Tuesday 30 May 2023

FedRAMP: What it is, why it matters, and how to get certified

From hacked celebrity photo albums to state-sponsored cyberespionage and everything in between, the applications of data security are endless, and the security of cloud-based services is a concern for everyone.

These concerns reach the level of national security when government data is at stake. FedRAMP is the set of rigorous security standards that the U.S. federal government demands of every cloud service used by federal agencies.

What is FedRAMP and what are its benefits? This is the place to learn more.


What is FedRAMP?

FedRAMP is the Federal Risk and Authorization Management Program. It standardizes security assessments and authorizations for cloud services and products used by U.S. Federal agencies.

The goal is that federal data will be protected consistently at high levels in the cloud.

Obtaining FedRAMP approval is a serious matter. The required level of security is mandated by law: 14 laws and regulations apply, along with 19 standards and guidance documents. It is one of the most rigorous software-as-a-service certifications in the world.

Here’s a quick introduction:

FedRAMP has been around since 2012, when cloud technologies began to replace old tethered solutions. It was born out of the U.S. federal government’s “Cloud First” policy, which required agencies to consider cloud-based options first.

Before FedRAMP, cloud service providers had to submit a separate authorization package to each agency they wished to do business with. The requirements were inconsistent, and there was a great deal of duplicated effort on the part of both agencies and providers.

FedRAMP streamlined and brought consistency to the process.

Evaluations and requirements have been standardized. The FedRAMP security package can be reused by multiple government agencies.

FedRAMP adoption was slow at first. In the first four-year period, only 20 cloud services were approved. Since 2018, the FedRAMP cloud product authorization rate has increased dramatically. There are now 204 FedRAMP-authorized cloud products.

Source: FedRAMP

FedRAMP is governed by the Joint Authorization Board (JAB). The board is composed of representatives from the Department of Homeland Security, the General Services Administration, and the Department of Defense.

The Federal Chief Information Officers Council of the U.S. Government has endorsed this program.

Why is FedRAMP Certification Important?

FedRAMP approval is required for all cloud services that hold federal data. FedRAMP is a critical part of any security plan if you are planning to work with federal agencies.

FedRAMP is essential because it brings consistency to the evaluation and monitoring of cloud services used by the government. It sets one standard for all government agencies and all cloud providers.

The FedRAMP Marketplace lists cloud service providers who are FedRAMP-authorized. The FedRAMP Marketplace is the first stop for government agencies when they are looking to find a cloud-based solution. It is much faster and easier for agencies to use products that are already approved than to begin the approval process with a different vendor.

A listing on the FedRAMP Marketplace will increase your chances of getting additional business from government agencies. It can also help you to improve your reputation in the private sector.

The FedRAMP marketplace can be accessed by anyone. The list of FedRAMP-authorized solutions is available to any private sector company.

This is a good resource for those looking to find a cloud service or product that’s secure.

FedRAMP certification gives clients more confidence in your security protocols. It signals a commitment to meeting the highest standards of security.

Your security credibility is significantly enhanced by FedRAMP certification, and not just in the FedRAMP Marketplace. Share your FedRAMP approval on social media or your website.

Most of your customers have probably never heard of FedRAMP and won’t care whether you are authorized or not. But a lack of authorization can be a deal breaker for large clients, in both the public and private sector, who do understand FedRAMP.

What is required to become FedRAMP Certified?

You can become FedRAMP-authorized in two ways.

1. Joint Authorization Board Provisional Authority to Operate

The JAB will issue a provisional approval during this process. This lets the agencies know that the risk has been assessed.

This is a very important first approval. However, any agency that wishes to use this service must still issue its own Authority to Operate.

This process is most suitable for cloud service providers whose services fall at the High or Moderate risk level. We’ll discuss risk levels in a later section.

Here is a visual representation of the JAB Process:

Source: FedRAMP

2. Agency Authority to Operate

In this process the cloud service provider establishes an agreement with a federal agency. This agency is involved in the entire process. The agency will issue a letter of Authority to Operate if the process is successful.



Source: FedRAMP

FedRAMP Authorization: Steps

FedRAMP authorization requires four steps, regardless of the type you choose.

1. Package development. The first step is a kick-off authorization meeting. Next, the provider creates a System Security Plan. A FedRAMP-approved third-party assessment organization develops the Security Assessment Plan and then submits the Security Assessment Report. The provider creates a Plan of Action & Milestones.

2. Authorization. The JAB, or the authorizing agency, decides whether the risk is acceptable. If the answer is yes, the FedRAMP project manager submits a letter of Authority to Operate, and the provider is listed in the FedRAMP Marketplace.

3. Monitoring. The provider sends monthly security monitoring deliverables to each agency that uses the service.

FedRAMP authorization best practices

It can be a difficult process to achieve FedRAMP approval. It’s in everyone’s best interest for cloud service providers, once they begin the authorization process, to be successful.

FedRAMP asked several small and new businesses about the lessons they learned from authorization. Here are seven of their best tips to successfully navigate the authorization process.

- Spend time defining your boundaries. That includes:
  - internal components,
  - connections to external services, and
  - the flow of information and metadata.
- Think of FedRAMP as a continuous program, rather than a project with a start and end date.
- Consider your approach to authorization carefully.
- Use the FedRAMP PMO as a resource. They can help answer technical questions and plan your strategy.

FedRAMP provides templates to cloud service providers in order to prepare them for FedRAMP compliance.

What are the FedRAMP compliance categories?

FedRAMP defines four impact levels for services that carry different degrees of risk. These levels are based on the potential impact of a security breach across three areas:

- Confidentiality: protections for privacy and proprietary information.
- Integrity: protections against modification or destruction of information.
- Availability: timely and reliable access to data.

