ABSTRACT
For government IT leaders evaluating OKR and strategy execution software, security authorization is not an afterthought — it is the first gate. The FedRAMP authorization framework, FISMA compliance requirements, NIST SP 800-53 controls, HIPAA obligations, and an increasingly complex landscape of state-level frameworks (including StateRAMP) create a procurement environment that is uniquely challenging — and uniquely consequential when misnavigated. Procuring a non-FedRAMP-authorized platform for federal use is not just a policy violation; it is a career risk for the CIO and Contracting Officer who approved it.
This article provides a comprehensive guide for government IT leaders, program managers, and contracting officers evaluating OKR and performance management software for government deployment. It covers: the FedRAMP authorization spectrum from Ready to Authorized, the three impact levels and which applies to OKR data, the security framework landscape, a procurement due diligence checklist, the contract vehicle landscape for IT SaaS procurement, a CIO conversation guide for the most common objections, and Profit.co’s specific security posture and procurement pathway.
- 3 FedRAMP Status Levels: Ready / In Process / Authorized
- 325 Security Controls required for FedRAMP Moderate authorization
- 22 Due Diligence Items in our government IT procurement checklist
- 7 Security Frameworks every government IT leader must understand
1. Why Security Authorization Is the First Question — Not the Last
The career risk, compliance exposure, and mission disruption that result from procuring software without the right security posture.
In the private sector, software procurement typically begins with functionality: does it do what we need? In government, the sequence is necessarily different. Before a program manager can deploy any cloud-based software that will touch government data, they must answer a more fundamental question: is this platform authorized to operate in a federal environment, at the appropriate security level, for the type of data it will process?
The consequences of getting this wrong are severe and non-theoretical. A Federal CIO who authorizes deployment of a non-FedRAMP platform for Moderate-impact data is in violation of OMB policy and potentially FISMA. A program manager who bypasses the IT security review process to deploy an unauthorized SaaS tool — even with the best intentions — creates unauthorized exposure for sensitive government data and personal information of federal employees and program beneficiaries.
Real-world consequences have included: IG findings and corrective action plans, temporary deauthorization of IT systems, personal liability for contracting officers who approved non-compliant procurements, and in several high-profile cases, mandatory data breach notifications after unauthorized platforms were compromised. These are not edge cases — they are the predictable consequences of an increasingly sophisticated threat environment targeting government data.
The good news is that the FedRAMP framework, for all its complexity, exists precisely to make secure cloud procurement tractable. It provides a standardized, rigorous, and publicly accessible authorization process that allows agencies to evaluate cloud vendors with confidence. Understanding it thoroughly is the foundation of every sound government IT procurement decision.
2. The FedRAMP Authorization Spectrum: Ready, In Process, Authorized
What each status level means, what level of risk it represents, and what it means for your procurement timeline.
The single most important thing a government IT leader needs to understand about FedRAMP is that not all FedRAMP status designations are equal. A vendor that is “FedRAMP Ready” has NOT been authorized for federal deployment. It has completed a preliminary assessment confirming it is likely to achieve authorization — but no Authorization to Operate (ATO) has been issued, and the full security assessment has not been completed.
Many government program managers have been misled by vendors who describe themselves as “FedRAMP compliant” or “working toward FedRAMP” without disclosing that they have not yet achieved authorization. The only status that provides full regulatory protection for federal deployments is FedRAMP Authorized, with a listed entry in the FedRAMP Marketplace.
FedRAMP Ready — Pre-authorization preparation phase
Risk: Higher — agency must conduct its own due diligence; no formal authorization exists
- Third-Party Assessment Organization (3PAO) has completed a Readiness Assessment Report (RAR)
- FedRAMP PMO has reviewed and accepted the RAR — confirming the CSP is likely to achieve authorization
- The CSP has NOT yet undergone a full security assessment
- No ATO has been issued; no agency has formally accepted the risk
- Can be used by agencies under their own risk acceptance (not recommended for high-impact data)
FedRAMP In Process — Active authorization review underway
Risk: Moderate — authorization is expected but not guaranteed; proceed with caution
- The CSP is actively working with a sponsoring agency or the Joint Authorization Board (JAB)
- A full 3PAO assessment is in progress or under review
- The System Security Plan (SSP) and associated documentation are under active review
- Authorization may be 6-18 months away; the timeline depends on assessment scope and findings
- Some agencies will begin procurement negotiations at this stage with authorization as a contract condition
FedRAMP Authorized — Full authorization achieved; safe for government deployment
Risk: Lowest — formal authorization provides maximum procurement protection
- Full 3PAO security assessment completed; all findings documented and remediated
- Agency ATO or JAB Provisional Authorization (P-ATO) issued
- Listed in the FedRAMP Marketplace at marketplace.fedramp.gov
- Annual assessment and continuous monitoring (ConMon) reporting required to maintain authorization
- Impact level specified: Low, Moderate, or High — must match agency data sensitivity requirements
Figure 1: The FedRAMP Authorization Spectrum — three status levels, their requirements, and risk implications for government procurement
