3.1 · Platform Architect · Infrastructure Strategy
Book 1 · Ch 9 · Architecture for Survivability

Build vs Buy Memo: Infrastructure Layer Decisions

Six-factor decision framework for infrastructure component choices. Factors and weighting are established. Specific vendor evaluations and recommendations populate once the platform spec is drafted and L2 customer requirements are confirmed.

3.1 · Platform Architect · artifact id: build-vs-buy-memo-v0.html · v0 · 2026-05-28
Format stub. The decision framework and six factors are established. Specific component decisions (SIEM vendor, identity provider, monitoring stack, data store technology) populate once the platform spec (platform-spec-v0) is drafted and budget constraints are confirmed.

Why this decision is survivability-critical

Ch 9 of Shrink-Wrap It names the POC Trap explicitly: "Pilots accelerate via shortcuts (commercial cloud, manual deployments, no logging, shared credentials). These shortcuts create authorization debt (12-24 weeks remediation, $150-300K)." Build-vs-buy decisions are the most common source of authorization debt. A team building a custom SIEM instead of buying a FedRAMP Moderate-authorized SIEM saves $50K in Year 1 and spends $300K in remediation during the authorization assessment.

The six factors below are weighted to surface authorization debt risk early. Cost is one factor of six, not the primary factor.

Decision framework: six factors

Factor 1: Federal compliance cost

Does the component require its own FedRAMP authorization, or can it inherit from an existing authorized product? If built custom, what is the authorization assessment cost for the component?

| Consideration | Build | Buy (FedRAMP authorized vendor) |
|---|---|---|
| Authorization path | Custom component requires NorthAI to assess and document every control it touches, including shared-responsibility controls. Assessment cost: $50-200K per major component. | FedRAMP authorized vendor inherits existing authorization. NorthAI documents the integration but does not re-assess the vendor's controls. Assessment cost: $5-20K for integration documentation. |
| ConMon obligation | NorthAI owns the ConMon burden for every custom component: scanning, patching, POA&M management. Adds 0.5-1 FTE per major custom component. | Vendor owns ConMon for their component. NorthAI's ConMon scope shrinks proportionally to the inheritance. |
| Boundary risk | Custom components are harder to scope tightly. Every feature addition potentially changes the boundary. | Vendor's boundary is fixed. NorthAI's integration point is the boundary edge. Easier to defend. |

Default posture: Buy any component that has an existing FedRAMP Moderate (or higher) authorized equivalent. Build only when no authorized equivalent exists and the capability is core to NorthAI's differentiation.

Factor 2: Cost

| Cost category | Build | Buy |
|---|---|---|
| Year 1 (acquisition + build) | Engineering time: [TBD hours x blended rate]. Infrastructure: [TBD]. Authorization debt if shortcuts taken: $150-300K remediation risk. | Vendor license: [TBD]. Integration engineering: [TBD]. No authorization debt if vendor is already authorized. |
| Year 2-5 (maintenance + ConMon) | Engineering maintenance: ~20-30% of original build cost annually. ConMon scanning and patching: 0.5 FTE equivalent. | Vendor subscription + support: [TBD]. Integration maintenance: minimal if vendor maintains backward compatibility. ConMon: vendor handles for their component. |
| Exit cost | High. Custom builds create proprietary dependencies that are expensive to replace. | Medium. Vendor lock-in is real. Budget 6-12 months migration if vendor relationship ends. |

Factor 3: Time to market

| Scenario | Build | Buy |
|---|---|---|
| Time to functional component | 4-16 weeks depending on complexity and team capacity | 1-4 weeks for integration (vendor handles build) |
| Time to authorized component | Add 12-24 weeks for 3PAO assessment if component is in boundary | Zero additional assessment time if vendor is already FedRAMP Moderate authorized |
| Impact on SKU launch | Custom build of a boundary component delays launch by the assessment cycle | Buying an authorized component does not add assessment time; may accelerate launch |

Factor 4: Customization requirement

Some components have no authorized equivalent and require custom build because the specific capability does not exist in the vendor market. This factor checks whether the customization is genuinely necessary or a preference.

| Customization need | Decision guidance |
|---|---|
| No authorized vendor equivalent exists for this capability | Build is required. Document the authorization path for the custom component before starting build. |
| Authorized vendor exists but does not support all required features | Evaluate whether the missing features are Zone 1 (core, required) or Zone 2-3 (configurable, optional). If Zone 2-3, accept the vendor's limitation and configure around it. If Zone 1, build or find a different vendor. |
| Authorized vendor exists and covers all required features | Buy. Do not build a custom version of an authorized vendor capability. Authorization debt is not worth the engineering control. |
| Preference for control over the implementation | Not a sufficient justification for building inside the authorization boundary. Control preference is worth approximately 0 when weighed against $150-300K in remediation risk. |

Factor 5: Vendor risk

| Risk dimension | Evaluation criteria |
|---|---|
| Authorization continuity | Is the vendor's FedRAMP authorization current and without outstanding findings? Check the FedRAMP marketplace for revocation history before purchase. |
| Supply chain risk | Does the vendor have supply chain risk management documentation (SCRM)? DFARS 252.239-7018 may apply if deploying in DoD environments. |
| Business continuity | Is the vendor financially stable? A vendor with FedRAMP authorization who goes out of business leaves NorthAI with an unsupported authorized component that may require emergency rebuild. |
| Contractual terms | Does the vendor's contract allow NorthAI to extract data and migrate within 30 days if the relationship ends? Data portability clause is required before any vendor selection. |

Factor 6: Exit cost

Exit cost is the cost to replace this component if NorthAI decides to change vendors (or stop using the vendor's product) within three years. High exit cost is acceptable only if the component is deeply standard and unlikely to change. High exit cost for a rapidly evolving capability (e.g., identity, observability) is a risk.

Decision matrix template

Apply the six factors to each infrastructure component under evaluation. Score each factor 1-3 for Buy and 1-3 for Build (3 = favors that option). Sum the scores. The option with the higher total is the recommendation, subject to Factor 1 (compliance) veto.

| Component | F1 Compliance / F2 Cost / F3 Time / F4 Custom need / F5 Vendor risk / F6 Exit cost | Total Buy | Total Build | Decision |
|---|---|---|---|---|
| SIEM / log aggregation | [TBD — authorized vendors exist (Splunk GovCloud, AWS Security Hub); complete after platform spec confirms boundary] | [TBD] | [TBD] | [TBD] |
| Identity provider / ICAM integration | [TBD — authorized vendors exist; complete after first customer's ICAM requirements are confirmed] | [TBD] | [TBD] | [TBD] |
| Monitoring / APM | [TBD — authorized vendors exist (Datadog GovCloud, New Relic, AWS CloudWatch); complete after platform spec] | [TBD] | [TBD] | [TBD] |
| Auth decision engine | [TBD — this is potentially core IP; build may be justified if no authorized equivalent matches NorthAI's posture model] | [TBD] | [TBD] | [TBD] |
| Vulnerability scanning | [TBD — multiple authorized scanners available (Tenable.io / Nessus, Qualys GovCloud); buy is almost certainly the right answer] | [TBD] | [TBD] | [TBD] |

Factor 1 veto rule: If a component can be bought from an existing FedRAMP Moderate authorized vendor and NorthAI is choosing to build instead, Factor 1 scores that choice as a 0 (disqualifying). The build option does not advance to the other five factors without a documented justification for why the authorized vendor is insufficient for Zone 1 (core) requirements.
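
The scoring rule and the Factor 1 veto above, sketched as an added example that is not part of the original memo. The field names, the sample scores and the tie handling are assumptions: the memo does not define a tie-break, so equal totals are reported as unresolved.

```python
from dataclasses import dataclass

FACTORS = ("compliance", "cost", "time", "custom_need", "vendor_risk", "exit_cost")

@dataclass
class Evaluation:
    component: str
    buy: dict                       # factor -> 1..3 (3 = favors Buy)
    build: dict                     # factor -> 1..3 (3 = favors Build)
    authorized_vendor_exists: bool  # FedRAMP Moderate (or higher) equivalent exists
    zone1_justification: str = ""   # why that vendor fails a Zone 1 requirement

def decide(ev: Evaluation) -> dict:
    """Apply the six-factor sum, subject to the Factor 1 veto."""
    for side in (ev.buy, ev.build):
        if set(side) != set(FACTORS):
            raise ValueError("each option needs a score for all six factors")
        if any(score not in (1, 2, 3) for score in side.values()):
            raise ValueError("scores must be 1, 2 or 3")
    total_buy = sum(ev.buy.values())
    # Veto: building despite an authorized equivalent, with no documented
    # Zone 1 justification, scores F1 = 0 and Build does not advance.
    if ev.authorized_vendor_exists and not ev.zone1_justification.strip():
        return {"decision": "Buy", "vetoed": True,
                "total_buy": total_buy, "total_build": 0}
    total_build = sum(ev.build.values())
    if total_buy == total_build:
        decision = "Unresolved"     # assumption: the memo defines no tie-break
    else:
        decision = "Buy" if total_buy > total_build else "Build"
    return {"decision": decision, "vetoed": False,
            "total_buy": total_buy, "total_build": total_build}

# Constructed scores for a hypothetical component (not a NorthAI evaluation).
SAMPLE = Evaluation(
    component="example-component",
    buy={"compliance": 3, "cost": 1, "time": 2, "custom_need": 1,
         "vendor_risk": 2, "exit_cost": 2},
    build={"compliance": 1, "cost": 3, "time": 2, "custom_need": 3,
           "vendor_risk": 3, "exit_cost": 2},
    authorized_vendor_exists=True,
)

if __name__ == "__main__":
    print(decide(SAMPLE))           # raw totals favor Build; the veto overrides
```

With the sample scores the raw totals are 11 for Buy and 14 for Build, so the veto is the only thing that changes the outcome; supplying a Zone 1 justification lets the totals decide.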