As federal agencies elevate the experience on their .GOV sites, the security and integrity of their digital platforms remain paramount. As a technology provider to the federal sector, Acquia’s greatest priority is meeting the security and compliance demands of our clients. In the United States, the gold standard for government site security is FedRAMP, the set of standards and rules required for any vendor that wants to provide products and services to a federal agency.
Acquia has been a FedRAMP Compliant Cloud Service Provider (CSP) for more than a year, receiving our first Authority to Operate (ATO) from the U.S. Department of Treasury in April 2016. Since then we’ve also received an Authority to Operate from the Social Security Administration, and now most recently, as we’re proud to report today, from the U.S. Department of Transportation.
For Acquia, FedRAMP has enabled these incredibly supportive customers to move to the cloud, adopt open source technology, and leverage our Drupal-tuned platform-as-a-service capabilities with confidence.
The federal government spends hundreds of millions of dollars a year securing the use of IT systems; FedRAMP provides assurance to agencies that the appropriate security and risk management practices are in place for their cloud properties. FedRAMP compliance requires our security team to ensure that we meet each of the required parameters.
FedRAMP: What is it?
With the rise in adoption and proliferation of cloud solutions, finding a way to secure the use of cloud-based IT systems has proven challenging. Historically, the government’s risk management practices were inconsistent, time-consuming, and expensive. FedRAMP was created to establish standards and efficiencies for cloud security practices.
FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP was brought to life by close collaboration amongst cloud experts from both private industry and the following government organizations:
- General Services Administration (GSA)
- National Institute of Standards and Technology (NIST)
- Department of Homeland Security (DHS)
- Department of Defense (DOD)
- National Security Agency (NSA)
- Office of Management and Budget (OMB)
- Federal Chief Information Officer (CIO) Council
It was created to accelerate the adoption of secure cloud solutions, provide a baseline set of standards for cloud product approval, increase confidence in the security of cloud solutions, ensure consistent application of existing security practices, and increase the automation of near real-time data for continuous monitoring.
How did we secure an ATO?
To secure an ATO, Acquia had to meet the robust and detailed set of FedRAMP security controls that are outlined within the NIST 800-53 Revision 4 standard. Our team was put through a rigorous, independent third-party audit and approval process before getting a FedRAMP Authorization. The process included three steps:
- Security Assessment
- Leveraging and Authorization
- Ongoing Assessment and Authorization