3. Impact Levels: Which One Does OKR Software Require?
Understanding Low, Moderate, and High impact designations — and determining which applies to your performance management data.
FedRAMP authorization is not a single standard — it is tiered by the sensitivity of the data being processed. The three impact levels (Low, Moderate, High) determine the number and type of security controls required, and choosing the wrong level is a compliance failure in either direction: insufficient controls for sensitive data creates real risk; over-engineering controls for low-sensitivity data wastes resources.
For OKR and performance management software, the relevant question is: what data will flow through this system? The answer determines the required impact level.
| Level | Designation | Definition | OKR Platform Applicability | Key Facts |
|---|---|---|---|---|
| Low | FedRAMP Low | Limited adverse effect on operations, assets, or individuals if breached | Examples: Public-facing information, training content, general administrative data. OKR dashboards with only aggregated, non-sensitive performance data; public-facing reporting tools | Fastest path to authorization; approximately 125 security controls |
| Moderate | FedRAMP Moderate | Serious adverse effect — significant damage to operations, finances, or individual privacy | Examples: Personally identifiable information (PII), procurement-sensitive data, HR records, program beneficiary data. OKR/performance management platforms with individual employee data, grant recipient information, or PII of any kind | Most government SaaS tools qualify here; approximately 325 controls — the most common authorization level |
| High | FedRAMP High | Severe or catastrophic adverse effect — loss of life, financial ruin, or severe long-term damage | Examples: Law enforcement data, emergency services, financial systems, health records, national security data. Not typically applicable to OKR/strategy software unless integrated with LE or national security data | Approximately 421 controls; fewer than 15% of FedRAMP-authorized products achieve High authorization |
Figure 2: FedRAMP Impact Levels — definitions, examples, and applicability to OKR and performance management platforms
3.1 The OKR Platform Impact Level Assessment
Most government OKR and performance management deployments require FedRAMP Moderate authorization. The determining factor is the presence of Personally Identifiable Information (PII): individual employee OKRs, performance appraisal data, HR records, and compensation information all constitute PII under OMB Circular A-130 and the Privacy Act of 1974. Any system that stores, processes, or transmits this data requires Moderate-level controls.
There are two common exceptions. First, a purely aggregate reporting deployment — where the OKR platform shows only department-level and agency-level metrics with no individual employee data — may qualify for Low impact level authorization. Second, some specialized deployments at law enforcement or intelligence agencies that integrate OKR data with classified or law enforcement sensitive data may require High impact level authorization.
When in doubt, consult with your agency’s Privacy Officer and ISSO (Information System Security Officer) before making an impact level determination. The cost of getting this wrong — either in compliance exposure or in over-engineering the procurement — is significant.
4. The Security Framework Landscape
A comprehensive map of the seven frameworks every government IT leader evaluating OKR software must understand — and how they relate to each other.
FedRAMP is the most visible but not the only security framework relevant to government OKR software procurement. The full compliance landscape involves multiple overlapping frameworks, each addressing a different dimension of security, privacy, and governance. Understanding how they interrelate — which are complementary, which are substitutes, and which are legally required — is essential for building a sound procurement decision.
