You Don’t Simply DO FedRAMP, You LIVE FedRAMP
The Federal Risk and Authorization Management Program, or FedRAMP, as it’s commonly known, elicits respect from organizations, but as with anything involving security, it can also make some organizations nervous.
It helps to look at FedRAMP as a lifestyle choice – while it requires a significant investment, it gives cloud service providers (CSPs) a stronger security model, as it touches a lot of what a company does for a living.
Today, Duo Security entered into the FedRAMP certification process with sponsorship from the U.S. Department of Energy (DOE). FedRAMP is currently reviewing for authorization our cloud-based Duo Access solution, which enables federal agencies to replace or augment traditional security card authentication methods with Duo’s push-based two-factor authentication (2FA) technology. Duo is now listed as “In Process” in the FedRAMP Marketplace.
It’s important to go through the onboarding process with an understanding that FedRAMP is an ongoing “program” and not simply a “certification” to be achieved and to move on. Some CSPs are not as versed in the long history of NIST 800-53 controls morphing into FISMA, and now FedRAMP. They will tend to treat FedRAMP more as a certification than a program. Remember, the move the cloud is risky in the eyes of some (most?) federal agencies, but they need to do it and they need to do it quickly.
The move to “cloud first” and now “cloud smart” has only accelerated in the last couple of years even though it was laid out by the Office of Management and Budget (OMB) way back in 2011 (seems a lifetime ago). The predominance and proliferation of mobile as the endpoint and the constant drumbeat of attackers (state-run and hacktivists) have not only raised our risk awareness, but they’ve also necessitated the need to move faster, and to be more agile. Move faster and smarter to the cloud. Move faster to mobile. Move faster to mitigate the non-stop barrage of risks. To just move faster. FedRAMP helps agencies do this without compromising security along the way. On the contrary, it helps CSPs and their agency customers “bake in” the security architecture. And we all know “baked in” is better than “bolted on.”
Will we reach a time and level of awareness where all of these security controls are automated and we as CSPs can just run a report and get an onboarding (and yearly) assessment? Will we find ways to make this process quicker while still maintaining an acceptable risk profile/posture? I certainly believe so. In the meantime, FedRAMP is an important process for us to mitigate and identify risk, and an important process for agencies to participate in as they accelerate their inevitable move to “cloud first.” That’s why we’re excited about Duo’s “In Process” status as we help federal agencies adopt a cloud-first model and address the need for strong authentication to secure and protect critical data.