Partnering with FedRAMP to Build a Strong Defense in the Cybersecurity Wars
Cybersecurity is always at the forefront of any government leader’s mind. The Russian attack on SolarWinds software products in December reminded everyone of why it’s important to inspect their supply chain management policies. But even lower-profile attacks can have a significant reach when it comes to disrupting service and exposing user data.
A March attack on Microsoft Exchange email servers by Chinese-sponsored hacker group Hafnium that impacted 30,000 organizations in the United States (and hundreds of thousands globally) was just the latest sign that the future for cybersecurity will be full of battles aimed at day-to-day technology.
When it comes to government communications and the related community engagement processes, agencies realize that they are significant targets for hacking attempts both directly and through the tools they use in their day-to-day operations. Governments around the world, for example, are learning the hard way to be on guard against ransomware attacks on government service websites in the era of Bitcoin.
That’s why Granicus has done more than place cybersecurity as a priority. We’ve taken the steps to make that commitment a reality in our products.
Striving for the Highest Security Compliance
Granicus’ Federal Risk and Authorization Management Program (FedRAMP) authorization is proof of that dedication. The govDelivery Communications Cloud platform earned that authorization after a review and approval process conducted by FedRAMP’s Joint Authorization Board (JAB), which is widely recognized as the most demanding path to FedRAMP compliance.
The JAB, essentially, is made up of the CIOs of the Department of Defense, Government Services Agency, and Department of Homeland Security. Their authorization means that these three agencies have signed off on the trustworthiness of govDelivery, already used by hundreds of federal organizations including FEMA, the Department of Defense, and Health and Human Services, as trusted software for all federal agencies. With Granicus’ “always-on” support, dedicated service teams stand ready to detect and remediate any potential security threat.
FedRAMP authorization isn’t a “one-time only” deal, either. All FedRAMP-authorized services are required to use a third-party scanning system that looks for the latest threats and tests responses multiple times each month. This requirement ensures that an organization’s cloud security posture is flexible enough to quickly detect and adapt to better protect against a future attack. For example, a service might pass a scan one week but fail the test the following week as new threat vectors emerge.
FedRAMP is based on the NIST SP 800-53 standard controls, which are also becoming the accepted standard at the state level (StateRAMP.org) and even around the world. UK security standards are also based on the NIST framework.
In the end, FedRAMP is all about compliance, and Granicus meets a standard set of security controls. But security overall is not just about compliance. Granicus also takes a risk-based approach, clearly mapping ways to reduce the risk of the 10 most likely types of attacks. That allows our security experts to move from a reactive threat response to a proactive one.
What Does Secure Communications Look Like?
The backbone of any good software or service never sacrifices security for the sake of convenience. In achieving its FedRAMP security authorization, the govDelivery Communications Cloud continually reflects FedRAMP security guidelines such as complex password management, IP restrictions, and multi-factor authentication. CIOs can trust encryption that uses FIPS 140-2 validated encryption modules for all connections, whether data is in motion or at rest. Thorough reporting, advanced SIEM tools, and monitoring of administrative activity provide the ongoing measures that keep subscriber data protected.
Additional enhanced security impacts of this dedication to protection include:
- Strengthening administrator controls
Requiring organization administrators to change their password at a more secure interval, and enforcing complex password management that complies with FedRAMP requirements, helps keep access to the system tightly controlled.
- Shielding against unauthorized account access
By activating multi-factor authentication by means of SMS, voice, or a PIV card tied to OMB MAX, administrators have new ways to make sure that only authorized accounts are accessing the system. Limiting account access to IP addresses on a trusted list defined by the agency adds another layer of protection, as does the option of temporarily locking out users after a predetermined number of failed login attempts.
- Monitoring security levels with thorough reporting
The ability to identify login attempts and lockouts across an agency’s account can help identify trends and possible attacks. An administrator activity section with a breakdown of login attempts or lockouts by administrator, together with a view of login attempts made from IP addresses outside the trusted list, gives even more insight into potential problems.
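As an added illustration of the kind of review this reporting supports (example code written for this page, not Granicus or govDelivery code; the audit-log format, the trusted address range, and the lockout threshold are all assumed), the script below counts failed logins per administrator, flags accounts that reached the lockout threshold, and lists every attempt from an IP address outside the trusted list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample audit lines; the field layout is assumed, not a real product format.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z admin=alice ip=10.1.2.3 result=FAIL
2024-03-01T09:00:05Z admin=alice ip=10.1.2.3 result=FAIL
2024-03-01T09:00:09Z admin=alice ip=10.1.2.3 result=FAIL
2024-03-01T09:00:12Z admin=alice ip=10.1.2.3 result=FAIL
2024-03-01T09:00:15Z admin=alice ip=10.1.2.3 result=FAIL
2024-03-01T09:05:00Z admin=bob ip=10.1.2.8 result=OK
2024-03-01T09:07:30Z admin=bob ip=203.0.113.7 result=OK
2024-03-01T09:08:00Z admin=carol ip=198.51.100.2 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin=(?P<admin>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def login_report(text, trusted_cidrs, lockout_threshold=5):
    """Summarise failures per admin, admins at or over the lockout threshold,
    and any attempt (successful or not) from outside the trusted IP list."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    failures = Counter()
    untrusted = []
    for ev in parse_events(text):
        if ev["result"] == "FAIL":
            failures[ev["admin"]] += 1
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in trusted):
            untrusted.append((ev["admin"], ev["ip"], ev["result"]))
    locked = sorted(a for a, n in failures.items() if n >= lockout_threshold)
    return {"failures": dict(failures), "locked_out": locked, "untrusted": untrusted}


if __name__ == "__main__":
    print(login_report(SAMPLE_LOG, ["10.1.2.0/24"]))
```

A successful login from an untrusted address (bob from 203.0.113.7 in the sample) is the case worth reviewing first, since a lockout alone would never surface it.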
An Ongoing Relationship of Security
Whether it be FedRAMP or future cybersecurity standards, Granicus will continually strive to maintain its role as a trusted leader in providing a digitally secure platform of solutions. The Information Security team at Granicus provides regular network scans to the FedRAMP Joint Authorization Board and has regular exchanges with it to maintain and ensure compliance.
This ongoing relationship is a partnership between company and agency, both dedicated to a common goal of keeping government data secure. It’s a reflection of Granicus’ commitment to making tools that not only make digital government easier to achieve, but safer to create as well.
Find out more about how the govDelivery Communications Cloud provides a secure solution to county, state, and federal governments.