| Framework | Full Name | Scope | Authorization Artifact | Key Facts for OKR Procurement | SLED Relevance |
|---|---|---|---|---|---|
| FedRAMP | Federal Risk and Authorization Management Program | Federal cloud services; any CSP providing SaaS/PaaS/IaaS to federal agencies | ATO or JAB P-ATO | Mandatory for federal agency cloud procurement; FISMA-derived; 325 controls at Moderate | Direct requirement for all federal agencies; SLED agencies may require or strongly prefer |
| FISMA | Federal Information Security Modernization Act | All federal information systems, whether cloud or on-premise | Agency ATO (annual) | Statutory requirement under 44 U.S.C. § 3551; requires annual assessment and reporting to OMB; FedRAMP satisfies the cloud portion | SLED not directly subject but many states have adopted equivalent frameworks |
| NIST SP 800-53 | NIST Special Publication 800-53: Security and Privacy Controls | Federal systems; widely adopted by state/local and private sector | Basis for ATO assessment | FedRAMP controls are drawn directly from NIST SP 800-53 Rev. 5; the authoritative source for all federal security control requirements | Gold standard for security control assessment; widely respected in procurement |
| SOC 2 Type II | System and Organization Controls 2 (AICPA) | Commercial SaaS companies; not a government framework per se | SOC 2 Report (annual) | Important trust signal but NOT equivalent to FedRAMP; does not authorize federal deployment; covers Trust Services Criteria (Security, Availability, Confidentiality, etc.) | Necessary but not sufficient for federal deployment; valuable for SLED procurement |
| HIPAA | Health Insurance Portability and Accountability Act | Any system that processes Protected Health Information (PHI) | BAA + technical safeguards | Required for VA, HHS, state Medicaid, and any OKR platform that processes individually identifiable health data; must be in BAA with vendor | Critical for health agencies; OKR platforms must sign BAA if they access any PHI |
| ISO 27001 | International Organization for Standardization — Information Security Management | Global; widely used in commercial and government contexts | Third-party certification | Respected international standard; not equivalent to FedRAMP for US federal but valuable as evidence of security maturity for SLED procurement and partner agencies | Valuable trust signal; does not substitute for FedRAMP at federal level |
| StateRAMP | State Risk and Authorization Management Program | State and local governments; modeled on FedRAMP | StateRAMP Authorization | Launched 2021; growing adoption among state CIOs; uses NIST 800-53 controls tailored for SLED context; separate from but interoperable with FedRAMP | Increasingly required by state procurement offices; check your state’s adopted framework |
Figure 3: Government Security Framework Landscape — seven frameworks, their scope, authorization artifacts, and relevance to OKR software procurement
4.1 The FedRAMP-FISMA Relationship
The most important relationship to understand is between FedRAMP and FISMA. FISMA (Federal Information Security Modernization Act) is the statutory framework that requires all federal information systems to have an Authorization to Operate (ATO) based on a risk assessment. FedRAMP is the standardized implementation of FISMA’s ATO requirement specifically for cloud services: instead of every agency conducting its own security assessment of every cloud vendor, FedRAMP assessments are conducted once and recognized government-wide. A FedRAMP ATO satisfies the FISMA ATO requirement for cloud services.
This “assess once, authorize many” model is what makes FedRAMP so powerful. Without it, every federal agency would need to conduct its own full security assessment of every cloud vendor — a process that would take years and cost millions of dollars per vendor. FedRAMP centralizes that assessment, making compliant cloud adoption tractable.
4.2 StateRAMP: The Emerging SLED Standard
For state and local government agencies, StateRAMP is rapidly becoming the standard equivalent of FedRAMP. Launched in 2021 and modeled directly on FedRAMP’s framework, StateRAMP uses the same NIST SP 800-53 controls but adapts them for the SLED context. As of 2025, more than 30 states have formally adopted StateRAMP as a procurement requirement or strong preference for cloud software.
Government IT leaders at the SLED level should verify whether their state has adopted StateRAMP and whether it is a requirement or recommendation for new SaaS procurements. The StateRAMP Marketplace (stateramp.org) maintains a list of authorized products. Profit.co is working toward StateRAMP authorization as SLED adoption of the standard accelerates.
5. The 22-Point Government IT Procurement Checklist
A comprehensive due diligence framework covering security, data governance, and contract considerations for OKR software procurement.
