Here is one example of waste: FedRAMP certified software often costs 2-10x equivalent non-certified software. That means the government is paying a lot more than anyone else for the same thing.
Why? Well, part of it is because getting and keeping that certification is itself expensive. There are expensive audits that take up a lot of time and generally require paying specialized consultants to get through. All of your cryptography needs to be done using expensive FIPS-certified "modules". There are requirements about the hardware you run on. All of your vendors also need to be FedRAMP approved. The requirements often add a lot of friction to normal operations and slow things down. In many cases it is easier and cheaper to run/build an entirely separate product for FedRAMP, possibly in a separate data center, which adds a lot of cost. And to be honest, a lot of the requirements are mostly security theater.
But another reason is just that the government is willing to pay that high premium for a stamp of approval.
To be fair, it is warranted for the government to have some assurance of the security and quality of the software they use, especially if the software is used for more sensitive purposes. But the certification process is overkill for many places software is used, and I think that if some effort was put into streamlining the process, the cost could be brought down.