As federal agencies elevate the experience on their .GOV sites, the security and integrity of their digital platforms remain paramount. As a technology provider to the federal sector, Acquia's greatest priority is meeting the security and compliance demands of our clients. In the United States, the gold standard for government cloud security is FedRAMP, the set of standards and rules required of any cloud service provider that wants to offer cloud products and services to a federal agency.
Acquia has been a FedRAMP Compliant Cloud Service Provider (CSP) for more than a year, receiving our first Authority To Operate (ATO) from the U.S. Department of the Treasury in April 2016. Since then we've also received an Authority to Operate from the Social Security Administration, and now most recently, as we're proud to report today, from the U.S. Department of Transportation.
For Acquia, FedRAMP has enabled these incredibly supportive customers to move to the cloud, adopt open source technology, and leverage our Drupal-tuned platform-as-a-service capabilities with confidence.
The federal government spends hundreds of millions of dollars a year securing its IT systems; FedRAMP provides assurance to agencies that the appropriate security and risk management practices are in place for their cloud properties. Maintaining FedRAMP compliance requires our security team to demonstrate, on an ongoing basis, that every required control is implemented and operating as intended.
FedRAMP: What is it?
As cloud solutions have proliferated, finding a way to secure the use of cloud-based IT systems has proven challenging. Historically, the government's risk management practices were inconsistent, time consuming, and expensive: each agency assessed the same cloud service on its own. FedRAMP was created to establish standards and efficiencies for cloud security practices.
FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP was brought to life by close collaboration amongst cloud experts from both private industry and the following government organizations:
- General Services Administration (GSA)
- National Institute of Standards and Technology (NIST)
- Department of Homeland Security (DHS)
- Department of Defense (DOD)
- National Security Agency (NSA)
- Office of Management and Budget (OMB)
- Federal Chief Information Officer (CIO) Council
It was created to accelerate the adoption of secure cloud solutions, provide a baseline set of standards for cloud product approval, increase confidence in the security of cloud solutions, ensure consistent application of existing security practices, and increase automation and near real-time data for continuous monitoring.
How did we secure an ATO?
To secure an ATO, Acquia had to meet the robust and detailed set of FedRAMP security controls, which are drawn from the NIST SP 800-53 Revision 4 control catalog. Our team was put through a rigorous audit by an independent Third Party Assessment Organization (3PAO) and an approval process before getting a FedRAMP Authorization. The process included three steps:
- Security Assessment
- Leveraging and Authorization
- Ongoing Assessment and Authorization
These FedRAMP processes are designed to help agencies meet the Federal Information Security Management Act of 2002 (FISMA) requirements for cloud systems, and address the specific challenges that cloud systems face when trying to become FISMA compliant. An agency that begins this process with a FedRAMP compliant platform can inherit the security controls the platform has already implemented and had assessed, rather than re-implementing and re-assessing them, which aids the agency in securing its own ATO.
If you’re curious to learn more about the process, the FedRAMP website offers a more in-depth look at how the FedRAMP authorization process works.
So what does this mean for you?
FedRAMP offers a number of benefits to federal, state, and local government agencies and the applications they run. First and foremost, it offers significant cost and time savings, and provides a uniform, risk-based approach to security management. It improves real-time security visibility, and enhances transparency between the government and CSPs.
Every federal government application requires an ATO, but some platforms, like the Acquia Platform, can make the process much faster and more affordable. If your organization deploys your application in an on-premises data center, then you'll require an ATO covering the infrastructure, platform, and application. If you've deployed your application on AWS, which is also FedRAMP authorized, the inherited controls only cover the IaaS level (physical, hypervisor, and network infrastructure), so your organization is still responsible for implementing and assessing the platform-level controls (operating system, middleware, patching, logging) as well as the application-level ones. With the Acquia Platform, however, FedRAMP controls are in place up to the PaaS level, so your organization is only responsible for assessment at the application level. In every case the application owner's system security plan must still document which controls are inherited from the provider and which remain the customer's responsibility; inheriting a control does not remove it from the plan.
Acquia customers are able to leverage a best-in-class platform that is compliant with Federal security standards out-of-the-box. As explained above, your Certification and Accreditation (C&A) efforts, now usually called Assessment and Authorization (A&A), will require significantly less time and cost compared with trying to accredit an on-premises solution, or even a system built directly on a FedRAMP-authorized IaaS. You get a safe and secure cloud platform to power your organization.
Overall, with FedRAMP in place, your organization benefits from the improved trustworthiness, reliability, consistency, and quality of the Federal security authorization process.
Looking for more detailed information on the FedRAMP authorization process? Their Guide to Understanding FedRAMP is an exhaustive resource.