The following checklist has been developed through Profit.co’s experience supporting government IT procurement processes across federal, state, and local agency clients. It is organized into four sections — Security & Compliance, Data Governance, Contract & Procurement, and Process — and should be used as a structured due diligence framework for evaluating any OKR or performance management software vendor.
| Section | Item | What to verify | Priority |
|---|---|---|---|
| Security & Compliance | FedRAMP Authorization Status | Confirm the vendor’s exact FedRAMP status: Ready, In Process, or Authorized. Request the FedRAMP Marketplace listing URL. Do not accept marketing language as a substitute. | Critical |
| Security & Compliance | FedRAMP Impact Level | Confirm the authorization impact level (Low/Moderate/High) matches your agency’s data sensitivity requirements. Most HR/performance data requires Moderate. | Critical |
| Security & Compliance | Scope of Authorization | Confirm that the specific product and features you are procuring are within the authorization boundary. Features added after authorization may not be covered. | Critical |
| Security & Compliance | Continuous Monitoring Status | Request the vendor’s most recent ConMon report or annual assessment results. Verify there are no open High or Critical Plan of Action & Milestones (POA&M) items. | Critical |
| Security & Compliance | HIPAA BAA Availability | If any Protected Health Information will flow through the system, confirm the vendor will sign a Business Associate Agreement (BAA). | High |
| Security & Compliance | StateRAMP Authorization | For SLED agencies, confirm whether the vendor has StateRAMP authorization or is working toward it. Check your state’s specific requirements. | High |
| Security & Compliance | SOC 2 Type II Report | Request the most recent SOC 2 Type II report. Review the auditor’s opinion and any exceptions noted. | High |
| Security & Compliance | Penetration Testing | Request evidence of recent third-party penetration testing. Understand the scope and confirm critical findings were remediated. | Medium |
| Data Governance | Data Residency | Confirm all government data will be stored in US-based data centers. Request the specific cloud infrastructure used (AWS GovCloud, Azure Government, etc.). | Critical |
| Data Governance | Data Isolation | Confirm government data is logically or physically isolated from commercial/other-sector tenants. Understand the multi-tenancy architecture. | Critical |
| Data Governance | Data Portability & Exit | Confirm you can export all OKR, performance, and employee data in a standard format (JSON, CSV, XML) at any time. Understand the data retention policy post-contract. | High |
| Data Governance | Data Encryption | Confirm data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Request the encryption key management architecture. | High |
| Data Governance | Backup & Recovery | Confirm Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Request evidence of recent disaster recovery testing. | High |
| Data Governance | Audit Logging | Confirm comprehensive audit logs of all user actions, data access, and system events are maintained. Confirm log retention period meets your agency’s requirements. | Medium |
| Contract & Procurement | Contract Vehicle Availability | Confirm whether the vendor is on an existing contract vehicle: GSA Schedule (IT Schedule 70), NASA SEWP V, CIO-SP3, or equivalent. This dramatically accelerates procurement. | Critical |
| Contract & Procurement | Government Contract Terms | Request government-specific contract terms: FAR/DFARS clauses, data rights provisions, IP ownership, termination for convenience, and performance guarantees. | Critical |
| Contract & Procurement | Pricing Transparency | Confirm pricing is based on the same schedule as the contract vehicle. Understand per-user vs. enterprise pricing and the cost implications of scaling. | High |
| Contract & Procurement | SLA Guarantees | Review the Service Level Agreement: uptime guarantees (99.9% minimum), support response times, escalation paths for critical issues, and remedies for SLA breaches. | High |
| Contract & Procurement | Implementation Support | Confirm the availability of government-experienced implementation consultants. Request references from comparable agency deployments. | Medium |
| Contract & Procurement | Training & Change Management | Understand the training resources available. Confirm whether government-specific training materials and change management support are included. | Medium |
| Process | RFI/RFP evaluation mapping | Map each Critical and High checklist item to explicit evaluation criteria and scoring weights in the solicitation so gaps are visible during source selection. | High |
| Process | Evidence repository & ISSO packet | Maintain a single repository of vendor attestations, NDA-gated reports (SOC 2, pen test summaries), and ISSO sign-off for each Critical item before award. | High |
Figure 4: 22-Point Government IT Procurement Checklist — Security & Compliance, Data Governance, Contract & Procurement, and Process considerations
6. Contract Vehicles for OKR Software Procurement
The established procurement pathways that allow government agencies to acquire OKR software quickly, compliantly, and at government-negotiated pricing.
