Back To Blog

What It Takes for Granicus to be FedRAMP Authorized

Unless you’ve been living under a rock, you probably know about dozens of high-profile security scandals over the years. The ones that make it on the news are only the tip of the iceberg – there are thousands of breaches and hacks taking place that you’ll never hear about.

In the modern digital era, security is a priority, especially when it comes to government and the data it handles. As a company developing software specifically for the public sector, security is the number-one priority as Granicus designs products. In fact, many of our partners demand it.

Of course, any organization worth its salt realizes security isn’t just a one-time stamp of approval – it’s an ongoing process. Because of that, the federal government requires cloud service providers (CSPs) like Granicus to follow one of the most-stringent government security protocols in the world: FedRAMP.

The Federal Risk and Authorization Management Program is a federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. As the FedRAMP website states: “FedRAMP enables Agencies to rapidly adapt from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.”

What does this mean in practice? Because we recently passed an annual FedRAMP audit, I thought it would be interesting to walk readers through the FedRAMP authorization process and why it should put you at ease using our products. It’s not easy—it took us nearly three years to receive our first provisional authority to operate—so we’re proud that today we maintain such a high standard.

The FedRAMP process

Prep work

The process of securing FedRAMP authorization starts well before an audit – about three months, in fact. That’s when Granicus’ security team meets with Coalfire, our Third-Party Assessment Organization (3PAO). Together, we draft a Security Assessment Plan that goes over the upcoming audit: what will be tested, the methods by which the test will be administered, the schedule for completing the assessment, and more.

Once complete, the document is sent to the federal government’s Joint Authorization Board (the primary governance and decision-making body for the FedRAMP program, comprised of the CIOs at the Department of Defense, Department of Homeland Security, and the General Services Administration—in other words, the most security-demanding organizations in government) to get the go-ahead. Once the JAB approves, we’re ready for an on-site assessment at our offices.

But there’s still work to be done before the audit. Our System Security Plan, an 800-page document that describes how Granicus implements everything in the environment, needs to be updated with the latest information. This “Bible of Security” describes everything on the topic at Granicus: who does what, who is responsible for each step of the security process, etc. There are also hundreds of other pages of documentation that need to be written, from an Incident Response Plan (IRP), to the Business Continuity Plan (BCP), to things like the CIS Worksheet that explain both Granicus’ responsibilities as well as the customer’s responsibilities for keeping things secure.

Once all the documentation is complete, we send it all over to Coalfire for review.

Now it’s time to for an on-site visit.

The FedRAMP audit

After months of planning, it’s time for Coalfire to make a visit to ensure we are following the strictest standards. About five to eight people will spend a week at Granicus’ offices, with several more folks working on the audit remotely.

This is the part of the process where we show rather than tell. If our documentation says we deal with a security concern in one such way, we have to demonstrate it to Coalfire. Several of the remote auditors get login credentials to our platform and try to “break” it with penetration testing. Some Granicus employees will be subject to a targeted phishing test. We also need to sit down with a scan specialist to scan all of our code looking for system vulnerabilities.

Once Coalfire leaves the office, they’ll spend the next several weeks going through their notes to make sure everything is documented. They need to do this both to prove that we are following the rules and for their own sake – the government audits them from time to time.

The report

From all of this work emerges a Security Assessment Report (SAR), which details potential vulnerabilities rated as high, moderate, or low. The higher a vulnerability is rated, the more quickly it must be resolved in order to maintain authorization. The SAR is then presented to the JAB, and reps from the board can ask questions or request more details before signing off. If everything is done right, we are granted FedRAMP authorization for another year.

An ongoing process

While the audit might be over, the work of keeping our platform secure isn’t. As I mentioned at the beginning of this post, security is an ongoing process. That’s why we present monthly scans to the JAB and have weekly meetings with them to provide status updates, ask questions, and be questioned. They’re our partner in this process, and we share a common goal of keeping government data secure. We’re proud that products like govDelivery meets their standards—in fact, it’s the only government communication tool to reach that bar.

The most security-minded departments in the federal government trust our data security practices – do you? We encourage you to get in touch to learn more about how we can bring modern digital government to your organization, and to do so securely.