The Federal Risk and Authorization Management Program (FedRAMP®) authorization has, for years, been seen as an arduous undertaking only for companies that want to do business with government agencies and their contractors. However, with growing cybersecurity risks, coupled with tightening data privacy regulations across industries, FedRAMP’s fundamental security requirements are becoming best practices for all organizations handling sensitive data.
Devo is excited to announce that we have recently become FedRAMP authorized! Why is this so important and what does it mean for companies looking for cloud security solutions? In this post, we sit down with Devo’s CISO, Kayla Williams, to explore the core principles of FedRAMP authorization, what’s required to obtain authorization, and how the designation can provide value to companies both within and outside the public sector.
Explain the process companies go through to achieve FedRAMP.
Williams: There are two approaches for a Cloud Service Offering (CSO) to become FedRAMP authorized – through an individual agency or the Joint Authorization Board (JAB). In the Agency Authorization path, government agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. At Devo, we chose the Agency Authorization process because it is a quicker path to achieving authorization.
Under a JAB, a company receives a provisional ATO (P-ATO), and each agency that chooses to do business with that company then has to essentially grant its own ATO off of the P-ATO, while with an Agency Authorization, the sponsoring government agency assumes the risk of granting the authorization.
Why are there different levels of FedRAMP authorization?
Williams: There are three authorization levels for FedRAMP: Low, Moderate, and High. Devo has achieved a Moderate Authorization. CSPs and their offerings are scrutinized across three security objectives:
- Confidentiality: Information access and disclosure includes means for protecting personal privacy and proprietary information.
- Integrity: Stored information is sufficiently guarded against modification or destruction.
- Availability: Ensuring timely and reliable access to information.
The above is also referred to as the C-I-A triad in information security industry vernacular, with different controls required at each level of authorization.
What advice would you give to others who are or will be achieving FedRAMP?
Williams: Before embarking on a FedRAMP authorization journey, ensure there is enough buy-in at the executive level. There is a lot of work and a high level of effort that is required to be completed in order to achieve and then continue to maintain authorization. Additionally, understanding the market and sales potential can help to justify the work (and sometimes expense).
Not only does a FedRAMP authorization allow an organization to do business with the US Government, but it is also an attractive avenue for more regulated industries, such as financial services or healthcare, opening up additional revenue streams. Investing in the stronger security posture that is achieved through the FedRAMP authorization process demonstrates to the commercial market space that security is top of mind for your organization.
This can make your organization’s FedRAMP authorized product offering an attractive option for customers in other regulated industries, such as pharmaceuticals, financial services, or education.
In an era where cyber threats are prevalent and always evolving, organizations of all types need reliable partners who can safeguard their digital assets. FedRAMP authorization provides the assurance that companies possess the expertise and capabilities required to mitigate risks effectively. Whether it’s financial institutions, healthcare providers, or small businesses, the value of choosing a FedRAMP authorized Cloud Service Provider lies in its ability to protect vital information and contribute to a safer and more secure digital landscape for everyone. Learn more about Devo’s commitment to public sector security.