Zero to FedRAMP in Months

Why cybersecurity company Manifest partnered with Palantir FedStart

When cybersecurity company Manifest secured a contract with the U.S. Department of Homeland Security that required federal accreditation, it turned to Palantir.

Typically, the processes to obtain the requisite accreditation from the Federal Risk and Authorization Management Program (FedRAMP) and the Defense Information Systems Agency’s Impact Level programs are onerous and costly, often taking more than a year and requiring the hiring of outside firms, which can cost upwards of one million dollars.

Manifest, a quickly growing startup that is actively working with agencies across the U.S. Government, sought a different approach — Palantir FedStart — to cut through the red tape.

FedStart allows companies to quickly accredit their software-as-a-service (SaaS) solutions (a requirement for selling to U.S. government agencies) by running their products within Palantir’s secure and accredited environment, significantly accelerating time to value and reducing paperwork and overhead.

In this blog post, Manifest CEO Marc Frankel shares why Manifest signed up as a Palantir FedStart partner and describes the experience of joining the Palantir ecosystem.

Palantir: Tell us about your company.

CEO Marc Frankel: Manifest is a cybersecurity company focused on helping organizations and the U.S. government secure their software supply chains by providing and analyzing software bills of materials (known as SBOMs) for the products that they build and buy.

Software is essentially the only thing that’s bought without consumer insight into what’s in it. When Fortune 500s and the U.S. Government buy software, it’s often installed without transparency or further scrutiny. Software supply chain attacks like Log4Shell and Apache Struts have increased 1300% in the past few years, representing a major threat vector, and 68% of security professionals consider the software supply chain to be their biggest blind spot. In light of these massive threat vectors, the way enterprises assess the risks posed by software is beginning to change.

There’s significant legislative and regulatory pressure on vendors to comply with SBOM mandates. In the United States, there’s Executive Order 14028 and other directives, as well as the Food and Drug Administration’s new SBOM requirements for software-enabled medical devices. The European Union recently passed the Cyber Resilience Act requiring software manufacturers to provide SBOMs, and even the United Nations Economic Commission for Europe (UNECE) has UNECE R155 covering cybersecurity for the automotive industry. Similar requirements are emerging in Japan, Korea, and elsewhere.

At Manifest, we are busy building the world’s first all-in-one SBOM management platform to automate SBOM management for software manufacturers and SBOM consumption and analysis for regulators and third-party risk teams.

Palantir: Why were FedRAMP and Impact Level accreditations important?

Marc: Even though Manifest is a small company, our platform is dual-use, and the supply chain visibility tools DHS contracted us to deliver required us to be FedRAMP certified.

We see massive opportunity in the federal civilian, DoD, and defense industrial base verticals as they require SBOMs from their third parties. Being both FedRAMP certified and IL5 compliant is a key part of serving those communities.

Palantir: Why choose FedStart to become FedRAMP accredited?

Marc: Getting FedRAMP certified was not an optional thing for us — it was a hard and fast requirement in our Department of Homeland Security contract and a stipulation to work with a Fortune 500 defense contractor, so we made the decision to dedicate a meaningful percentage of our team to this undertaking.

We chose Palantir because we had confidence in the Palantir team getting us through the federal accreditation process. We wanted that “white glove treatment” we knew we would receive with its dedicated team of deltas (forward deployed software engineers) and echos (deployment strategists) that would guide us through each step of the complex process.

Palantir: What was your experience like onboarding as a FedStart partner?

Marc: The same day we signed on as a FedStart partner, we received incredibly comprehensive documentation detailing each step that would be required in the process, including which steps had already been accomplished. We also were introduced to the team that would help us get it right.

We relied on and worked incredibly closely with the FedStart team. We ended up with a contractual requirement from a defense contractor to speed up our FedRAMP certification process, so we set aggressive deadlines to get to the audit kick-off point within a few short months. There were a lot of late nights and early mornings as we ran toward getting up and running on the Palantir FedStart instance. We felt confident having committed guides alongside us.

The process calls for very close coordination. When we had to make some modifications, for example, it was only by working in close concert with one another that we were able to make adjustments seamlessly.

Palantir: What advice would you offer others considering FedStart?

Marc: Pursuing FedRAMP certification is an investment. For us at Manifest, it wasn’t optional. I knew we had to pursue it and that doing so — investing heavily in it because of its central role in our GTM strategy — would come at a cost of other investments: feature and backend development velocity, and the opportunity cost for delivering new integrations and product capabilities.

The best time to get FedRAMP certified is five years ago. The second best time to do it is today.

If your company has a validated business need — perhaps as a milestone requirement in a contract — do it as soon as you can. Don’t do this on the margins, and don’t think you can chip away yourself at the requirements over the course of a year. Just get it done.

Palantir: How has FedStart benefited your business?

Marc: Thanks to FedStart, we are now FedRAMP compliant and we’re beginning to benefit from that validation already. Some of our defense contractor customers have made FedRAMP part of vendor due diligence, and we’ve unlocked that credibility and been able to meet that need.

While we are small, our Fortune 500 and public sector customers demand that we comport ourselves with the most stringent deployment certifications.

We’re able to meet our DHS contractual security requirements and FedStart enables us to go after additional federal opportunities. Our FedRAMP accreditation, combined with a future sole source justification and industry-leading AIBOM vision, will mean that Manifest is uniquely positioned to serve USG, the defense industry, and other critical infrastructure categories.

Learn more about Palantir FedStart

To learn about becoming a Palantir FedStart partner, reach out to fedstart@palantir.com or visit our website.

Learn more about Manifest

To learn about Manifest and its SBOM and AIBOM management capabilities, reach out to info@manifestcyber.com or visit manifestcyber.com.


Zero to FedRAMP in Months was originally published in Palantir Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.