In a world under constant threat from viruses, phishing attempts and other security issues, it’s more important than ever for your agency to protect citizen information. During the 2018 Granicus National Summit, attendees heard about the importance of the Federal Risk and Authorization Management Program (FedRAMP) and why every Granicus solution is built with a security-first mindset. Speaking on the topics were Matt Goodrich, FedRAMP Director at the U.S. General Services Administration (aka Mr. FedRAMP), and Bob Ainsbury, Chief Product Officer at Granicus.
In both the public and private sector, data breaches are occurring at alarmingly high rates. “It seems every week there’s something going on affecting personal lives and federal government,” Ainsbury said.
Government faces additional challenges in trying to address these security incidents with outdated technologies. “Over the past few years, government has been in a reactive state because of legacy systems,” Goodrich said. “We’re not immune. But we are taking steps to modernize and look at new technologies that are FedRAMP compliant and that we can keep secure.”
FedRAMP was originally designed as “a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.”
Part of Goodrich’s job entails helping federal agencies understand how they can use FedRAMP to keep their data safe, especially when migrating to newer cloud technologies.
“Cloud computing is a way to modernize,” Goodrich said. “But one concern agencies have with cloud is security, because they can’t physically see the servers. FedRAMP is a way to make sure that as agencies use those cloud services, they’re secure. The program also makes sure vendors are compliant with the regulations.”
FedRAMP works to authorize cloud service providers, or vendors, so that they can offer more secure cloud services for federal agencies to achieve their missions.
“We have about 100 vendors that are authorized under the program and 30 that are trying to identify federal customers for the program,” Goodrich said. “We also cover a third of the world’s internet access and about 500 million technologies.”
Part of Goodrich’s job also entails making sure all stakeholders are kept in the loop in terms of the authorization process. His team uses Granicus communication technologies to quickly get in touch with their huge base of stakeholders.
“On a weekly basis, we have a touch base with over 10,000 people,” Goodrich said. “We use Granicus and have a lot more visibility into how well we’re communicating with stakeholders. We know how many people are actually interacting with our emails and opening them, which we didn’t know before.”
Granicus is the only cloud communications portal that is FedRAMP certified. “The controls of FedRAMP are security standards, so you have to make sure all your servers are patched accordingly,” Ainsbury said. “There are hundreds of controls to make sure your cloud providers are compliant.”
One way FedRAMP ensures cloud service providers are staying compliant is through third party assessment organizations (3PAOs). A 3PAO is an organization that has been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations through periodic assessments of cloud systems.
That left the audience wondering: why aren’t all organizations using FedRAMP? Ainsbury posed a similar question to Goodrich, “With the Equifax breach, if they’d been FedRAMPed, would it have happened?”
Goodrich didn’t think so. “We’ve never had a major breach with any of our vendors,” he said. “There was a good chance for that patch to have been fixed with Equifax, but they let it linger too long, whereas we are required to patch within 15 days.”
In addition to security, another benefit to FedRAMP is enhanced productivity.
“By law, each agency owns their data and has to authorize any IT system they use,” Goodrich said. “With vendors, you don’t have to keep reevaluating them over and over again. When agencies come to the FedRAMP website, they can focus on implementing the functionality rather than working with security teams to make sure they get through all the hoops.”
And while FedRAMP is geared toward federal agencies, there are many ways state and local governments can leverage the program. “They can go to our websites and see what vendors are authorized because a lot of them work directly with state and local governments,” Goodrich said. “They can also work with us to see how to leverage the program for their own use.”
In the next 6-12 months, Goodrich and his team will be focusing on helping both service providers and federal agencies with more resources. “We just released a playbook for agencies to understand how they can engage with their vendors and one for vendors as well,” he said.
According to Goodrich, this is also the “year of the provider,” where his team is focused on speeding up the authorization process for vendors. “Authorization used to take longer,” Goodrich said. “Now it takes 12-15 weeks to authorize providers, which is fast for how in-depth we go. We’re also looking at the oversight we do on a monthly basis to make it less of a burden for providers and more digestible on our side.”
By going to fedramp.gov and marketplace.fedramp.gov, agencies can see playbooks and all the vendors and auditors associated with FedRAMP and start making the most of security essentials in today’s digital age.