Vice President for StateRAMP Solutions, Carahsoft: StateRAMP: Recognizing the Importance of Framework Harmonization

StateRAMP builds on the National Institute of Standards and Technology (NIST) Special Publication 800-53 standard, which underpins FedRAMP’s approach to cloud security for Federal agencies by offering a consistent framework for security assessment, authorization and continuous monitoring. Recognizing the need for a similar framework at the State and Local levels, StateRAMP has been developed to tailor these Federal standards to the unique needs of State and Local Governments.  

Key to StateRAMP’s initiative is the focus on framework harmonization, which aligns State and Local regulations with broader Federal and industry standards. This harmonization includes efforts like FedRAMP/TX-RAMP reciprocity and the CJIS task force, making compliance more streamlined. By mapping more compliance frameworks to one another, StateRAMP helps Government agencies and industry players leverage existing work, avoid redundancy and facilitate smoother procurement of secure technologies. Carahsoft supports this mission by partnering with StateRAMP Authorized vendors and engaging in initiatives that promote these harmonization efforts, such as the StateRAMP Cyber Summit and Federal News Networks’ StateRAMP Exchange.  

Developing Framework Harmonization 

CSPs often operate across multiple sectors and industries, each regulated by distinct frameworks such as FedRAMP, CJIS, IRS Publication 1075, PCI DSS, FISMA and HIPAA. Managing compliance across multiple frameworks can lead to redundant processes, inefficiencies and complexity. These challenges have emphasized the need for framework harmonization—aligning various cybersecurity frameworks to create a more cohesive and streamlined process.  


With the FedRAMP transition to the NIST SP 800-53 Rev. 5 requirements in 2023, StateRAMP began working towards harmonization with FedRAMP across all impact levels. Through the StateRAMP Fast Track Program, CSPs pursuing FedRAMP authorization can leverage the same compliance documentation, including Plans of Action and Milestones (POA&M), System Security Plans (SSP), the security controls matrix and Third Party Assessment Organization (3PAO) audits, to achieve StateRAMP authorization.  

Reciprocity between StateRAMP and TX-RAMP has been established to streamline cybersecurity compliance for CSPs working with Texas state agencies, higher education institutions and public community colleges. CSPs that achieve a StateRAMP Ready or Authorized status are eligible to attain TX-RAMP certification at the same impact level through an established process. Additionally, StateRAMP’s Progressing Security Snapshot Program offers a pathway to provisional TX-RAMP certification, enabling CSPs to engage with Texas agencies while working towards StateRAMP compliance. Once CSPs have enrolled in the Snapshot Program or have engaged with a 3PAO to conduct an audit, they are added to the Progressing Product List, a public directory of products and their cybersecurity maturity status. This reciprocity eases the burden of navigating multiple compliance frameworks and certifications.  

Harmonized frameworks enable CSPs to align with the cybersecurity objectives of various organizations while simultaneously addressing a broader range of threats and vulnerabilities, improving overall security. StateRAMP’s focus is to align requirements across the Federal, State, Local and Educational sectors to reduce the cost of development and deployment through a unified set of standards. To ensure the Public and Private Sectors work in alignment, StateRAMP members have access to the same guidance, tools and resources necessary for implementing a harmonized framework. This initiative will streamline the compliance process through a unified approach to cybersecurity that ensures adherence to industry and regulatory requirements. 

The Future of StateRAMP  

StateRAMP has rolled out an overlay to its Moderate Impact Level baseline that maps to Criminal Justice Information Services (CJIS) Security Policy. This overlay is designed to strengthen cloud security in the law enforcement sector, helping assess a product’s potential for CJIS compliance in safeguarding critical information.  

At the 2024 StateRAMP Cyber Summit, Deputy Information Security Officer Jeffrey Campbell from the FBI CJIS addressed the challenges state and local entities face when adopting cloud technologies. He explained that while state constituents frequently asked if they could use FedRAMP for cloud initiatives, the answer was often complicated because FedRAMP alone does not fully meet CJIS requirements. “You can use vendors vetted through FedRAMP, that is going to get you maybe 80% of these requirements. There’s still 20% you’re going to have to do on your own,” Campbell noted. He emphasized that, through framework harmonization, StateRAMP can bridge this compliance gap, offering states a viable solution to achieve several parallel security standards.  

Another initiative is the NASPO/StateRAMP Task Force, which was formed to unite procurement officials, cybersecurity experts, Government officials and industry experts together with IT professionals. The task force aims to produce tools and resources for procurement officials nationwide to make the StateRAMP adoption process more streamlined and consistent. 

Though still relatively new, StateRAMP is gaining traction, with 28 participating states as of October 2024. As cyberattacks become more sophisticated, cybersecurity compliance has become a larger point of emphasis at every level of Government to protect sensitive data. StateRAMP is working to bring all stakeholders together to drive toward a common understanding and acceptance of a standardized security standard. StateRAMP’s proactive steps to embrace framework harmonization are helping CSPs and State and Local Governments move towards a more secure digital future. 

To learn more about the advantages the StateRAMP program offers State Governments and technology suppliers watch the Federal News Network’s StateRAMP Exchange, presented by Carahsoft.  

To learn more about framework harmonization and gain valuable insights into other topics, such as cloud security, risk management and procurement best practices, watch the StateRAMP Cyber Summit, presented by Carahsoft. 

FedRAMP Roadmap 2024-25: Modernization Strategy and its Impact on the Program

Carahsoft represents a wide range of FedRAMP offerings and supports many emerging SaaS ISVs as they create Government mission focused solutions. Our Government customers have leveraged thousands of reuse authorizations across the hundreds of FedRAMP authorized cloud services that Carahsoft sells and supports. With such a substantial record of reuses, FedRAMP could be considered the most cost-effective, time-efficient, and security enhancing program in the history of Government IT.


We are excited by the new FedRAMP roadmap, released by GSA on March 28, 2024. This roadmap introduces strategic initiatives designed to modernize the program. FedRAMP allows agencies to leverage previously completed work and reuse cloud authorizations, offering significant time and cost savings for government and industry alike.

Building on the OMB FedRAMP Draft memo released in October 2023, the FedRAMP Roadmap underscores GSA’s commitment to make the program faster and less expensive for Federal Agencies and Cloud Service Providers (CSPs). This blog post aims to analyze the roadmap’s key initiatives and outline its primary objectives. FedRAMP lays out four clear goals to drive the program forward:

  1. Orienting around the customer experience
  2. Cybersecurity leadership
  3. Scaling a trusted marketplace
  4. Smarter, technology-forward operations

Accelerating FedRAMP Authorization and Deployment

Several initiatives introduced by the PMO are designed to significantly speed up the authorization process for CSPs and enable agencies to deploy advanced technology more rapidly:

  1. Reciprocity with External Frameworks: Starting with Low-impact SaaS, the roadmap outlines a plan to enhance interoperability across different frameworks. This allows CSPs to reuse previously completed work, reducing the time to achieve FedRAMP authorization.
  2. Low-review Authorization Model: In partnership with DISA, the roadmap pilots a model where trusted agencies undergo a less extensive review process. This approach aims to make the authorization process faster and more efficient for agencies with mature review processes.
  3. Joint Authorization Groups: The FedRAMP PMO, OMB, and the FedRAMP Board are establishing joint authorization groups to promote a unified approach to risk management. This collaboration is expected to reduce the overall risk profile and workload, thereby increasing the chances for a CSP to secure agency sponsorship.
  4. Digital Authorization Packages: The PMO plans to pilot machine-readable packages using OSCAL. These digital packages are designed to speed up the review process by eliminating many of the manual tasks currently required of PMO staff.

These steps are part of a broader effort to make FedRAMP more agile and responsive to the needs of both CSPs and government agencies, ensuring quicker access to secure and industry-leading cloud solutions.

Maintaining a Cutting-Edge Program

Other initiatives laid out in FedRAMP’s 2024-25 roadmap address an effort to continuously update and enhance the program:

  1. SCR Overhaul: Replacing the extensive Significant Change Request (SCR) process with a more agile change management system. This adjustment allows for quicker delivery of security updates, better aligning FedRAMP with the rapid iteration cycles typical of commercial tech products. By allowing CSPs to implement iterative product updates, FedRAMP is not only improving its own operational efficiency but also enhancing the security posture of cloud services used throughout the federal government.
  2. Updated Guidance: Refreshing guidelines in critical security areas, including FIPS 140, DNSSEC, and external service integrations. These updates ensure that the program keeps pace with the latest developments in cybersecurity.
  3. New Metrics: To better meet the evolving needs of agencies and CSPs, FedRAMP is introducing new, customer-oriented key performance metrics.

Through these initiatives, FedRAMP is not just maintaining its standards but also enhancing its adaptability, ensuring it continues to set the standard in government cloud security.  

Timeline

Looking Forward

The roadmap marks a clear commitment to modernization. The PMO is confident that this strategic overhaul will alleviate the current review backlog, streamline processes, and optimize service delivery. As we look towards a transformative period for FedRAMP, Carahsoft remains committed to supporting our partners through these changes. Together, we anticipate a future where Government cloud technology is not only secure and compliant but also at the cutting edge of innovation.

To learn more about Carahsoft’s partner marketplace for FedRAMP certified cloud solutions visit our FedRAMP portfolio and speak to a member of our team today.  

Join us for GovForward’s 6th Annual ATO and Cloud Security Summit on Thursday, July 11, 2024 from 8:00 am-4:45 pm in Waldorf Astoria, Washington D.C. Learn more about the event here.

Revitalizing FedRAMP: Navigating the Shift to a Modernized Cloud Security Framework

The Federal Risk and Authorization Management Program (FedRAMP) was created over a decade ago to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services used by Federal agencies. Embracing the dynamic advancements in cloud technology, FedRAMP has recognized the importance of modernizing to keep pace with the rapid developments in the cloud landscape. The Office of Management and Budget (OMB) released a draft memorandum in October 2023 that outlined a comprehensive FedRAMP framework, emphasizing adaptability, automation and cooperation to address evolving cloud service requirements. 

An Opportunity for Modernization 

As technology continues to evolve, so do the advancement opportunities in the realm of cloud security for Federal agencies. With the expansion of cloud offerings and the increasing demand for cloud-based services, FedRAMP is undergoing a significant overhaul to meet the changing landscape. The new OMB FedRAMP guidance will replace the original guidance published in 2011, a year in which the cloud security climate looked drastically different and less complex than today. Changes to address the evolving threat landscape include tools for enterprise collaboration, product development and improving an enterprise’s own cybersecurity. With more than 300 services already authorized in the FedRAMP Marketplace, FedRAMP recognizes the need to add more solutions so that agencies have all the capabilities required to deliver on their missions.[1]

OMB aims to address these challenges by establishing a plan to scale the program, bolster security reviews of cloud solutions and accelerate Federal adoption. Drew Myklegard, the Deputy Federal CIO, said during CyberTalks, a gathering of the most influential leaders in cybersecurity and digital privacy, “There’s a lot of room in the FedRAMP process with friction and [manual] steps that are causing too long of times from when people identify a product that they need until they can employ it.” [2] 

The New FedRAMP Guidance 

Automation and Continuous Monitoring (ConMon) stand at the forefront of FedRAMP modernization, as the memo underscores the significance of automation and the use of machine-readable formats for authorization and ConMon artifacts. The new guidance will create a system for automating security assessments and reviews, as well as expand on the initiative to obtain FedRAMP security artifacts solely through automated, machine-readable processes. The General Services Administration (GSA) also plans to update ConMon processes within 180 days and to exclusively accept machine-readable artifacts within 18 months.  

By automating security assessments and reviews, FedRAMP is looking to streamline the authorization process, reduce the time and cost of compliance, and improve the accuracy and consistency of security assessments. An added benefit is that automation will help identify and mitigate security risks more quickly and effectively, improving the overall security posture of cloud-based services used by the Federal Government.  

The key changes proposed in the new guidance will: 

  • Reaffirm the presumption of adequacy established in the FedRAMP Authorization Act. This provision establishes that once a CSO achieves FedRAMP Authorization, Federal agencies must presume the offering has adequate security measures for a streamlined reauthorization.  
  • Recognize the transformation of the cloud marketplace and the need for FedRAMP to adjust its processes, originally tailored to a limited number of Infrastructure as a Service (IaaS) solutions, to now accommodate a vast and growing amount of Software as a Service (SaaS) solutions. 
  • Introduce a fast-track authorization program for agencies that have demonstrated mature authorization processes and frequently provide the PMO with high-quality authorization packages. 
  • Propose new authorization types: Joint-Agency and Program authorizations. The Joint Authorization Board (JAB) authorization option is evolving, with all existing JAB authorizations automatically transitioning to Joint-Agency authorizations upon the memorandum’s issuance. Joint-Agency authorizations can pool the resources of any Federal agency to review an authorization package, expanding beyond the DoD, DHS and GSA to include all relevant agencies. 
  • Define the roles and responsibilities of the newly established FedRAMP Board. The FedRAMP Authorization Act empowered OMB to assume a more active and leading role in FedRAMP, and this memo serves as a notable illustration of that increased involvement. 
  • Establish a preliminary “pilot” authorization category allowing agencies to test new cloud services for up to twelve months. This authorization pathway would provide agencies and CSPs with an expedited route to market, accelerating the availability of CSOs. 
  • Streamline authorizations for products that leverage FedRAMP-authorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) solutions and for products which have obtained external security frameworks that evaluate relevant risks.  
  • Establish the Technical Advisory Group (TAG) to act as an independent source of Federal Government employees for best practices to enhance the efficiency of FedRAMP’s operations.  

Benefits for Federal Agencies 

By scaling the program, more cloud service providers will be able to obtain FedRAMP authorization, increasing the availability of authorized cloud services for Federal agencies to use. This will enable agencies to more easily and quickly adopt cloud-based services that meet their specific needs. 

Through enhanced security reviews of cloud service offerings, Federal agencies can gain increased confidence that the cloud services they utilize adhere to rigorous security standards, thereby improving the overall security posture of Federal agencies and reducing the risk of data breaches. 

Streamlining the authorization process and offering a broader range of authorized cloud services can help Federal agencies alleviate the costs and administrative burden linked to duplicative security assessments. Overall, agencies will be able to more efficiently and effectively leverage cloud-based services to support their mission and better serve their citizens.  

The Future of FedRAMP 

Stakeholders are optimistic the new OMB guidance will pave a future for the program that will be more comprehensive, efficient and tailored to the current security environment. As more commercial providers become incentivized to pursue FedRAMP authorization, Federal agencies will have more options when it comes to cloud, and technology vendors will be more suited to achieve FedRAMP authorization success. 

To explore more in-depth insights into the OMB Memo view the Carahsoft Guide to Modernizing the Federal Risk Authorization Management Program (FedRAMP). To learn more about Carahsoft’s partner marketplace for FedRAMP certified cloud solutions visit our FedRAMP portfolio and speak to a member of our team today.  

 

Resources: 

[1] “Office of Management and Budget Releases Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP).” The White House, https://www.whitehouse.gov/omb/briefing-room/2023/10/27/office-of-management-and-budget-releases-draft-memorandum-for-modernizing-the-federal-risk-and-authorization-management-program-fedramp/. 

[2] “OMB extends comment period for new FedRAMP guidance.” FedScoop, https://fedscoop.com/omb-extends-comment-period-for-new-fedramp-guidance/ 

Why AppExchange Use Offers Agencies Untapped Opportunity

In our first Insider’s Guide, we’re pulling back the curtain on the world’s largest cloud app marketplace, the Salesforce AppExchange, to offer a look at what it is, how it works and how it can provide value to agencies in extending their investment in the Salesforce platform. With the government’s increased focus on improving service delivery — particularly public-facing services per the presidential administration executive order on customer service — taking advantage of possible software-as-a-service integrations with the Salesforce customer relationship management platform makes logical sense. Download the guide to learn how AppExchange helps organizations increase productivity, eliminate risk and save time.

 

Nintex DocGen for Document Creation, Automation and Management

“A great example would be voter registration cards. Every year, you need to update it. We make it really easy to go out and maintain it with our solution and not have to go into code to make updates. It becomes easy to create, easy to maintain going forward and not having to spend budget on development cycles or development resources to build these solutions. The alternative is to write and maintain custom Apex code, which requires an advanced skill set and takes more time. This is a faster way to develop it and an easier way to maintain it.”

Read more insights from Steve Witt, Director of Public Sector at Nintex.

 

FormAssembly for Secure Online Forms

“Specifically, we’re the most secure and compliant platform in the entire marketplace. That is how we go to market, that’s what we pride ourselves on: being good stewards of our data, being thought leaders in that space. Government organizations should use us because, doubling down on the security and compliancy, we’re tailored for highly sensitive data. We’re built for that. We hold the distinction of being the only FedRAMP-ready platform on the marketplace in this category. We also hold SOC 2, ISO 27001, PCI DSS and GDPR compliance. And really, what that means for our customers and partners is that we’re experts in this space, and that will mitigate any risk in collecting data for your organization, whether it’s here in the United States or abroad.”

Read more insights from Paul Lazatin, Director of Partnerships at FormAssembly.

 

WalkMe for No-Code Digital Adoption

“What makes us unique is that we have the ability to overlay on any enterprise application in the tech stack, commercial off-the-shelf (COTS), government off-the-shelf (GOTS) or custom-built. By doing so, we’re able to create better user experiences, drive employee productivity and monitor digital adoption on any enterprise application that’s being deployed out to the federal government, whether those applications are internal to employees or externally facing for taxpayers and constituents.”

Read more insights from Carl Wright, Director of Public Sector of Federal Sales at WalkMe.

 

Odaseva for Enterprise Data Protection

“Many federal and state organizations have questions that need answers when it comes to managing their Salesforce data. How do Salesforce users archive data that is no longer needed? How do they comply with regulations such as those from the National Institute of Standards and Technology or in the California Consumer Privacy Act? That’s why we at Odaseva consider the data management lifecycle. Odaseva helps organizations comply with the strictest data regulations and guard against data failure — all with precise control on a field-tested platform to scale with ease. And we deliver this with the strongest data security features that exceed the requirements of even the most complex, highly regulated businesses in the world.”

Read more insights from Matt Carstensen, Senior Solutions Engineer at Odaseva.

 

Conga Apps for Contract and Workflow Management

“Conga offers a flexible platform and set of solutions built natively on top of Salesforce that address a broad set of needs for federal, state and local government entities. Our products include Composer, the number one downloaded application on Salesforce’s AppExchange. Conga Composer allows public sector customers to automate document generation to get work done faster and easier in Salesforce. Users can create documents with dynamic data from Salesforce in the correct template, then send it, store it and trigger the next business process. Conga Sign is a modern and highly secure e-signature solution. We now offer a FedRAMP-certified version of our e-signature solution, which is getting quite a bit of attention.”

Read more insights from Eric Daggett, Vice President of Sales for Public Sector at Conga.

 

Download the full Insider’s Guide for more insights from these AppExchange leaders and additional interviews, research and infographics.

 

Innovative Government Procurement: Tech Companies’ Solution to Faster IT Acquisition

As technology changes, innovation is necessary to update systems in a timely manner so the government can keep pace with the greater technological environment. To accomplish this and improve the defense of the nation, private sector solutions need to be sold to federal agencies swiftly and effectively. Currently, the commercial industry moves substantially faster than the government due to the federal procurement process time.

Procurement, which is the method of acquiring products to improve or complete an agency’s mission, should be combined with innovation to provide efficient service and optimized technology delivery to the public sector. Through communication and collaboration, the federal government and the private sector can take advantage of resources to spur innovation and time to deployment.

Accelerating Government Procurement

Government procurement can be lengthy, as it involves handling prime contractors, working through the budgeting process and navigating rapid technology and resource changes. In light of this, many tech companies are unsure of how to deal with the government.

Having recognized this hesitancy, the Department of Defense (DoD) has worked collaboratively to make its contracts more attractive and easier to access. As a result, 75% of the tech companies that the Air Force now conducts business with had never previously contracted with the DoD. Innovation and collaboration can minimize procurement delays and clearly enhance private and public sector cooperation.

Innovation 1: Understanding Procurement Resources & Communicating Early

One crucial element to driving process improvement and increased understanding is for the public and private sector to discuss market needs, tech solutions and contract availability before the acquisition stage. While these conversations are currently underutilized and often viewed with apprehension, they fall safely within the ethics code and can have a major impact on the overall success of a contract. Through these conversations, both industry and government parties can ensure alignment between obtainment strategies and mission goals.

For example, an acquisition innovation lab assists with innovative acquisition techniques and develops best practices, providing tech companies with a safe space to engage with government procurement officials. By researching and understanding the current needs, budget allocations and available resources, tech companies can offer government procurement officers a simple path forward. Since government employees have limited time to sort through the various new resources, presenting all the elements and coming to the table with a clear understanding expedites the process. Working with system integrators also helps government employees acquire the necessary products for their missions.

The Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs support small businesses in reaching commercialization within Federal Research and Development (R&D). As awards-based programs, SBIR and STTR incentivize the development and procurement process to stimulate tech innovations. These programs provide an avenue for companies to bring their products to a public sector market and connect with government needs. By qualifying for an SBIR or STTR award, companies meet the competition requirement and have a sole source award, providing an easier path to acquiring contracts.

Innovation 2: Presenting Proactively

Tech companies have the ability to proactively contact government market research teams to discuss their tech capabilities and how they match a mission need. Through an intentional targeting approach, the private sector can reach its desired audience much faster than contacting mass groups of government stakeholders to whom the specific technology might not be relevant.

Contacting the correct stakeholder based on an understanding of their problem, and providing a clear presentation of how the technology will solve that issue, removes significant wait times and deliberation. Tech companies can seek out cohorts who will walk them through best practices and how to engage with the government correctly. Procurement professionals, such as those at the Procurement Innovation Lab, are a major storehouse of information and can also advise companies on how to target program offices.

To help government agencies appreciate the value of emerging technologies, private sector companies should promote how their tech products solve the agency’s specific mission needs. To have a convincing presentation, technology companies must recognize what makes their product unique, and market it based on what gives it a competitive advantage within the industry.

Innovation 3: Implementing Preliminary Steps Before Starting the Process

The government has also instituted additional requirements for solutions that are deployed within its environments. Providers must assure compliance with supply chain security, cyber hygiene, cybersecurity, maturity modeling and Federal Risk and Authorization Management Program (FedRAMP) mandates, among others. For example, being FedRAMP-authorized is a baseline requirement that opens many procurement doors for companies that run Software as a Service (SaaS) in a cloud-based environment. Each tech company should research FedRAMP requirements to determine if they need authorization to sell to the government and then weigh the opportunity against the cost of going through the certification process. Tech companies that proceed with obtaining the authorization should view the FedRAMP process as a marketing cost, because without the authorization, the procurement conversation may never be initiated. Having the authorization in hand before approaching bidding allows tech companies, especially those selling SaaS, a better opportunity to be considered and not immediately disqualified. Procurement experts also recommend that tech companies selling software contemplate preemptively obtaining an Authority to Operate (ATO), which is an additional security authorization that would further aid with a smooth procurement process.

Tech companies must evaluate where to invest their time and resources before completely engaging to maximize progress and efficiency, which also includes focusing on agencies and procurement officials who are ready to innovate in their procurement. These preliminary steps can save hours of frustration and prevent the private sector from chasing dead-end opportunities.


Delivering With Purpose

When tech companies engage in conversation, collaboration, proactive research and targeted marketing, they can effectively reduce the processing time for acquiring and deploying commercial products in the federal market. Tech companies must leverage their market intelligence to help government agencies understand the resources available to them to enable more innovative procurement. In doing so, both the public and private sector can benefit from the improved procurement process which supports tech modernization and enables critical missions.

To learn more about how to get involved in the Government procurement process and hear innovative ideas from a panel of thought leaders, watch the webinar here.

Federal News Network Expert Edition: FedRAMP

 

When the Office of Management and Budget first conceived the Federal Risk and Authorization Management Program (FedRAMP) back in 2010 and launched it in 2011, the concept was supposed to make it easier for agencies to move to secure cloud instances. Unfortunately for agencies and vendors alike, turning that proposal into reality has been more difficult than imagined. At the same time, the FedRAMP program management office saw and heard—sometimes quite loudly—the calls to simplify its processes without losing any security rigor. That’s why FedRAMP issued a white paper in February asking for feedback on the threat-scoring methodology, with the goal of ensuring consistency and rigor while continually reducing the burden of FedRAMP. Brian Conrad, the acting director of FedRAMP, said the latest set of initiatives strive to continually improve the government-wide program. Hear from leaders at FedRAMP, CISA, NIST, GSA, DoD and DHS on how changes such as automation and simplification are likely to impact the cloud security program in the latest Federal News Network Expert Edition report.


For Digital Communications, Cloud Meets Agency Needs for Security, Scalability

“Much has been made of the government’s pivot to a mostly telework environment last year, especially with regards to how to enable government employees to maintain their mission and collaborate effectively. But less attention has been paid to the equally important subject of how agencies interact with their constituents, across agencies and out to businesses and consumers. The journey to providing digital services has been happening for years, but much like telework, the COVID pandemic acted as an accelerator to these efforts. Agencies have multiple ways of communicating with their constituents, each with their own specific requirements. For example, agencies that publish information for public consumption need to be able to host this information on their websites, and it has to be available to and consumable from a myriad of devices to suit the needs of the public. Likewise for email newsletters, where people can sign up to hear the latest information an agency has to offer. But those are one-way communication channels, agency to public. Communication also has to move the other way, to allow constituents to get in touch with agencies.”

Read more insights from Adobe’s Vice President and Public Sector CTO, John Landwehr.


How Government can Innovate at the Speed of the Private Sector

“Governments have unique security needs for a reason. No other entity has such diverse, unique missions or collects such a huge volume of data – such as scientific, medical, tax, Social Security, defense and classified intelligence. But the idea that these security needs can prevent government agencies from innovating at the speed of the private sector is a myth. Think for a moment about all of the varied ways that data collected by federal agencies can be used. Take a very simple example: GPS location data. While most people think of that data in terms of being able to use their smartphone to find the best path from point A to point B, governments may use it for a variety of missions. But Salesforce has also used that data to develop maps that allow agencies to track the locations of wildfires and the deployment of first responders, helping those agencies protect lives and prevent property damage.”

Read more insights from Salesforce’s Principal Solutions Engineer, Matt Goodrich.


Social Media is Increasingly Important to Federal Agencies. Here’s How They Can Do it Right.

“The COVID-19 pandemic forced massive changes in the way the government does business. In the beginning, all efforts were focused on enabling a primarily telework environment for federal employees, and securing that environment from outside threats. But after a year, those changes are spreading into other areas of business, forcing federal agencies to continue to adapt. Not least among those new challenges is the way agencies communicate with their constituents. Many traditional brick and mortar locations are closed, shutting off that avenue for citizens to contact their government. In response, federal agencies are turning to digital communication methods to fill the gap. Websites and portals are one way citizens can find information published by agencies or access services. But the average American now spends two hours a day on social media, and federal agencies have to go where their citizens are. That means developing a strategy for communications, including new workflows and measures to ensure their security.”

Read more insights from Hootsuite’s Global Principal Solutions Consultant, Ben Cathers.


Agencies Need Better Data Intelligence – FedRAMP is Giving Them the Opportunity

“One of the biggest challenges agencies have to deal with when it comes to securing their data is their budget. Even if Congress were to increase funding for cybersecurity, that budget still has to be spent in the most efficient and effective way possible. That means agencies need to know their data inside and out: what it is, where it is, and what degree of security is appropriate to ensure its integrity and confidentiality. That’s important, because bad actors are targeting the data itself. They don’t care what infrastructure or platform it’s sitting on. They just want to exploit the data. That means agencies need a governance model. ‘Agencies are using many different types of technologies and varied database sources. And they’re operating very heterogeneous environments. They need technology that allows them to connect into all of those various data sources, and identify and understand what data exists in those locations,’ said Myke Lyons, chief information security officer at Collibra, a leading Data Intelligence software vendor. ‘Government agencies should be looking at cloud-based technologies for the purposes of securing their information, understanding their information, and frankly, trusting it.’”

Read more insights from Collibra’s Chief Information Security Officer, Myke Lyons.


Okta Can Be the Zero Trust Broker for Cloud Services

“When most people think about IT modernization, what they’re really thinking about is adopting cloud services. That’s true both for the innovation side of things and on the security side. The National Security Agency and other agencies heavily involved in cybersecurity recommend going to zero trust for modernizing identity and access management, and using cloud services to do so. That’s especially important in today’s environment, where workforces have been operating at maximum telework for almost a year. Most agencies’ network boundaries are no longer in their office buildings where they have total control, but are now in people’s homes. ‘A good friend of mine talked about this in the beginning of the lockdown. He basically said my agency went from 100 branch offices to 10,000 branch offices,’ said Sean Frazier, federal chief information security officer at Okta. ‘That’s exactly the mindset you have to take, which is now all of a sudden, I’m managing endpoints further out than I thought I was managing it. And zero trust is really the perfect security architecture for that use case.’”

Read more insights from Okta’s Federal Chief Security Officer, Sean Frazier.


Download the full Federal News Network Expert Edition report for more insights on the future of FedRAMP from Carahsoft’s technology partners and leaders at FedRAMP, CISA, NIST, GSA, DoD and DHS.

A New Option for Agencies and Providers: StateRAMP


FedRAMP, a program that standardizes the federal government’s approach to security and risk assessment across cloud technologies, has been a success for both government agencies and technology providers. A team of state executives saw the need for a FedRAMP-style option for state and local governments to verify cybersecurity and manage third-party risk. In 2020, they created StateRAMP (State Risk and Authorization Management Program) so the “verify once, use many” approach can benefit state and local governments.

StateRAMP, which is not affiliated with FedRAMP, is an independent not-for-profit organization providing an efficient and cost-effective solution for verifying the cybersecurity of cloud service providers for state and local governments. The organization’s goal is to create a framework for continuous improvement in cybersecurity for governments, providers, and the constituents they serve.

While StateRAMP’s Marketplace is modeled after FedRAMP, StateRAMP’s mission is education. StateRAMP will provide proactive education, sample policies, resources, and templates for its members. The goal with this documentation is to provide clear guidance with a focus on intent and purpose.

The StateRAMP Process

State and local governments will have the option of adopting a cyber policy that requires independent verification, via StateRAMP, of their vendors’ cyber posture. Because states have already adopted cybersecurity frameworks based on National Institute of Standards and Technology (NIST) guidance, NIST controls are also the basis for the StateRAMP verification requirements.

Providers who wish to do business with such a state or local government would need to engage a third-party assessment organization (3PAO) for the required assessments. Any FedRAMP 3PAO is eligible to become a StateRAMP 3PAO, letting StateRAMP leverage the assessor marketplace that already exists. FedRAMP 3PAOs are accredited by the American Association for Laboratory Accreditation (A2LA) and know how to assess NIST controls.

The 3PAO conducts the readiness or security assessment and submits the resulting security package to StateRAMP, whose program management office (PMO) reviews the package and verifies security status. StateRAMP is also responsible for continuous monitoring and for keeping the StateRAMP Marketplace up to date.

StateRAMP Marketplace

StateRAMP’s Marketplace is a public website (stateramp.org) that will include information about the service provider’s products, including impact level, provider type, and security status.

StateRAMP is organized as a membership organization. Providers that wish to list products on the StateRAMP Marketplace must join as a subscriber member for an annual fee; government agencies can join for free. In addition to listing products, subscriber members are eligible for education, templates, and resources provided by StateRAMP.

Security Impact Levels

Once a provider has decided to list a product on the StateRAMP Marketplace, it will need to identify the product’s impact level. The higher the impact level, the more sensitive or critical the data or system. For comparison, FedRAMP has three levels: low, moderate, and high impact. Low is for less sensitive and generally publicly available data; high impact covers the government’s most sensitive unclassified data and systems, where a compromise could have severe or catastrophic effects.

StateRAMP also offers three security impact levels. Category one aligns with FedRAMP low. Category three aligns with FedRAMP moderate and maps to confidential data or highly critical systems.

The StateRAMP committee learned of interest in a low-plus option for systems that transmit, process, or store less-sensitive PII, such as email, or systems that store public data but may interface with a more sensitive system. In these cases the state may wish to require a low-plus option, which is what led to the concept of category two. It includes the controls and sub-controls of low impact with select additional controls.

Provider Path and Minimum Mandatory Requirements

There are three milestone statuses: Ready, Authorized, and Provisional. Ready does not require a government sponsor, but Authorized and Provisional do. The Ready status is attained by meeting the minimum mandatory requirements, demonstrated by a readiness assessment report conducted by a 3PAO. A provider that is StateRAMP Ready has shown that its product meets the minimum requirements and is well positioned to meet the full authorization requirements.

Authorized indicates the product meets all required NIST controls by impact level and the provider has completed the necessary documentation, including a 3PAO security assessment report. To be Authorized, both the StateRAMP PMO and the sponsoring government must agree that the product meets the requirements.

If a provider meets the minimum requirements and most, but not all, critical controls, a sponsoring government might list their status as Provisional while the provider works towards becoming Authorized. State and local governments perceived a need to give providers an on-ramp to attain a listing of Ready or Authorized.


If you would like to learn more about StateRAMP, join their briefing on Friday, April 30th.

Improving the User Experience by Integrating Security


What is happening now, in 2021, is forcing government agencies to use their IT in different ways. Tools like VPNs have had a hard time scaling to the amount of traffic being generated when employees are suddenly working from home. It pushes security controls in different directions—onto people’s identities and the endpoints—the machines they use. The most effective security focuses on the security of identities and endpoints and uses that to make access decisions—rather than the user’s physical location or network.

Adopting Technologies More Efficiently

The current environment also means that agencies need the capacity to adopt technologies more quickly. Cloud service providers’ ability to inherit controls from the authorizations to operate (ATOs) already held by the cloud providers they build on is critical to FedRAMP’s success. For those inherited controls, FedRAMP only has to verify that the new provider is using the underlying service the way the authorized provider’s package describes, rather than re-assessing the controls, before granting an ATO.

By checking those boxes, new cloud service providers can quickly take a large set of controls off their plate and focus on what they do best. Inheriting those controls lets providers reduce their development and audit time before entering the FedRAMP marketplace, which makes government more efficient and cost effective.

Choosing the Right Security Solutions

Another factor affecting government operations is a zero-trust environment, which particularly affects companies’ developers. Zero trust forces us to examine other signals and factors when making authentication decisions: we especially check the identity of the individual and the system they are using. We ensure that the endpoints are secure, fully patched, and managed by the organization.

If they aren’t, then we might not actually want to completely deny access. Today’s workforce is highly mobile, and we must take that into account while building applications. If we limit access so tightly that nobody can use it or they need a very specific environment to use it, then our users will find different solutions.

The IT industry has often made the mistake of bolting on security, putting it in the wrong place rather than building it into the system. This can drive users away from better solutions into less secure systems. Zero trust wants to solve for that problem, offering people access to the right information at the right time and building that into our applications.

Improving the User Experience

Okta worked with the Quality Payment Program for the U.S. Digital Service and the Center for Medicare and Medicaid Services. They needed to bring together providers, patients in data registries, and the government; but each group had different needs and usage patterns. We helped them tie the three different backgrounds together to form a single authentication experience.

The users also required a consistent, compliance-driven experience because they were working with regulated healthcare data. The regulations impose various requirements, such as FIPS 140-validated multifactor authentication. They met that requirement with a secure hardware token, a soft token on the phone, or another authentication method.

The program also needed to integrate system identities. The access to more data means that we had to do that through APIs, allowing systems to share information with systems in a secure and auditable way. By managing these APIs, CMS was able to ensure that systems and users have access to that data.
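The identity-and-endpoint decision described in the two sections above, written out as an added example (this is not Okta’s code and not part of the original post): a small policy engine that turns the signals the text names into a graduated decision rather than a binary allow/deny, and that treats the FIPS 140-validated MFA requirement for regulated data as a step-up condition. The signal names, the MFA strength classes, the sensitivity labels and the rule order are assumptions for illustration; the one deliberate design point is that the requester’s network location is carried for audit but never consulted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed authenticator classes. The "fips_*" values stand in for FIPS 140-validated
# authenticators (hardware or soft token); "totp" and "push" for non-validated app MFA.
FIPS_VALIDATED_MFA = {"fips_hardware_token", "fips_soft_token"}
ANY_MFA = FIPS_VALIDATED_MFA | {"totp", "push"}


@dataclass(frozen=True)
class AccessContext:
    user_id: str
    mfa_method: Optional[str]   # None means password only
    device_managed: bool        # enrolled in the organization's device management
    device_patched: bool        # posture check passed (OS and agent current)
    data_sensitivity: str       # "public", "internal" or "regulated" (e.g. healthcare data)
    source_network: str         # recorded for audit only; never a basis for access


@dataclass(frozen=True)
class Verdict:
    decision: str               # "allow", "step_up", "restricted" or "deny"
    reason: str


def evaluate(ctx: AccessContext) -> Verdict:
    """Apply the rules in order; the first matching rule wins."""
    # 1. Identity first: no second factor means step-up before anything else.
    if ctx.mfa_method not in ANY_MFA:
        return Verdict("step_up", "multifactor authentication required")
    # 2. Regulated data needs a FIPS 140-validated authenticator. Weaker MFA
    #    triggers a step-up to a stronger factor, not an outright denial.
    if ctx.data_sensitivity == "regulated" and ctx.mfa_method not in FIPS_VALIDATED_MFA:
        return Verdict("step_up", "regulated data requires FIPS 140-validated MFA")
    # 3. Endpoint posture: regulated data only from managed, patched devices.
    if ctx.data_sensitivity == "regulated" and not (ctx.device_managed and ctx.device_patched):
        return Verdict("deny", "regulated data only from managed, patched endpoints")
    # 4. For everything else an unhealthy endpoint gets a reduced session
    #    (read-only, no downloads) instead of a denial, so a mobile workforce is
    #    not pushed toward less secure workarounds.
    if not (ctx.device_managed and ctx.device_patched):
        return Verdict("restricted", "unmanaged or unpatched endpoint: read-only session")
    return Verdict("allow", "strong identity and healthy endpoint")


# Constructed sample requests (not real users, devices or networks).
SAMPLE_REQUESTS: List[AccessContext] = [
    AccessContext("alice", "fips_hardware_token", True, True, "regulated", "home-isp"),
    AccessContext("bob", None, True, True, "public", "agency-lan"),
    AccessContext("carol", "totp", True, True, "regulated", "home-isp"),
    AccessContext("dave", "fips_soft_token", False, True, "regulated", "agency-lan"),
    AccessContext("erin", "push", True, False, "internal", "hotel-wifi"),
]


def evaluate_all(requests: List[AccessContext]) -> Dict[str, Verdict]:
    """Evaluate a batch of requests, keyed by user id."""
    return {r.user_id: evaluate(r) for r in requests}


if __name__ == "__main__":
    for user, verdict in evaluate_all(SAMPLE_REQUESTS).items():
        print(f"{user:6} {verdict.decision:10} {verdict.reason}")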

Looking into the Future

Agencies will continue to focus on the specific challenges facing employees or constituents, and will need technical solutions for them. But if your solution is not the easiest to use, your users will look for different systems. This is absolutely critical for IT professionals and security teams to understand. If we continue to bolt on security, the implications will be far reaching.

We will also see more focus on third-party and enterprise risk. FedRAMP is a risk-based program available to all agencies so they can fully understand the risk of using your application and weigh it against the risks inside their own environment. At the end of the audit, you have a list of risks and a Plan of Action and Milestones (POA&M) for remediating them. In the future, third-party risk teams will be strengthened as part of security.

Visit our website to learn more about the GovForward: Multicloud Series and FedRAMP through our additional resources.

The Advantages of a Risk-Based Approach to Security in Government

When the US government started the Federal Cloud Computing Initiative in 2009, the US Government had a perimeter-based, traditional on-prem approach to security. It was largely focused on securing hardware and meeting compliance requirements. The US Government knew its approach for cloud had to be different so they created FedRAMP. FedRAMP’s focus on securing multi-tenant cloud environments transitioned security from a hardware focused mentality to one of embracing an approach focused on data security and managed risk.

FedRAMP’s use of NIST’s Risk Management Framework has continued to expand how the government can use cloud services. When FedRAMP launched, it was predicted that only 25% of Federal IT systems would be suited for cloud computing. By using a risk-based approach to security, FedRAMP has introduced additional security guidelines to now enable more than 75% of Federal data to be suitable for cloud computing.

Benefiting from a Risk-Based Approach

The NIST Risk Management Framework allows Federal agencies to focus on a risk-based approach by focusing on data as the first element of security. In this approach, before determining any security requirements of a system, agencies must first determine the data they will be putting into a system. Then you match the security requirements to the data itself.

By starting with the data, this allows agencies to better understand the risk of that data being manipulated, seen by the wrong person, or unavailable, because ultimately that is what securing a system is meant to protect against. The security process now allows the government to look at a system holistically in how it protects against those threats, not from a component to component approach.

Defense in Depth Enables Risk Management

FedRAMP’s risk based approach uses a concept called defense in depth. This approach leverages protecting data in different ways across multiple components within a system collectively. When you focus on the system as a whole, it allows you to have more adaptable security even if certain components of a system have known weaknesses.

A simplified way of thinking of defense in depth is the swiss cheese model which is used in other industries like healthcare, aviation, and engineering. The concept is that each individual piece might have holes in it (like swiss cheese), but when you layer each piece on top of each other, you create a solid piece with no holes (imagine putting multiple pieces of swiss cheese together).

Expanding the Risk Based Approach

The Federal government, to its credit, is working to enable a risk based approach to many of its cybersecurity programs in addition to FedRAMP. DHS’s CDM program took this to heart with a phased roll out of capabilities. The Trusted Internet Connection 3.0’s trust zones approach undoes the “all or nothing” approach of previous iterations and focuses on data classifications and the type of service being used. Both programs have also focused on ensuring they are compatible with FedRAMP and the NIST Risk Management Framework.

One of the newer concepts related to risk management is Zero Trust. In short, any time data is accessed there is a check that whoever is accessing it is supposed to see it, and this happens continuously while using any system. There is zero implicit trust whenever data is accessed: trust has to be proven from component to component. How is this risk based, and how does it fit the swiss cheese model? Instead of allowing access to an entire system, you create segmentation that lets many people work within the same system, each with a different level of access to data based on their unique need. It allows security teams to match data access with risk within a single system or across interconnected systems.

Salesforce and Risk Based Security

At Salesforce, we have invested heavily in adopting FedRAMP’s risk based approach to security. We have two offerings meeting the strict FedRAMP moderate and FedRAMP high security requirements. When Federal agencies use Salesforce’s #1 CRM, agencies get to leverage the best of the risk management framework allowing them to innovate at speeds 2020 demands, scale to unprecedented levels, all while ensuring government data is secure.

Visit our website to learn more about the GovForward: Multicloud Series and FedRAMP through our additional resources.

Streamlining FedRAMP Compliance With Automation

When it comes to using cloud computing, federal agencies turn to the Federal Risk and Authorization Management Program (FedRAMP) to certify that their cloud-based solutions are secure and compliant with federal regulations. In order for their products to be used in the federal space, cloud service providers and software vendors must ensure that they are FedRAMP compliant—a notoriously in-depth process that can cost millions of dollars and take up to 24 months to complete.

The government has continued adopting cloud technology at a rapid pace, which has only expanded with the need for remote work capabilities during the pandemic. Agencies are turning to third-party solutions that don’t run on government infrastructure, and in turn, more cloud and software organizations are undertaking the FedRAMP compliance process in order to expand into the federal market.

Building and deploying a secure cloud environment is slow and costly, but it’s also ripe for automation. Cloud security and compliance automation companies are partnering up with cloud service providers to significantly reduce the time it takes to become FedRAMP compliant—in some cases, from two years to 90 days. By building the entire program on a pre-engineered security platform that automates configuration, documentation, and deployment tasks, these types of solutions automate the most complex, error-prone, and critical components of cloud-based software. This enables cloud software vendors to eliminate security and compliance barriers and dramatically accelerate time-to-market.

Taking on FedRAMP with Automation

FedRAMP compliance requirements have been in place since 2014, and while the process is complex it is also repetitive, making it a prime contender for security and compliance automation. This pre-engineered approach means that an organization’s internal teams don’t have to be FedRAMP experts and can instead focus on onboarding, training, and building out templates and security applications for the federal client. This type of purpose-built architecture—security and compliance as a platform—is designed with best practices in mind and uses proven third-party technologies to reduce the number of required add-ons.

This approach allows an organization’s applications to be seamlessly migrated into the compliance platform, which powers it through automation and ensures that crucial components like security architecture can operate seamlessly. Combining a cloud software service provider’s application with an established automation platform allows each to focus on their core competencies while remaining autonomous from each other, which is critical for security.

Tackling Compliance Challenges

FedRAMP-compliant access control and identity management is often complex, involving account management, role-based and remote access, data flow enforcement, session locking, and more. Pre-engineered and standardized technology can streamline all of these components, ensuring they are secure and compliant. Similarly, internal technical controls such as data segregation, boundary protection, encryption, Domain Name System (DNS) security and more can be addressed through an established platform geared toward FedRAMP compliance.

Such an automated platform can implement FedRAMP best practices programmatically, ensuring that the application is set up correctly from the start. From there, the cloud provider can use a library of automation tools to automate security components, documentation, DevOps, and deployment alike, taking full advantage of the platform’s capabilities to eliminate security and compliance impediments.

Streamlining Documentation and Testing

Auditing and documentation are crucial components of FedRAMP compliance and can also be conducted quickly and accurately through automation. FedRAMP’s System Security Plan (SSP) is a document full of variables that can be identified and automated. Completed SSPs can expand to 1,000 pages and are assessed closely, requiring clear, concise, consistent, and complete documentation. Conducting manual documentation increases the risks of introducing errors or other issues—even inconsistent terminology throughout the SSP can be problematic for FedRAMP compliance.
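The variable-driven SSP described above, as an added example that is not Anitian’s tooling and not code from the original page: control narratives are kept as templates and filled from one per-system variable set with strict substitution (an undefined variable is an error, never a blank or a stray placeholder), and the rendered text is linted for terminology variants that would read as inconsistency to an assessor. The control IDs, variable names, narratives and term list are all constructed for illustration.

```python
import re
from string import Template
from typing import Dict, List, Tuple

# Constructed per-system variables, defined once and reused in every narrative.
SYSTEM_VARS: Dict[str, str] = {
    "system_name": "Example Case Management Service",
    "csp": "Example Cloud Inc.",
    "mfa_mechanism": "FIPS 140-validated hardware tokens",
    "session_timeout_min": "15",
}

# Constructed control narratives. $name placeholders are filled from SYSTEM_VARS.
CONTROL_TEMPLATES: Dict[str, str] = {
    "AC-2": "$csp manages all accounts for $system_name through a central "
            "identity provider; account requests are approved by the system owner.",
    "AC-11": "$system_name locks interactive sessions after $session_timeout_min "
             "minutes of inactivity.",
    "IA-2(1)": "Privileged users of $system_name authenticate with $mfa_mechanism; "
               "non-privileged users use 2FA through the same identity provider.",
}

# Preferred term -> variants that should not appear anywhere in the package.
TERMINOLOGY: Dict[str, List[str]] = {
    "multifactor authentication": ["multi-factor authentication", "two-factor authentication", "2FA"],
    "third-party assessment organization": ["third party assessment organization", "3rd party assessor"],
}


class SspRenderError(ValueError):
    """Raised when a narrative references a variable that was never defined."""


def render_control(control_id: str, template: str, variables: Dict[str, str]) -> str:
    # Template.substitute (not safe_substitute) fails on an undefined variable,
    # so a placeholder can never leak into the assessed document as "$foo" or "".
    try:
        return Template(template).substitute(variables)
    except KeyError as missing:
        raise SspRenderError(f"{control_id}: undefined variable {missing}") from None


def lint_terminology(control_id: str, text: str) -> List[str]:
    """Flag any non-preferred variant of a defined term, case-insensitively."""
    findings = []
    for preferred, variants in TERMINOLOGY.items():
        for variant in variants:
            if re.search(r"\b" + re.escape(variant) + r"\b", text, flags=re.IGNORECASE):
                findings.append(f"{control_id}: use '{preferred}' instead of '{variant}'")
    return findings


def render_ssp(templates: Dict[str, str], variables: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Render every narrative and collect terminology findings across the set."""
    rendered, findings = {}, []
    for control_id, template in templates.items():
        text = render_control(control_id, template, variables)
        rendered[control_id] = text
        findings.extend(lint_terminology(control_id, text))
    return rendered, findings


if __name__ == "__main__":
    narratives, issues = render_ssp(CONTROL_TEMPLATES, SYSTEM_VARS)
    for control_id, text in narratives.items():
        print(f"{control_id}: {text}")
    for issue in issues:
        print("LINT:", issue)
```

Run against the constructed set, the renderer fills all three narratives and the lint reports the one place where "2FA" crept into the IA-2(1) text instead of the preferred term; a narrative that references a variable missing from the set (a boundary device name, say) stops the render with an error rather than shipping an incomplete statement to the 3PAO.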

This is also where a third-party assessment organization (3PAO) comes into play: it serves as a bridge between the government and the cloud service provider, acting as an independent, accredited assessor. 3PAOs conduct security testing on systems and report the results, along with their assessment of the strength of the application’s security, to the government.

View the full Carahsoft webinar featuring experts from AWS, Anitian, and A-LIGN to learn more about the ways third-party organizations can help cloud service providers streamline the FedRAMP process.