August 11, 2022
Steve Carter

Nucleus x FedRAMP: Our Full-Circle Journey in Federal Security

Here at Nucleus, federal security is woven deep into the DNA of who we are and the problems that we solve. 

That may come as a surprise to those who have watched Nucleus closely over the last couple of years, as we helped enterprise organizations from financial services to technology solve the complexities of vulnerability management.  

But, before we were helping enterprise organizations get their arms around the challenges of vulnerability management, we had spent many years in the trenches helping large federal agencies streamline, prioritize, and remediate their vulnerabilities. In fact, our initial funding and inception came out of a call from one of the U.S.’s largest federal agencies looking for innovative cybersecurity ideas. 

That’s why, when Nucleus recently achieved FedRAMP “in process” status with sponsorship by the Centers for Medicare and Medicaid Services (CMS), one of the most innovative and forward-leaning civilian agencies in the U.S. federal government, it truly was a full-circle moment for us in the continuation of our work in the federal security space.

The Nucleus of Nucleus 

Over two years before Nucleus officially launched in December of 2018, a large U.S. federal agency put out a call to cybersecurity professionals for innovative ideas that would transform federal security. At the time, I was working for Rampant Technologies, a managed security services provider that I founded in 2015 with my long-time colleague, Mike Nixon. We had spent the last decade supporting vulnerability management programs and teams within different federal agencies and had seen time and time again the repeated issues these agencies faced when it came to aggregating and normalizing vulnerability scan results. 

We knew that vulnerability management presented a real set of problems still in need of technical solutions, so we decided to submit a whitepaper that shined a light on the agency’s inability to streamline and prioritize their vulnerability scan results in a way that was automated, focused on the need for clear communication and collaboration on vulnerability triage and remediation activities, and made sure that vulnerability information was accessible by only those who needed it. Soon after, we landed a one-year research and development contract to build a proof-of-concept that would solve some of the core vulnerability management challenges that the agency was facing… and that’s where Nucleus was born. 

Our Journey from Federal to Private Sector 

As much as Nucleus was built to meet the challenges and security requirements of top U.S. federal agencies, we also realized early on that it would take growth and experience before we could begin selling an enterprise platform to large federal agencies… that simply doesn’t happen as a new small business. However, it was evident early on that large enterprises in the private sector were facing most of the same vulnerability challenges as those in federal, and that’s where Nucleus quickly developed a strong market fit selling to large commercial organizations.

In 2020, we raised our Series-A round of funding, fueled in part by the understanding that the investment would be necessary to successfully execute federal go-to-market strategy, and soon after we were accepted into Dcode’s technology accelerator program — a program designed to help successful startups bring new technology products to the federal market. From there, the hard work and perseverance began. 

Going Head-to-Head with the FedRAMP Approval Process 

Anyone with experience entering the federal market will tell you that it takes at least two years to develop any significant traction, and they aren’t lying. We were fortunate, however: less than nine months after starting the Dcode program, Nucleus had some significant wins, including a Small Business Innovation Research (SBIR) contract and a federal agency sponsorship from the Centers for Medicare and Medicaid Services (CMS) for FedRAMP — a process that takes thousands of man-hours across months and months of time and over $1 million to achieve.

Because of the significant investment of funds, man-hours, blood, sweat, and tears, few small businesses actually take on the long and rigorous FedRAMP process. Of the roughly 300 SaaS vendors that have achieved FedRAMP authorization, most are Fortune 500 or Global 2000 organizations. For perspective, when Nucleus began the process in November 2021, we were at just 30 employees.

Needless to say, as a small business, pulling the trigger on the FedRAMP authorization process was our largest and most complex investment into our business so far… and we’re not at the finish line just yet. Obtaining full FedRAMP authorization will likely require another eight months, but we firmly believe that we are uniquely qualified to revolutionize vulnerability management for the federal government for many reasons, including decades helping large U.S. federal agencies and enterprises build programs and tools to help solve their vulnerability management challenges. 

Over the years, we have built out support for co-managed deployments to federal agency hardware and private cloud environments, and many of our team have obtained the clearances and accesses necessary to support even the most sensitive federal government systems. 

We are out to revolutionize and improve the way that federal agencies approach and remediate vulnerabilities, and our path to FedRAMP approval is just step one towards achieving this full-circle federal security journey. 

Want to learn more about our vulnerability management capabilities for both civilian enterprise organizations and future federal agencies? Click here to schedule a call with our team.