Feb 19 2026
Security

Security as a Service Enhances Federal Cybersecurity and Improves Scalability

Facing rising cyberattacks and talent gaps, agencies turn to FedRAMP-authorized services to strengthen defenses, scale quickly, cut costs and tighten contracts.

When cyberattacks on the U.S. government spiked during the federal shutdown, some agencies were targeted more than others. What about those that had adopted Security as a Service (SECaaS) solutions to supplement their in-house capabilities? In their case, they had reason to be thankful: Furloughs wouldn’t necessarily affect their ability to ward off threats.

The U.S. Navy, for example, uses Amazon Web Services tools such as GuardDuty and Security Hub for threat detection, anomaly identification and malware protection — and to meet the stipulations outlined in the Defense Department Cloud Computing Security Requirements Guide.

Similarly, at the Department of Veterans Affairs, the joint VA-DoD Identity Repository relies on AWS GovCloud for security monitoring and compliance, and the Departments of Energy, Justice and Homeland Security all leverage security services through Microsoft’s Azure Government.

The FedRAMP-authorized platforms allow agencies to modernize their security strategies while maintaining strict data-protection standards. They also make it easy to scale their security postures without major technology investments.

“With Security as a Service, you’re outsourcing cybersecurity to a cloud service provider,” says Hasan Yasar, technical director of the Continuous Deployment of Capability group at the Carnegie Mellon University Software Engineering Institute. “It allows you to reduce the infrastructure and expertise you would otherwise need to have on-prem.”

While SECaaS certainly isn’t new, the shutdown combined with recent government downsizing has put it on the radar for agencies that may be looking to do more with less.

The FedRAMP SECaaS Market

SECaaS is a “comprehensive security solution” and a “valuable option for agencies looking to enhance their security posture while reducing operational overhead,” the General Services Administration reports. GSA adds that SECaaS solutions can be agency-specific and include services ranging from email security and encryption to identity management and disaster recovery.

John Pescatore, director of emerging security trends at the SANS Institute, recalls doing research on SECaaS in the early 2000s when he worked as a security analyst at Gartner. “Private industry adopted this model as an option a long time ago,” he says. “And a lot like everything in cloud-based computing, the government eventually followed.”

Today, federal agencies can pick from a long list of SECaaS offerings authorized through FedRAMP.

“The key is to first really understand your agency’s IT architecture,” Pescatore says. “Then you can choose services at the appropriate impact level for the data being handled.”

Low-impact solutions, for example, are suitable in cases “where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals,” FedRAMP says.

Moderate-impact offerings are those that would result in “serious adverse events” if data were lost or unavailable, while high-impact services are appropriate for emergency, financial and other federal systems where data compromise would have a “severe or catastrophic adverse effect.”

Pescatore says it’s also important to distinguish between two broad classes of Security as a Service offerings: network-based SECaaS, where the security controls live in the cloud service provider’s network and the provider acts as a proxy between user devices and the internet, and cloud-based or application-based SECaaS, where security is delivered through software hosted in the CSP’s cloud but integrated into the user’s own systems.

“The choice is whether to route all of your traffic through that FedRAMP-authorized service, or instead to require that software be installed on everybody’s device that will then communicate with that service,” he says.

The SECaaS Contract

Yasar agrees with Pescatore that agencies should do their homework before deciding to go with any SECaaS offering.

“First of all, you have to define what your objectives are,” he says. “Are you trying to protect your data, your infrastructure and your property? Once you know the protections you actually need, then you can consider the potential solutions on the market.”

It’s also important to weigh the advantages of going the SECaaS route against the possible drawbacks. Agencies that rely on SECaaS often reduce their overall security costs, for example, and they typically benefit from cutting-edge tools designed to address emerging cyberthreats. At the same time, agencies should take care when finalizing their SECaaS contracts.

“Just because something is ‘security software’ doesn’t mean it’s secure software,” Yasar says. “It’s the same thing with SECaaS: It’s up to you to make sure that the solution you’re getting has everything you need and is really secure.”

Former CIA CISO Robert Bigman says that just because a service is listed in FedRAMP doesn’t mean it’s the right fit for a specific agency.

“Proceed with caution,” he says. “FedRAMP authorization is a good first step, but remember that the devil is in the details.” He recommends determining total cost of operation for on-prem ownership for any security products, then carefully comparing that figure with the costs associated with various SECaaS offerings.

If a service solution seems financially beneficial, it should then fall to the agency’s CISO (or their representatives) to ensure that any contracts spell out exactly what the organization expects.

“It can’t just be your CFO who’s involved; it has to be someone who knows what you already have and the specific settings you want the CSP to use,” Bigman says. In his experience consulting with organizations in the financial sector, the companies that got the most out of their SECaaS deployments were those that weren’t afraid to be demanding. “They dictated the measures of performance and they documented everything,” he says.

SECaaS Is a “Necessity”

Larry Hughes, vice president of research and development at the Cloud Security Alliance, says that improving an organization’s cybersecurity performance is what SECaaS is all about. Especially as federal IT employees are furloughed or choose to leave government for jobs in the private sector, such services are increasingly becoming a “necessity” for agencies, he says.

With SECaaS, historically manual tasks such as real-time monitoring of networks and systems to detect and respond to security threats suddenly become much more manageable. “The CSPs are experts at this, and they can do it at scale and be highly cost-effective,” Hughes says.

Previously a security-compliance consultant, Hughes has more than a decade of experience helping companies in the private sector understand and meet federal government security requirements. SECaaS providers are constantly updating their offerings as the threat landscape evolves, and he points to a variety of technologies when asked to predict the future of the FedRAMP marketplace.

“Artificial intelligence and zero trust are obviously becoming more important, and I think that developments in quantum-resistant cryptography aren’t far behind,” Hughes says.

His advice to federal agencies aligns with that of other security experts: SECaaS “isn’t the answer to everything,” but it can be a tool in the federal cybersecurity kit.

Illustration by Sara Gironi Carnevale