GovDelivery’s FedRAMP Journey and Why It Matters
Security matters, and cloud security matters a lot – more so than ever in the public sector. That common belief brought together government and industry professionals at GovDelivery’s latest event in the Digital Engagement Breakfast series, Cloud Security 101: Why FedRAMP Matters To You. The panel included the Director of the Federal Risk and Authorization Management Program (FedRAMP), Matt Goodrich; GovDelivery’s Chief Operating Officer, Bob Ainsbury; and GovDelivery’s Vice President of Cloud Operations, Gerry Hansen.
Ainsbury opened the panel with a broad discussion of digital security. The statistics tell a shocking story. In 2015 alone, there were over 50,000 reported public sector security incidents—a rate of 137 incidents a day. Between 2006 and 2014, there was a 1,121% increase in federal agency security incidents. The average total cost of a data breach is $6.5 million. A chart displays the world’s biggest data breaches, highlighting how prevalent and massive these data breaches can be.
So in the face of this turbulent security landscape, what can agencies do? The government has a long history of creating security standards for its digital technology, such as 2002’s Federal Information Security Management Act (FISMA). While security is paramount, FISMA can also be unwieldy, forcing each agency to go through the security procedures for a cloud service provider, even if another agency is already using that same provider. In addition, each agency can interpret and implement FISMA standards in different ways, creating added complexity.
FedRAMP, the first government-wide security authorization program for FISMA, offers a way to eliminate redundancies in the clearance process for cloud systems while still maintaining a high level of security. As Goodrich noted, FedRAMP is an attempt “to standardize the standards.” In addition to making the security process easier for agencies and providers, FedRAMP has significant financial benefits: it is estimated to save the government $70 million in security costs this year, and as FedRAMP grows, the savings will grow as well.
Cybersecurity has always been a priority for GovDelivery. It has a network of over 126 million citizens, with around 40,000 new subscribers every day. There are over 36,000 admin users who can access the network. 2 billion people see GovDelivery content in a year, and the platform sends over 10,000 emails a second. With that level of data and connectivity, top-notch security is imperative.
Undergoing FedRAMP certification was a natural step. GovDelivery’s first government security accreditation was in 2009, when it received an authorization to operate (ATO) from the National Institute of Standards and Technology (NIST). In 2013, it met the requirements for ISO 27001, an international information security standard. 2014 and 2015 saw ATOs from the Centers for Medicare and Medicaid Services and the Census Bureau.
This experience with certification and GovDelivery’s existing security infrastructure helped reduce the time it took to go through the FedRAMP certification process. The FedRAMP security assessment process is based on the NIST six-step risk management framework, though FedRAMP condenses the process into four steps: document, assess, authorize, and monitor.
The NIST framework, however, focuses on building new security systems, while the majority of the cloud providers already have a system in place. Based on this, FedRAMP will begin a new accelerated program that starts with an upfront readiness capability assessment to test a provider’s existing security infrastructure before moving forward. This new program is expected to reduce the average certification time from 12 months to 6 months.
Hansen said that GovDelivery’s security framework is better for FedRAMP’s process. GovDelivery underwent review by the Joint Authorization Board (JAB), which consists of the chief information officers from the Department of Defense, the Department of Homeland Security, and the General Services Administration. JAB authorization is the most rigorous technical review of any of the paths to FedRAMP certification. FedRAMP itself now uses GovDelivery as its communications platform.
FedRAMP is the future of government digital security. As more and more agencies turn to cloud computing solutions, the reliance on FedRAMP will grow. Some state governments are beginning to require FedRAMP adherence for their cloud service providers as well. As of 2015, the federal government spent $7 billion on provisioned services, such as cloud, and there were over 1,400 cloud implementations and over 80 cloud service providers in use. FedRAMP levels the playing field for cloud providers, holding them to the same security standards so agencies can make the best choice about what they need.