By Chris White, GovDelivery Information System Security Officer
Change is hard.
But changing to comply with FedRAMP has made us stronger. Last week, GovDelivery announced that the GovDelivery Communications Cloud platform achieved Federal Risk and Authorization Management Program (FedRAMP) compliance at the moderate level – the program’s highest level. (You can read more of the details here.)
We learned a lot about FedRAMP and compliance along the way, and came out of the process with a wealth of knowledge and experience. Today, we wanted to tell you a little bit about the FedRAMP process, and how we did it.
If you’re an agency just starting to look at what FedRAMP means, or if you’re a CSP looking to become FedRAMP compliant, you’ll soon realize that it’s a really big deal. In a nutshell, FedRAMP follows the NIST 800-53r4 standard and guarantees that there’s a specific, testable security baseline in place that has been reviewed by not only an independent auditor, but also by the Chief Information Officers of the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA), ensuring that there’s a great foundation in place. These three CIOs make up what’s called the Joint Authorization Board, or JAB.
Currently, only 21 companies in the world have completed the rigorous work required for compliance through the JAB, and when you dig into what changes are needed, you can understand why.
At GovDelivery, we started the journey back in 2013, not really understanding what was required. We threw together a quick SSP, wrote up some high-level policies, and thought we would breeze through the process.
We were wrong.
Big Changes
It’s not that a lot of companies aren’t already doing much of what FedRAMP requires. At GovDelivery, we already had a lot of the groundwork in place, at least informally. We required our employees to have strong passwords and had all of our web traffic encrypted long before FedRAMP required it. However, in addition to the many different technical implementations that are required, FedRAMP also requires that you have repeatable and, more importantly, provable processes in place. It’s easy to say, “We patch systems monthly,” but do you have a way to prove not only that you do, but also that the patches were tested in lower environments and were properly approved by a change management process?
These repeatable processes require a shift in corporate culture. While in the past, it may have been acceptable to deploy new code immediately, the formalized processes require an organization to take a step back and have a holistic view of the infrastructure before making a change. You’ll initially be met with some resistance because change is hard, but over time it should be easy for everyone to see the benefits, not the least of which is a reduction in unplanned outages.
There are also a lot of day-to-day changes that can be difficult to implement and that can hamper both your internal workflow and customer access.
Fortunately, none of the FedRAMP requirements are show-stoppers, and it’s easy to see how most of the controls fit into the security puzzle to increase the confidentiality, integrity, and availability of the data.
But the fact is, there will be frustrations along the way from all of the changes that are required.
Security is Everyone’s Responsibility
It’s important for your company to realize that security isn’t just an IT problem – it’s an organizational responsibility. You need support for this mantra from the top levels of the organization, including the CEO, because no amount of technology will make you completely secure. At GovDelivery, we preach this message constantly, and it has permeated our entire culture, with everyone pointing out potential issues as they see them, whether it’s an unusual entry in a webserver log or a door to the office that doesn’t close quite right.
It’s just as important that your customers be part of the security conversation. FedRAMP assists in this by requiring the organization to provide documentation so that agencies understand their responsibilities. For example, we require that customers review and re-authorize the users they create on the system, because we have no way to know when an employee leaves the agency.
What does it mean?
Does the FedRAMP authorization guarantee that GovDelivery is 100% secure and that data will never be compromised? No, and if any company makes that claim you should run away from them because they’re clearly lying.
What it does guarantee is that we have a mature security posture in place that’s based upon the industry-recognized NIST 800-53r4 standard. In addition, since GovDelivery went for a JAB approval, it means we’re working with the FedRAMP team on a monthly basis, that they’re reviewing our findings, and that we’re providing evidence that we’re fixing any issues that come up. It also means that we have the seal of approval from GSA, DHS, and DoD.
In summary, it took three years and a huge investment of money and staff time, but today we’re proud to have achieved this significant milestone in GovDelivery history. When using GovDelivery technologies, you can now be more certain than ever that your information and your citizens’ data are secure – and that’s what we’re all about.