The National Institute of Standards and Technology’s Federal Information Processing Standard FIPS 199 is used to determine the first three impact levels. The fourth is based on NIST Special Publication 800-37. The impact levels are as follows:

- High, based on 421 controls. The loss of confidentiality, integrity, or availability could have a serious or catastrophic effect on an organization’s operations, assets, or individuals. This is usually the case for law enforcement, emergency services, financial, and healthcare systems.
- Moderate, based on 325 controls.
- Low, based on 125 controls. “The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”
- Low-Impact Software-as-a-Service (LI-SaaS), based on 36 controls. FedRAMP Tailored is for “systems with low risks, such as collaboration tools, project-management applications, or tools that assist in the development of open-source software.”

The FedRAMP Tailored category was introduced in 2017 as a way to simplify the approval process for “low-risk” use cases. To qualify, the provider has to answer yes to 6 questions. These questions are listed on the FedRAMP Tailored page.

- Is it a cloud-based service?
- Is it fully operational?
- Is the Cloud Service a Software as a Service, as defined in NIST SP 800-145: The NIST Definition of Cloud Computing?
- Does the Cloud Service contain any personally identifiable information, except for login credentials (username, email and password)?
- Is the Cloud Service low-security impact, as defined in FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems?

Remember that FedRAMP is not an easy task, and it does not end at authorization. Remember the Monitoring phase of FedRAMP authorization? You’ll have to conduct regular security audits in order to remain FedRAMP-compliant.

FedRAMP certified products examples

A wide range of products and services are FedRAMP authorized. Here are some examples from cloud service providers you may be familiar with and may have used yourself.

Hootsuite

Hootsuite has been officially FedRAMP authorized since March 2021. Hootsuite is used by a number of government agencies, including the U.S. Department of the Interior and FEMA, to accomplish a variety of federal objectives.

Tom Keiser, then CEO of Hootsuite, said of the official designation:

It’s important to keep our security practices up-to-date to meet the standards. Our FedRAMP ATO will allow the US Federal Government and all Hootsuite users to feel confident in our commitment to improving our security practices.

You can read more about why Hootsuite has been the most trusted social media tool for government agencies, or you can book a demo (no obligations required).


Amazon Web Services

There are two AWS listings in the FedRAMP Marketplace. AWS GovCloud is authorized at the High level. AWS US East/West is authorized at the Moderate level.

Did you hear? AWS GovCloud (US) customers can use #AmazonEFS for mission-critical file workloads thanks to recently achieving FedRAMP High authorization. #GovCloud https://t.co/iZoKNRESPP pic.twitter.com/pwjtvybW6O

— AWS for Government (@AWS_Gov) October 18, 2019

AWS GovCloud has a whopping 292 authorizations. AWS US East/West has 250 authorizations. That’s far more than any other listing in the FedRAMP Marketplace.

Adobe Analytics

Adobe Analytics was authorized in 2019. It is used by the Centers for Disease Control and Prevention and the Department of Health and Human Services. It’s authorized at the LI-SaaS level.

Adobe actually has several products authorized at the LI-SaaS level (such as Adobe Campaign and Adobe Document Cloud). They also have a couple of products authorized at the Moderate level:

- Adobe Connect Managed Services
- Adobe Experience Manager Managed Services

Adobe is currently in the process of moving from FedRAMP Tailored authorization to FedRAMP Moderate authorization for Adobe Sign.

Learn more about how @Adobe Sign is working to move from FedRAMP Tailored to FedRAMP Moderate status here: https://t.co/cYjihF9KkP

— AdobeSecurity (@AdobeSecurity) August 12, 2020

Remember that it’s the service, not the service provider, that gets authorization. Like Adobe, you might have to pursue multiple authorizations if you offer more than one cloud-based solution.

Slack

Authorized in May of this year, Slack has 21 FedRAMP authorizations. The product is authorized at the Moderate level. It’s used by agencies including:

- the Centers for Disease Control and Prevention,
- the Federal Communications Commission, and
- the National Science Foundation.

The U.S. public sector can now run more of their work in Slack, thanks to our new FedRAMP Moderate authorization. And by meeting those stringent security requirements, we’re keeping things secure for every other company using Slack, too. https://t.co/dlra7qVQ9F

— Slack (@SlackHQ) August 13, 2020

Slack originally received FedRAMP Tailored authorization. Then, they pursued Moderate authorization by partnering with the Department of Veterans Affairs.

Slack makes sure to call attention to the security benefits of this authorization for private sector clients on its website:

“This latest authorization translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP-authorized environment. All customers using Slack’s commercial offerings can benefit from the heightened security measures required to achieve FedRAMP certification.”

Trello Enterprise Cloud

Trello was granted LI-SaaS authorization in September. So far, Trello is used only by the General Services Administration, but the company is looking to change that, as seen in its social posts about its new FedRAMP status:

🏛

Trello is now FedRAMP authorized, allowing your agency to use Trello for increased productivity, team collaboration, and breaking down silos. https://t.co/GWYgaj9jfY

— Trello by Atlassian (@trello) October 12, 2020

Zendesk

Zendesk was also authorized in May, with authorizations from the following agencies:

- the Department of Energy,
- the Federal Housing Finance Agency,
- the FHFA Office of the Inspector General, and
- the General Services Administration.

The Zendesk Customer Support and Help Desk Platform is authorized at the LI-SaaS level.

As of today, we will make it easier for government agencies and @Zendesk to work together. Thanks to everyone who worked on this, both inside and outside Zendesk. https://t.co/A0HVwjhGsv

— Mikkel Svane (@mikkelsvane) May 22, 2020
