The cloud service ecosystem for FedRAMP authorization has been growing year over year, as has the demand for the reuse of cloud products across agencies. To facilitate cloud product adoption across different agencies without compromising security and usability, FedRAMP provides a quick process to help reuse these services.
One of the foundational pieces of information that a cloud provider needs to know when preparing for their FedRAMP Authorization is the required Impact Level. These levels aren’t generic labels applied by agencies to highlight the importance of their data–they are clearly-defined categories laid out by the National Institute of Standards and Technology (NIST) to… Read More
Providers looking into StateRAMP authentication standards may find themselves staring into a stack of requirements documents across multiple security frameworks and government contexts. Not only is this unhelpful for these providers, but it also makes the process sound much more intimidating than it needs to be. In this article, we’ll take a high-level view of… Read More
FedRAMP Authorization is a complicated undertaking due in no small part to the layers of requirements that cloud offerings must meet throughout the process. As part of the government’s turn to more comprehensive security, FedRAMP requirements include significant risk management standards that all providers must meet.
There are two clear paths through FedRAMP Authorization–the agency path and the much less-common Joint Authorization Board (JAB) path. While much more rigorous, this second course opens up several critical doors for cloud offerings that provide real and significant value to various federal agencies. However, the JAB path is exclusive and requires that cloud service… Read More
Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and one that most cloud providers will engage with. However, there are several use cases where a provider may seek more rigorous assessment to better open doors to serve with agencies across… Read More
As cloud service providers pursue their FedRAMP authorization process, they face a significant choice stemming from their ultimate goals in the federal space. This decision is based on how they are pursuing their working relationships with federal agencies and how well the provider is prepared for the rigorous FedRAMP assessment process. When a provider enters… Read More
Ongoing maintenance and upkeep are a cornerstone of all cybersecurity regulations and frameworks. And for a good reason. The rapidly changing threat landscape that businesses and government agencies face daily necessitates an ever-vigilant approach to cybersecurity. Vulnerability scanning is an important part of compliance and security across almost every data-driven industry. Here, we’re discussing what StateRAMP… Read More
There is no substitute for a competent and impartial auditor in terms of compliance, security, and correct operations. Organizations that can assess and certify technologies and organizations are essential for ensuring accountability and standards of excellence in place, applying to systems that store sensitive data. To modify a common saying, “who watches the auditors?” That’s… Read More
StateRAMP takes several of its requirements from FedRAMP, and perhaps one of the most important requirements is continuous monitoring. Continuous monitoring ensures that systems that earned StateRAMP Authorization remain in compliance year after year, avoiding gaps in security and protecting the interest of state and local governments.
StateRAMP is now nearly two years old, and the small project is quickly becoming a mainstay in the security industry. State and local governments are looking for a solid cybersecurity framework that they can use to vet and certify cloud providers that they may work with. In this article, we’ll talk about the basics of… Read More
The federal government leans more heavily on technology providers, including cloud computing platforms that support data storage, processing, and office application solutions. Accordingly, the question of data security is live, and the government’s response is to implement the FedRAMP authorization requirement. Like many other government programs, FedRAMP can threaten to bury the under prepared provider… Read More
Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are. However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email… Read More
Any organization in the healthcare industry knows that cybersecurity is a critical component of doing business. So much so, in fact, that any enterprise handling protected health information (PHI) must implement and maintain strict cybersecurity and privacy controls to protect patient data from unauthorized disclosure. However, understanding that HIPAA is a requirement for operation doesn’t… Read More
Most organizations have at least heard of SOC reports. Published and administered by the American Institute of Certified Professional Accountants (AICPA), the SOC umbrella of attestations helps organizations demonstrate adherence to best practices around data privacy, cybersecurity, risk assessment and financial reporting. Since SOC requirements come directly from the AICPA, the organization releases documents pertaining… Read More
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
The complexity of healthcare service demands robust technical infrastructure. Advances in patient treatment, research, diagnostic tools and even predictive analytics and AI have pushed technologies available to healthcare providers, which means that these organizations turn to expert providers to give them new tools and features to revolutionize their patient care models. This increased reliance on… Read More
The Payment Card Industry Data Security Standard is a voluntary security framework to help protect customers and merchants against the theft of credit card data during POS transactions. Like many other compliance frameworks, PCI DSS has continually evolved over the years to match new technologies and new threats to the privacy of consumers shopping online… Read More
Any IT or cloud provider working with the government needs to show that they are secured against data breach or theft. As the SolarWinds hack has demonstrated, our interconnected technology systems are under attack from outside entities who want to gain access to critical civil, military, and industrial data and undermine our security. That’s why… Read More
The Department of Defense has made a significant push to improve the security of its cyberinfrastructure and supply chain (known as the Defense Industrial Base), and the result of this push is the Cybersecurity Maturity model Certification (CMMC) initiative. This framework uses existing security guidelines to provide an overview of necessary security requirements for federal… Read More
StateRAMP, like any other compliance framework, includes several reports to document a provider’s progress through certification for the Program Management Office (PMO). As of February 2021, however, the PMO is still spinning up its resources and and StateRAMP reports templates. As such, many required report templates are slated for availability on the StateRAMP website but… Read More