Webinar:
First Line of Defense: Menlo Secure Enterprise Browser
Icon Rounded Closed - BRIX Templates

Six reasons why FedRAMP® matters to more than just the Feds

Matt Shamshoian
|
January 28, 2023
linkedin logotwitter/x logofacebook logoSocial share icon via eMail

The U.S. federal government holds some of the most sensitive data on the planet, and that data needs airtight security. That’s why the federal government requires that the cloud providers it works with meet the most stringent security standards. But the need for such strict adherence to security requirements has left federal agencies lagging behind the private sector as more organizations continue to move their resources and applications to the cloud.

Enter FedRAMP®. Well aware of the need to balance security requirements with the implementation of new technology, the federal government introduced FedRAMP in 2011 to accelerate federal agencies’ adoption of secure cloud solutions. The program provides a standardized approach to security assessment and authorization for cloud service provider (CSP) solutions, ensuring that cloud offerings are secure enough to be used by federal agencies handling sensitive information and data. FedRAMP allows CSPs to provide their services to federal agencies without going through lengthy and expensive individual certifications for each new federal agency they work with, streamlining the process and eliminating redundancies.

“FedRAMP helps government organizations determine very quickly whether or not a cloud capability is something they want to use from a security point of view,” said David Mihelcic, former CTO of the Defense Information Systems Agency (DISA).

Though FedRAMP was created to accelerate the federal government’s adoption of cloud services, the certification also brings value to those outside of the public sector. For commercial organizations looking to work with a CSP, FedRAMP is a game changer.

Authorized organizations…

Meet the highest security standards

FedRAMP Authorization allows organizations to work with the federal government, the most security-conscious organization there is. For federal agencies such as the Department of Defense and the Department of Homeland Security, keeping the federal government’s data secure is quite literally a matter of national security.

“Your product has to be hardened to the government’s security standards,” said Darrin Curtis, vice president of public sector at Menlo Security. “There are no second chances when it comes to protecting federal agencies.”

If your product is secure enough for the federal government, chances are it’s secure enough for other industries, too. Any organization can make whatever claims they want about their product, but the FedRAMP certification proves that a CSP’s security architecture meets the government’s rigorous requirements.

Stand out from the competition

With only 264 organizations listed as FedRAMP Authorized on the FedRAMP Marketplace, becoming FedRAMP Authorized puts an organization in an exclusive club. And that’s for good reason, as gaining Authorized status usually requires sponsorship from a federal agency, and they aren’t keen to invest time and money into sponsoring an organization that won’t provide them with a good return on their investment.

“You have to have a government organization recognize the extreme value you bring to the table,” said Mihelcic. “They have to see enough value to make an investment to sponsor your organization.”

Easily meet state and local requirements

FedRAMP requirements don’t just apply to the federal government — they apply to state and local government agencies and institutions of higher education, too. Ten states require CSPs that work with state and local agencies to meet StateRAMP requirements — essentially FedRAMP for states — and other states are looking to StateRAMP as a guide. CSPs that are FedRAMP Authorized don’t have to go through another lengthy compliance process — they can simply apply to the StateRAMP board with their FedRAMP materials and expect to be approved within a month.

Even foreign governments such as Japan and Australia look to FedRAMP as a benchmark, though they have their own compliance requirements, according to Curtis. Knowing that a product is built to the specifications of the largest regulated industry in the world — the U.S. federal government — should give organizations in highly regulated industries with sensitive data, like critical infrastructure, healthcare, and banking, confidence in a product’s security.

Are continuously tested

FedRAMP Authorization isn’t a one and done. Maintaining FedRAMP Authorized status requires continuous monitoring, including annual audits and a monthly report to FedRAMP’s Program Management Office (PMO) to ensure compliance.

If at any point in time an organization’s risk level rises or fails to meet FedRAMP requirements, FedRAMP Authorized status can be revoked. That’s how FedRAMP Authorized status guarantees not only that an organization met strict security requirements at one point in time, but that they still meet those requirements.

Recently revamped their products

Most organizations didn’t set out to create their product with FedRAMP requirements in mind, and it’s not likely that their product will meet all of the requirements right off the bat. That means organizations will have to put significant time, effort, and resources into redesigning parts of their product to meet FedRAMP requirements, like encrypting data and having code written in the U.S.

For example, Menlo Security had to devote significant resources to testing and hardening parts of their Cloud Security Platform powered by an Isolation Core™ to ensure that it met FedRAMP requirements, according to Curtis. This gave Menlo the chance to reevaluate certain parts of their product and rebuild them with clean code — a rare opportunity for most organizations, which tend to look forward rather than backward.

Are collaborative and well aligned

Becoming FedRAMP Authorized is a significant undertaking — one that requires collaboration across a range of teams and buy off from the board of directors, executives, and other stakeholders. As a part of their FedRAMP Authorization process, Menlo formed a team specifically to work on FedRAMP, hired an expert, and prioritized FedRAMP product building over other new products.

“This is a huge effort. You have to have the whole company behind it,” said Curtis. “They have to be willing to make the investment and put in the work to get certified.” That type of investment — of money, time, and man-hours — shows that FedRAMP Authorized organizations are ready to put their money where their mouth is when it comes to security. Not only does it show they are willing to make the investment, but that they can coordinate well enough to execute on that investment.

FedRAMP is more than just a list of particular requirements CSPs need to check off to work with the federal government. It’s a substantive marker of continuous security at the highest level, and organizations had better take note when evaluating which CSPs to work with.

Blog Category