How Knox Systems helps others crack the FedRAMP bottleneck

“We are on a mission to get more cutting-edge technology into the hands of the government,” said Knox Systems CEO Irina Denisenko.

The startup secures $25M in Series A capital for its strategy to get companies authorized within 90 days.

Knox Systems has made a lot of noise since it emerged from stealth mode in May of last year.

The company closed its $6.5 million seed funding round with contributions from Felicis, Ridgeline and Firsthand VC.

Now Knox is announcing a $25 million Series A round led by B Capital. Other participants included Microsoft’s venture fund, Okta Ventures, MongoDB Ventures, Hearst Ventures and Benchstrength.

But what’s even more noteworthy is what Knox was up to between May and Wednesday: launching a FedRAMP authorization platform that helps companies get their product authorized in 90 days.

Currently, there are fewer than 500 FedRAMP-approved products and even fewer products with the Defense Information Systems Agency Impact Level approval. The FedRAMP process can cost millions and take years.

“It is a very high standard to meet, both from a cybersecurity perspective as well as a compliance perspective,” said Irina Denisenko, Knox's founder and CEO. “Plus you need to get a federal sponsor, at least one and when you ask an agency to sponsor you, the CISO or CIO of that agency is personally taking on the cyber risk of that vendor.”

Should there be a breach, it is the chief information security officer or chief information officer of that agency that goes before a House or Senate subcommittee for a dressing down. Often they get fired, she said.

Through its heritage of supporting FedRAMP authority for Adobe, Knox holds 15 FedRAMP ATOs with a 16th in the works.

Knox then opened its ATOs to commercial companies with cloud-based offerings that want to enter the federal market, but find the FedRAMP requirements too daunting to go it alone.

“I’m very excited to report that we have gotten over 20 companies FedRAMPed or in the process and listed in the next few weeks,” she said.

This includes companies such as Celonis, which provides financial data mining tools; OutSystems, a low-code/no-code development platform; and Procurement Sciences, which has contracting and business development tools.

Denisenko compared what Knox does to owning a condo complex. You buy a unit instead of going through the investment of buying property, getting building permits, hiring a builder and going through layers of inspections.

The building – in this case Knox – provides the infrastructure, security and compliance with the rules and regulations.

“We sit on all three big hyperscalers. Our customers come to us, we deploy them into a single tenant subaccount,” she said. “The key is that [their product] has to be up to the standards of FedRAMP.”

By coming into Knox’s environment, they are inheriting the security controls that Knox is running. Knox scans its environment every six hours for vulnerabilities, conducts penetration testing, does static code analysis and conducts infrastructure-as-code scanning.

“All of that culminates in an understanding of FedRAMP compliance at the code level every six hours,” she said. “What that means is we are running true continuous monitoring, and we are then ensuring that either we or our customer remediates every single one of those findings.”

Knox charges $500,000 per year for the service plus pass-through hosting costs, compared to the $3 million-plus it can cost to get FedRAMP on your own. There also are the years of effort.

“Celonis, an $800 million revenue company, had been trying to get on FedRAMP for five years before they started working with us last summer,” Denisenko said.

Knox had them on FedRAMP within 45 days.

“They actually had done all the technical work, but they just couldn’t get a sponsor,” she said.

Since getting their FedRAMP certification in August, Celonis deployed their product at five agencies.

“That’s unprecedented time to value and mission outcome,” she said. “Celonis is a big company with plenty of resources, and they told me that they estimated they invest between $7 million and $10 million before they started working with us.”

Palantir is the only company that offers a similar service and Celonis could not go to them because the two companies compete with each other.

Denisenko said that is a selling point for Knox because the company is a neutral player and does not compete with its customers.

The opportunity appears large because relatively few companies have a FedRAMP certification.

As Denisenko said, fewer than 500 applications have been approved. Compare that to the 10,000 applications available in the commercial market.

“We are on a mission to get more cutting-edge technology into the hands of the government,” she said. “And it's particularly relevant at this moment in time because obviously we've got an administration right now who is heavily leaning in on using modern technology.”