Dispel.com is a cybersecurity company offering a zero-trust platform for secure remote access to operational technology (OT), IT, and cyber-physical systems (CPS). Their platform focuses on protecting critical infrastructure by ensuring secure access for remote users and devices, integrating features like identity and access management, moving target defense, and OT DMZ unification.
As the Technical Product Manager at Dispel, I was responsible for leading our FedRAMP High qualification project, a critical initiative that would enable our cybersecurity platform to serve federal agencies with high-security requirements. This involved managing over 900 NIST controls, coordinating with multiple teams, and ensuring our platform met the stringent security standards required for FedRAMP High certification.
My primary responsibility was to analyze all FedRAMP High controls, identify gaps in our current system, and create a comprehensive roadmap for achieving compliance. This involved reviewing our existing policies, technical infrastructure, and AWS GovCloud architecture, followed by the development and implementation of necessary changes that maintained our platform’s core functionality and user experience.
I began by conducting a thorough analysis of all FedRAMP NIST controls, creating a detailed matrix that mapped our current capabilities against requirements. Working closely with policy owners, I drafted revisions to company policies where needed, ensuring they aligned with FedRAMP requirements while remaining practical for our operations. For instance, I enhanced our access control policies to implement separation of duties and least privilege access patterns that met federal standards.
On the technical side, I translated compliance requirements into actionable engineering tasks. Using Jira, I created detailed user stories that broke down complex security controls into manageable development tasks. For new security features that required user interaction, I designed intuitive workflows in Figma that struck a balance between security requirements and usability. One significant example was redesigning our multi-factor authentication flow to support PIV/CAC cards while maintaining a smooth user experience.
The AWS GovCloud architecture required substantial modifications to meet FedRAMP High standards. I collaborated with our cloud architects to design and implement enhancements, including improved encryption at rest, more robust backup systems, and enhanced disaster recovery capabilities. This included implementing cross-region replication for critical data and establishing stricter network segmentation.
Throughout the project, I maintained detailed documentation of our compliance evidence. This involved capturing screenshots, logs, and configuration settings that demonstrated our adherence to each control. I created a structured repository of evidence, making it easily accessible for our eventual audit.
The systematic approach to this project yielded significant outcomes. We successfully identified all required controls within our twelve-month timeline, with all technical stories created in Jira and half of the control-family process documents completed and reviewed. The evidence collection process was so thorough that we passed our initial audit of our policy documentation with only minor findings, significantly faster than the industry average for FedRAMP High certification.
Key achievements included implementing over 40 new security features in our platform, updating 15 major company policies, and redesigning our AWS GovCloud architecture to meet the FedRAMP High security standards. The project opened up new market opportunities, allowing Dispel to serve agencies with stringent security requirements and positioning us as a leader in secure remote access solutions for government clients.
The most valuable lesson from this project was the importance of striking a balance between security requirements and usability. Rather than simply implementing controls as checklist items, we found ways to enhance our platform’s security while maintaining, and in some cases improving, the user experience. This approach not only satisfied FedRAMP requirements but also created a better product for all our customers.
This experience strengthened my skills in technical product management, particularly in navigating complex compliance requirements while maintaining focus on user needs and business objectives. The project’s success demonstrated my ability to coordinate cross-functional teams, manage complex technical requirements, and deliver results in a highly regulated environment.