Acquia’s FedRAMP ATO: What Does it Mean for You?

On February 19, 2016, Acquia received an Authority To Operate (ATO) from the U.S. Department of the Treasury, and is now a FedRAMPSM Compliant Cloud Service Provider (CSP). For many individuals and organizations operating in the public sector, FedRAMP is a well-known program, but what does FedRAMP compliance really mean?

FedRAMP: What is it?

With a rise in the adoption and proliferation of cloud solutions, finding a way to secure the use of cloud-based IT systems has proven challenging. Historically, the governmental process for risk management was redundant, inconsistent, time consuming, and expensive, so there was a real need to develop a solution that would cut costs and improve efficiencies. FedRAMP became that solution, adopting the “do once, use many times” approach.

FedRAMP, the Federal Risk and Authorization Management Program, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

FedRAMP was brought to life by close collaboration amongst cloud experts from both private industry and the following government organizations:

• General Services Administration (GSA)
• National Institute of Standards and Technology (NIST)
• Department of Homeland Security (DHS)
• Department of Defense (DOD)
• National Security Agency (NSA)
• Office of Management and Budget (OMB)
• Federal Chief Information Officer (CIO) Council

It was created to bolster the cloud computing industry, by accelerating the adoption of secure cloud solutions, providing a baseline set of standards for cloud product approval, increasing confidence in the security of cloud solutions, ensuring consistent application of existing security practices, and increasing the automation of near real-time data for continuous monitoring.

How did we secure an ATO?

Acquia had to meet a highly robust and detailed set of FedRAMP security controls based on the NIST 800-53 Revision 4 standard. Our team was put through a rigorous independent third party audit and approval process before getting a FedRAMP Authorization. The audit was conducted by an accredited third party assessment organization (3PAO). The process included three steps:

1. Security Assessment
2. Leveraging and Authorization
3. Ongoing Assessment and Authorization

These FedRAMP processes are designed to help agencies meet the Federal Information Security Management Act of 2002 (FISMA) requirements for cloud systems, and address the specific challenges that cloud systems face when trying to become FISMA compliant. An agency that begins this process with a FedRAMP compliant platform has already put certain security measures in place that will aide them in securing their own ATO.

If you’re curious to learn more about the process, the FedRAMP website offers a more in-depth look at how the FedRAMP authorization process works.

So what does this mean for you?

FedRAMP offers a number of benefits to federal, state, and local government agencies, as well as other governmental applications. First and foremost, it offers a significant cost and time savings, and provides a uniform approach to risk-based management. It improves real-time security visibility, and enhances transparency between the government and CSPs.

Every government application requires an ATO, but some platforms -- like the Acquia Platform -- can make the process much faster and more affordable. If your organization deploys your application in an on-premise data center, then you’ll require an ATO for the infrastructure, platform, and (3) application. If you’ve deployed your application with AWS, which is also FedRAMP compliant, the controls are only in place through the IaaS level, so your organization is still responsible for platform and application certification. With the Acquia Platform, however, FedRAMP controls are in place up to the PaaS level, so your organization is only responsible for certification at the application level.

Acquia customers are able to leverage a best-in-class Digital Platform that is compliant with Federal security standards out-of-the-box. As explained above, your Certification and Accreditation (C&A) efforts will require significantly less time and cost compared with trying to accredit an on-premise solution, or even a system built on a FedRAMP-compliant IaaS. You get a safe and secure cloud platform to power your organization.

Overall, with FedRAMP in place, your organization experiences improved the trustworthiness, reliability, consistency, and quality of the Federal security authorization process.

Looking for more detailed information on the FedRAMP authorization process? Their Guide to Understanding FedRAMP is a fantastic and exhaustive resource.