FedRAMP Certification: What Is It, Why It Matters, and Who Has It
https://ift.tt/36bjoST

Hacked celebrity camera rolls. State-based cyberespionage. And everything in between. Data security has a huge range of applications. And it’s a major concern for everyone who uses or supplies cloud-based services.

When government data is involved, those concerns can reach the level of national security. That’s why the U.S. government requires all cloud services used by federal agencies to meet a meticulous set of security standards known as FedRAMP.

So just what is FedRAMP, and what does it entail? You’re in the right place to find out.

What is FedRAMP?

FedRAMP stands for the “Federal Risk and Authorization Management Program.” It standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies. The goal is to make sure federal data is consistently protected at a high level in the cloud.

Getting FedRAMP authorization is serious business. The level of security required is mandated by law. There are 14 applicable laws and regulations, along with 19 standards and guidance documents. It’s one of the most rigorous software-as-a-service certifications in the world.

Here’s a quick introduction: FedRAMP has been around since 2012. That’s when cloud technologies really began to replace outdated tethered software solutions. It was born from the U.S. government’s “Cloud First” strategy. That strategy required agencies to look at cloud-based solutions as a first choice.

Before FedRAMP, cloud service providers had to prepare an authorization package for each agency they wanted to work with. The requirements were not consistent. And there was a lot of duplicate effort for both providers and agencies.

FedRAMP introduced consistency and streamlined the process. Now, evaluations and requirements are standardized.
Multiple government agencies can reuse the provider’s FedRAMP authorization security package.

Initial FedRAMP uptake was slow. Only 20 cloud service offerings were authorized in the first four years. But the pace has really picked up since 2018, and there are now 204 FedRAMP authorized cloud products.

Source: FedRAMP

FedRAMP is controlled by a Joint Authorization Board (JAB). The board is made up of representatives from:
The program is endorsed by the U.S. government Federal Chief Information Officers Council.

Why is FedRAMP certification important?

All cloud services holding federal data require FedRAMP authorization. So, if you want to work with the federal government, FedRAMP authorization is an important part of your security plan.

FedRAMP is important because it ensures consistency in the security of the government’s cloud services—and because it ensures consistency in evaluating and monitoring that security. It provides one set of standards for all government agencies and all cloud providers.

Cloud service providers that are FedRAMP authorized are listed in the FedRAMP Marketplace. This marketplace is the first place government agencies look when they want to source a new cloud-based solution. It’s much easier and faster for an agency to use a product that’s already authorized than to start the authorization process with a new vendor.

So, a listing in the FedRAMP marketplace makes you much more likely to get additional business from government agencies. But it can also improve your profile in the private sector.

That’s because the FedRAMP marketplace is visible to the public. Any private sector company can scroll through the list of FedRAMP authorized solutions. It’s a great resource when they’re looking to source a secure cloud product or service.

FedRAMP authorization can make any client more confident about the security protocols. It represents an ongoing commitment to meeting the highest security standards.

FedRAMP authorization significantly boosts your security credibility beyond the FedRAMP Marketplace, too. You can share your authorization on social media and on your website.

The truth is that most of your clients probably don’t know what FedRAMP is. They don’t care whether you’re authorized or not. But for those large clients who do understand FedRAMP – in both the public and private sectors – lack of authorization may be a deal-breaker.
What does it take to be FedRAMP certified?

There are two different ways to become FedRAMP authorized.

1. Joint Authorization Board (JAB) Provisional Authority to Operate

In this process, the JAB issues a provisional authorization. That lets agencies know the risk has been reviewed. It’s an important first approval. But any agency that wants to use the service still has to issue their own Authority to Operate.

This process is best suited for cloud services providers with high or moderate risk. (We’ll dive into risk levels in the next section.)

[Figure: visual overview of the JAB process. Source: FedRAMP]

2. Agency Authority to Operate

In this process, the cloud services provider establishes a relationship with a specific federal agency. That agency is involved throughout the process. If the process is successful, the agency issues an Authority to Operate letter.
Source: FedRAMP

Steps to FedRAMP authorization

No matter which type of authorization you pursue, FedRAMP authorization involves four main steps:
FedRAMP authorization best practices

The process of achieving FedRAMP authorization can be tough. But it’s in the best interest of everyone involved for cloud service providers to succeed once they start the authorization process.

To help, FedRAMP interviewed several small businesses and start-ups about lessons learned during authorization. Here are their seven best tips for successfully navigating the authorization process:
FedRAMP offers templates to help cloud service providers prepare for FedRAMP compliance.

What are the categories of FedRAMP compliance?

FedRAMP offers four impact levels for services with different kinds of risk. They’re based on the potential impacts of a security breach in three different areas.
The first three impact levels are based on Federal Information Processing Standard (FIPS) 199 from the National Institute of Standards and Technology (NIST). The fourth is based on NIST Special Publication 800-37. The impact levels are:
This last category was added in 2017 to make it easier for agencies to approve “low-risk use cases.” To qualify for FedRAMP Tailored, the provider must answer yes to six questions. These are posted on the FedRAMP Tailored policy page:
Keep in mind that achieving FedRAMP compliance is not a one-off task. Remember the Monitoring stage of FedRAMP authorization? That means you’ll need to submit regular security audits to ensure you stay FedRAMP compliant.

Examples of FedRAMP certified products

There are many types of FedRAMP authorized products and services. Here are a few examples from cloud service providers you know and may already use yourself.

Amazon Web Services

There are two AWS listings in the FedRAMP Marketplace. AWS GovCloud is authorized at the High level. AWS US East/West is authorized at the Moderate level.
AWS GovCloud has a whopping 292 authorizations. AWS US East/West has 250 authorizations. That’s far more than any other listing in the FedRAMP Marketplace.

Adobe Analytics

Adobe Analytics was authorized in 2019. It is used by the Centers for Disease Control and Prevention and the Department of Health and Human Services. It’s authorized at the LI-SaaS level.

Adobe actually has several products authorized at the LI-SaaS level. (Like Adobe Campaign and Adobe Document Cloud.) They also have a couple of products authorized at the Moderate level:
Adobe is currently in the process of moving from FedRAMP Tailored authorization to FedRAMP Moderate authorization for Adobe Sign.
Remember that it’s the service, not the service provider, that gets authorization. Like Adobe, you might have to pursue multiple authorizations if you offer more than one cloud-based solution.

Slack

Authorized in May of this year, Slack has 21 FedRAMP authorizations. The product is authorized at the Moderate level. It’s used by agencies including:
Slack originally received FedRAMP Tailored authorization. Then, they pursued Moderate authorization by partnering with the Department of Veterans Affairs.

Slack makes sure to call attention to the security benefits of this authorization for private sector clients on its website:

“This latest authorization translates to a more secure experience for Slack customers, including private-sector businesses that don’t require a FedRAMP-authorized environment. All customers using Slack’s commercial offerings can benefit from the heightened security measures required to achieve FedRAMP certification.”

Trello Enterprise Cloud

Trello was just granted LI-SaaS authorization in September. Trello is so far used only by the General Services Administration. But the company is looking to change that, as seen in their social posts about their new FedRAMP status:
Zendesk

Also authorized in May, Zendesk is used by:
The Zendesk Customer Support and Help Desk Platform has LI-SaaS authorization.
The post FedRAMP Certification: What Is It, Why It Matters, and Who Has It appeared first on Social Media Marketing & Management Dashboard. Social Media via Social Media Marketing & Management Dashboard https://ift.tt/1LdunxE November 5, 2020 at 01:32PM