squadron operations, mission planning, and airspace management for flying units within the U.S. Air Force.

To help prepare your SaaS application to launch in the defense market, let’s take a look at different methods of engaging with the government, the requirements for software accreditation, and some software architecture recommendations that will save you time and money in the long run.

Government Engagement

There are several pathways to doing business with the government, such as partnering with a prime contract holder or reseller, searching for opportunities on sam.gov, or pursuing the SBIR program. Let’s take a look at a few of the most popular options for commercial and dual-use tech companies.

– Defense Innovation Unit (DIU) Other Transaction Authority (OTA)-based Commercial Solutions Opening (CSO)

DIU solicits commercial tech solutions to DoD problems relating to cyber, artificial intelligence, energy, human systems, and space. OTAs “allow for successful prototypes to transition into large volume defense contracts.”

Learn more at https://www.diu.mil/work-with-us/commercial

– Small Business Innovation Research & Small Business Technology Transfer (SBIR/STTR)

“Through a competitive awards-based program, SBIR and STTR enable small businesses to explore their technological potential and provide the incentive to profit from its commercialization.” SBIR Phase I is ideal for early-stage research and development (R&D) efforts and market research. If you already have a working prototype, consider seeking Direct to Phase II opportunities.

Available opportunities can be found at https://www.sbir.gov/sbirsearch/topic/current

Receiving a contract award is often the first step towards working with DoD, and over time it can provide your business a lucrative and stable revenue stream.

Software Accreditation

Achieving an Authority to Operate (ATO) is a necessary hurdle for software products used in defense. For SaaS platforms, this step can include migrating your application into a customer environment, adding cybersecurity and compliance experts to your team, demonstrating compliance with the DoD Cloud Computing Security Requirements Guide (CC-SRG), and paying for third-party cybersecurity assessments.

Your first government sponsor will help you home in on your product’s target audience and their unique accreditation requirements. One of the first questions you’ll need to ask is “what classification of data will my application need to process?” Secret and Top Secret data will limit your hosting options, and even within the unclassified category the CC-SRG defines separate impact levels (IL2, IL4, and IL5) that each carry their own requirements for hosting, network isolation, and personnel.

SaaS Application Preparedness

Here are three tips that will save you time and complexity when it comes time to host your SaaS application in a DoD production environment. This architecture will not fit every platform or government customer, but it is broadly applicable for companies looking to ease their transition into the government market.

1. Containerize it

Per DevOpsDigest, “(Containers) are lightweight software components that bundle an application—including its dependencies and its configuration—in a single image, offering IT organizations a dedicated space to build, test, and deploy new applications… Gartner predicts that by 2022, more than 75% of global organizations will be running containerized applications in production, up from less than 30% today.”

Packaging the components or microservices of your application into container images (built with tools such as Docker or Podman) offers a myriad of benefits, including horizontal scalability, better isolation between components, a reproducible artifact that assessors can scan and sign, and reduced cost. The security benefit is not automatic: it depends on keeping images minimal, running them as non-root, and rebuilding them as base images are patched.

2. Appropriately limit external services

External services and integrations (including cloud services) are strictly limited in IL4+ production environments. Deploying required dependencies such as databases, caches, and object stores as containers alongside your application, rather than calling out to managed services, will reduce complexity when it comes time to deploy your app and give you more control over configuration.

An example of this would be replacing a Postgres RDS cluster with a local deployment of Postgres within a container. Keep in mind that you then inherit the work the managed service was doing for you: backups, patching, encryption at rest, and high availability all become part of your deployment and your ATO package.

If your SaaS product is cloud-based, research the services available in your anticipated production environments early in the process to discover any incompatible dependencies such as:

3. Make it cloud agnostic

Cloud agnostic means that your application can run anywhere regardless of cloud service provider or underlying infrastructure. That could mean running your application on a cloud-hosted virtual machine or on a Dell server on-premises.

Kubernetes has grown in popularity largely because of this portability. It runs on AWS, Azure, GCP, and on-premises hardware, balancing standardization of your platform with the flexibility to move workloads more easily. That portability only holds if you avoid provider-specific hooks: cloud-specific storage classes, load balancer annotations, and cloud IAM bindings on service accounts will all need a substitute in an enclave or on-premises cluster.

Some DoD customers may levy specific hosting requirements on software vendors. You may need to deploy the application at your customer’s site or use a predetermined cloud provider. By designing a cloud (or vendor) agnostic SaaS application, you’ll be able to support a wide range of DoD customers.
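The dependency review recommended under tips 2 and 3 can be automated early. The following is an added example (not code from the original post or from OpsLab) that scans a .env-style configuration for hostnames belonging to cloud-provider managed services, the kind of external dependency that will not be reachable from an IL4+ enclave or an on-premises deployment. The suffix list, the environment files, and the hostnames in them are constructed for illustration; the second file shows the same application pointed at sibling containers instead.

```python
"""Pre-flight scan for cloud-provider-managed dependencies.

Added example, not code from the original post. It reads a .env-style
KEY=VALUE configuration and flags any value whose hostname belongs to a
managed cloud service, which is unlikely to be reachable from an IL4+
enclave or from an on-premises deployment. The suffix list is an assumed
starting point; extend it for the providers your product actually uses.
"""
import re
from urllib.parse import urlsplit

# Assumed map of managed-service DNS suffixes to a human-readable label.
MANAGED_SERVICE_SUFFIXES = {
    ".rds.amazonaws.com": "AWS RDS",
    ".cache.amazonaws.com": "AWS ElastiCache",
    ".s3.amazonaws.com": "AWS S3",
    ".database.windows.net": "Azure SQL",
    ".blob.core.windows.net": "Azure Blob Storage",
    ".googleapis.com": "Google Cloud API",
}

# A dotted hostname such as db.example.mil. Single-label names such as
# "postgres" (a sibling container on the same network) do not match.
_HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def extract_hosts(value):
    """Return the hostnames referenced by a config value.

    URLs (anything with a scheme) are parsed so that credentials and ports
    are not mistaken for part of the host; other values are searched for
    dotted hostnames.
    """
    if "://" in value:
        host = urlsplit(value).hostname
        return [host] if host else []
    return _HOST_RE.findall(value)


def classify_host(host):
    """Return the managed-service label for host, or None if it is not one."""
    host = host.lower().rstrip(".")
    for suffix, label in MANAGED_SERVICE_SUFFIXES.items():
        if host.endswith(suffix):
            return label
    return None


def scan_env(text):
    """Scan KEY=VALUE lines and return (key, host, label) for each managed
    dependency found, in file order. Blank lines and comments are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip("\"'")
        for host in extract_hosts(value):
            label = classify_host(host)
            if label is not None:
                findings.append((key.strip(), host, label))
    return findings


# Constructed sample: a commercial deployment leaning on AWS managed services.
COMMERCIAL_ENV = """
# production (commercial)
DATABASE_URL=postgres://app:changeme@prod-db.cluster-abc123.us-east-1.rds.amazonaws.com:5432/app
CACHE_HOST=prod-cache.abc123.use1.cache.amazonaws.com
OBJECT_STORE_URL=https://app-assets.s3.amazonaws.com
SMTP_HOST=smtp.example.mil
"""

# Constructed sample: the same application with those services deployed as
# sibling containers (postgres, redis, minio) on the application's network.
ENCLAVE_ENV = """
DATABASE_URL=postgres://app:changeme@postgres:5432/app
CACHE_HOST=redis
OBJECT_STORE_URL=http://minio:9000
SMTP_HOST=smtp.example.mil
"""


if __name__ == "__main__":
    for name, env in (("commercial", COMMERCIAL_ENV), ("enclave", ENCLAVE_ENV)):
        findings = scan_env(env)
        print(f"{name}: {len(findings)} managed dependency(ies) found")
        for key, host, label in findings:
            print(f"  {key} -> {host} ({label})")
```

Run against the commercial file the scan reports the RDS, ElastiCache, and S3 endpoints; against the enclave file it reports nothing, because every dependency now resolves to a container name on the application's own network. Wiring the same check into CI keeps a provider-specific endpoint from creeping back into a build destined for a customer site.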

Launching a dual-use product can be a daunting task. Armed with market research and knowledge of flexible contracting pathways like OTAs and SBIR/STTR, even the most entrenched commercial product can make an impact in the federal space. Familiarization with the software accreditation process will help you determine your go-to-market strategy while preparing your application for defense use.

Your success is our mission.