One of the most significant practical barriers to government software procurement is timeline. A full open-market competitive procurement for a SaaS tool can take 12-24 months from initial requirements to contract award — by which time the strategic urgency that motivated the procurement has often passed. Established contract vehicles solve this problem by pre-qualifying vendors, pre-negotiating terms, and establishing compliant ordering processes that dramatically accelerate procurement.
| Vehicle | Issuing Agency | Eligible Customers | Order Process | Key Notes for OKR Procurement |
|---|---|---|---|---|
| GSA Schedule 70 (IT Schedule 70) | General Services Administration | All federal agencies; SLED agencies with cooperative purchasing agreements | Direct; no additional competition required above micro-purchase threshold | Largest IT contract vehicle; Profit.co available on Schedule 70; fastest path for most agencies |
| SEWP V (NASA SEWP) | NASA / Government-wide | All federal agencies; widely used for IT and cloud services | Task order against existing IDIQ contract | Strong for cloud and SaaS; government-negotiated pricing; 1-day to 2-week award timeline for existing holders |
| CIO-SP3 | NIH NITAAC | All federal agencies; health-focused agencies particularly | Task order competition (can be sole-source with justification) | Health IT and data analytics focus; useful for HHS, VA, and health-focused state agencies |
| 8(a) STARS III | SBA / GSA | Federal agencies seeking small business set-asides | Task order; competitive or sole-source under thresholds | Useful when small business requirements apply; Profit.co partners with 8(a) prime contractors |
| State Master Agreements | State-specific (varies) | State agencies in participating states; often extends to local government | Varies by state; typically competitive solicitation | Many states have established IT master agreements that include FedRAMP-authorized vendors; check your state’s procurement office |
| Agency-Specific IDIQs | Individual agencies | Specific agency or department | Task order against established IDIQ | Some large agencies (DoD, DHS, HHS) have established OKR/performance management IDIQs; check with your contracting officer |
Figure 5: Contract Vehicle Landscape for OKR Software Procurement — vehicles, issuing agencies, eligible customers, and order processes
6.1 The GSA Schedule 70 Pathway
For most federal and many SLED agencies, GSA Schedule 70 (IT Schedule 70) is the fastest and most straightforward procurement pathway for OKR software. As a Multiple Award Schedule contract, IT Schedule 70 pre-qualifies vendors, establishes maximum pricing, and creates a streamlined ordering process that typically allows contract award in days to weeks rather than months.
Profit.co is available on GSA Schedule 70, with government-negotiated pricing for both federal and eligible SLED agencies. The Schedule 70 ordering process for Profit.co involves: identifying the procurement need, confirming the FAR Part 8 requirements, requesting quotes from Schedule holders (or using the e-Buy platform), and executing a Task Order. For orders above the simplified acquisition threshold, a brief competition among Schedule holders is required.
6.2 SLED Procurement Considerations
State and local agencies face a more varied procurement landscape than their federal counterparts. Many states have established statewide IT master agreements or technology cooperative purchasing programs that include FedRAMP-authorized SaaS vendors. NASPO ValuePoint, the cooperative purchasing organization for state procurement offices, maintains a cloud solutions contract that includes OKR and performance management software categories.
County and municipal governments often have the most flexibility in procurement methodology — many can acquire software through cooperative purchasing agreements, piggybacking on state contracts, or through their own simplified procurement processes for software under designated dollar thresholds. IT leaders at the SLED level should consult with their procurement office early to identify the fastest compliant pathway.
7. The CIO Conversation: Responses to Common Objections
A field guide for program managers navigating the IT security review — with evidence-based responses to the most frequent CIO and ISSO objections.
Even when a vendor is FedRAMP Authorized and all compliance boxes are checked, program managers frequently encounter resistance from CIO offices that are risk-averse by institutional design. The following conversation guide provides evidence-based responses to the most common objections, allowing program managers to engage constructively rather than adversarially with IT security stakeholders.
