FedRAMP – Let’s agree we want it secure!
Everyone wants to claim they have a secure solution. Vendor after vendor recognizes that security is important, but actually, there are very few who truly understand it and do something about it. All too often a software vendor, trying to get "out there" quickly, will set up their own cloud infrastructure, load their software, and say, "We’re Secure!"
What do we mean by "secure"?
When someone asks me about security, I cringe. It is such a vast topic, to summarize it in just one word makes me shiver. The word "Security" can mean:
- Authentication: Who can get in
- Authorization: What a person can do once in
- Access: Who can physically get to the servers
- Encryption: Who can see the data, if they can get to it
- Program: Who wrote it? Are there back doors, etc?
- And more (ugh… that’s enough)
Process and Controls for Cloud solutions
Let’s take a look at the Federal Government’s process and controls for Cloud solutions – a review of the requirements they have set forth. After all, if the Federal Government didn’t get it right, we’re all in trouble! (For the record, I believe they did!) In 2002, the United States legislation passed the Federal Information Security Management Act (FISMA) in an attempt to standardize security controls. FISMA defined a comprehensive framework to protect government information, operations and assets against natural or man-made threats. The legislation assigns responsibility to individual agencies to secure their data and their systems. The National Institute of Standards and Technology (NIST) outlined required elements to ensure compliance. For an agency to be FISMA-compliant, it means they adhere to these 9 steps:
- Select baseline controls
- Refine controls against risk assessments
- Document the controls
- Implement the controls
- Assess the effectiveness of the controls
- Determine agency-level risks
- Authorize the system to operate
- Monitor the systems
The Federal Government’s Cloud First policy, demanding the consideration of "light" technologies to increase efficiencies and curb costs, greatly increased the prevalence of cloud computing. As a result, the need to implement a practice around applying processes and controls became imperative.
Established in 2012, FedRAMP is the government-wide Federal Risk and Authorization Management Program that provides standards for security assessment, authorization, and continuous monitoring for cloud products and services. Together with the Cloud First policy, the program has helped accelerate the adoption of cloud solutions by increasing confidence in cloud security – taking full advantage of cloud computing and all its benefits. So, the Cloud First policy, together with FedRAMP security standards, has paved the way for Government agencies to leverage myriad solutions which, if needed to be brought in house, would never have existed. This has led to the Digital Government transformation that we are now seeing. A move towards a Digital Government (cloud services, etc.) means a move away from paper. Think of all the forms and documents (even in electronic format) that are necessary to do business. The Army Recruiting process alone uses 105 forms that require 52 signatures to sign up a single recruit! Digitizing operations means weaning off paper – and that poses a challenge: how does someone sign a document if not on paper? Enter Electronic Signatures. In prior blogs I’ve talked about how adding e-signatures is a smart and easy way to fully digitized your processes ("The Mouse is Mightier Than the Sword") so I’ll spare you the repeat. However, it’s important to realize that any vendor not offering a FedRAMP compliant solution, in my humble opinion, shows a lack of concern about helping government agencies move forward in this digital era. Agencies working towards providing a higher level of service to citizens, ease of access to government processes and transparency in doing business, demand a solution that meets adequate government security standards. Government agencies that want to leverage an e-signature solution in the cloud must select a vendor that is FedRAMP compliant. So, if you want to verify a company’s commitment to the government (and I mean ANY government – Federal, State or Local), ask if they are FedRAMP compliant. Their response will tell you all need to know. Learn more about using eSignLive in a FedRAMP compliant cloud. Read the full press announcement.