| What Your CIO May Say | What to Say in Response |
|---|---|
| “We already have a FedRAMP-authorized platform” | “Which platform, at what impact level, and for which use cases? Has it been assessed for the performance management and OKR functionality specifically — or just for general IT operations? Different use cases may require separate authorization reviews.” |
| “FedRAMP authorization takes too long — we’ll do a local install instead” | “Local installs create a larger attack surface, require in-house security operations, and typically cost more in total cost of ownership than a FedRAMP-authorized SaaS solution. The authorization timeline for a FedRAMP Ready vendor working with a sponsoring agency is typically 6-12 months — comparable to the time required to stand up a locally hosted solution.” |
| “We can’t use cloud for performance data” | “OMB Memorandum M-19-17 and subsequent cloud-smart guidance explicitly encourage cloud adoption for government systems, including HR and performance data, provided appropriate authorization levels are met. FedRAMP Moderate authorization was specifically designed for data of this sensitivity.” |
| “We’ll wait until FedRAMP authorization is complete before evaluating” | “Vendors in the FedRAMP In Process stage are typically 6-18 months from authorization. Beginning evaluation now allows your agency to complete due diligence, negotiate contract terms, and be ready to deploy immediately upon authorization — avoiding the typical 3-6 month procurement delay that happens when agencies wait.” |
| “Our ISO 27001 / SOC 2 certified vendors are secure enough” | “SOC 2 and ISO 27001 are important trust signals but they do not authorize federal deployment. They assess commercial security practices against commercial standards. FedRAMP specifically assesses government-relevant security controls against NIST SP 800-53 — a much higher bar for the specific threats government systems face.” |
| “We need FIPS 140-2 validated encryption — most SaaS vendors don’t have this” | “FedRAMP Moderate authorization requires FIPS 140-2 validated cryptographic modules. Any vendor with a current FedRAMP Moderate authorization has demonstrated FIPS 140-2 compliance as part of that authorization. Request the specific modules used and their validation certificate numbers from the NIST CMVP database.” |
Figure 6: CIO Conversation Guide — six common IT security objections with evidence-based responses
8. Profit.co’s Government Security Posture
Profit.co’s specific security credentials, authorization status, and procurement pathway for government agencies.
Profit.co for Government is built on infrastructure designed specifically for the security and compliance requirements of public sector deployment. The following represents Profit.co’s current government security posture as of 2026; agencies should verify current authorization status directly with Profit.co’s government team and at the FedRAMP Marketplace.
| Security Credential | Status & Details |
|---|---|
| FedRAMP Status | FedRAMP Ready — actively pursuing FedRAMP Moderate Authorization with sponsoring agency partnership |
| Data Residency | All government customer data stored exclusively in AWS GovCloud (US-East and US-West) — US soil only |
| Encryption | AES-256 encryption at rest; TLS 1.3 in transit; FIPS 140-2 validated cryptographic modules |
| SOC 2 Type II | Current SOC 2 Type II certification — audit report available under NDA upon request |
| ISO 27001 | ISO 27001:2022 certified — certification number available upon request |
| HIPAA | HIPAA Business Associate Agreement (BAA) available for all healthcare agency customers |
| Penetration Testing | Annual third-party penetration testing conducted by an accredited 3PAO; most recent report available under NDA |
| GSA Schedule 70 | Available on GSA IT Schedule 70 — Schedule Number available from Profit.co government sales team |
| StateRAMP | StateRAMP authorization in progress; targeted for completion in 2026 for eligible SLED customers |
| Dedicated Gov Environment | Logically isolated government tenant environment with dedicated support team and SLA |
Figure 7: Profit.co Government Security Posture — current credentials and authorization status (verify currency at profit.co/gov/security)
9. Conclusion: Security Is the Foundation, Not the Obstacle
Why FedRAMP exists — and how to use it to move faster with defensible decisions.
The FedRAMP framework, for all its complexity and rigor, exists to solve a genuine and important problem: how do government agencies adopt the best available technology without creating unacceptable security risks to the public they serve and the data they hold in trust? The answer — a standardized, rigorous, publicly accountable authorization process — is the right answer to that question, even when the implementation is imperfect and the timeline is frustrating.
For program managers and IT leaders who understand the framework well, FedRAMP becomes an asset rather than an obstacle. It provides a standardized, publicly verifiable basis for procurement decisions that protects the individual making those decisions as much as the agency. A CIO who procures from a FedRAMP-authorized vendor has a documented, defensible rationale for their decision. A CIO who procures from a non-authorized vendor does not.
Profit.co’s government team is available to guide agencies through the security review process, provide the documentation required for IT approval, support the contract vehicle selection, and accelerate the path from procurement decision to live deployment. The goal is to make the security review a collaborative process that builds the CIO’s confidence rather than consuming the program manager’s momentum.