It’s a dark and dangerous world out there for your precious business data, and you need to be as careful selecting a Cloud Service Provider (CSP) as you would in hiring a nanny for your children. When searching for the right nanny, each will assert she is the best choice because she will care for and protect your children; CSPs make similar assertions about your data. CSPs of all types are primary targets for hackers. With the frequency and severity of cyber-attacks increasing, you need to be genuinely confident in the ability of your chosen CSP to protect your data. But how can you distinguish among the myriad of CSPs competing for your business as to their security capabilities? Don’t they all make similar sounding claims?
The answer is yes; they all make very similar sounding claims. To make the vendor selection process even more challenging, there are very limited ways to independently validate their assertions. Unfortunately, many CSPs advertise compliance with standards for which no audit is required (such as EU Safe Harbor) or self-certify to standards which map to other standards without any independent, third party audit validation. While there are a number of independent compliance standards CSPs can attest to through third party audits (such as the AICPA SOC II, PCI DSS, ISO/IEC 27000, and HIPAA/HITRUST CSF), none feature the same level of complexity, depth, rigor, and attestation requirements as the FedRamp standard. FedRAMP is one of the most vigorous security compliance standards that a CSP can undertake. Recovery Point pursued FedRAMP authorization in a continued effort to provide a higher level of defense in depth for our clients.
The security of your data rests on you making the best, most informed decision possible.
A CSP authorized by FedRAMP has successfully demonstrated through rigorous testing by a government approved auditor that they have implemented the required administrative, technical, and operational security tools, capabilities, and controls necessary to ensure the confidentiality, availability, and integrity of client data in a multi-tenant cloud environment.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is the government program that CSP must comply with to provide cloud services to the Federal government. FedRAMP has devised a standardized approach to security assessment, authorization and monitoring of products and services for the Federal government. The goal is to protect Federal data in the cloud, so the compliance requirements are among the most stringent available.
The FedRAMP stamp of security approval means the government has confidence in the CSP’s cloud services and levels of security. FedRAMP focuses on CSPs and the security elements unique to providers. Its requirements are significantly higher than typical industry baseline specifications. FedRAMP approval cannot be obtained through self-certification. It requires a third-party assessment by a government approved auditor and continuous monitoring reviewed by a government official on a monthly basis.
Who gets certified?
Federal government agencies must utilize a FedRamp Authorized Cloud Service Provider (CSP) when moving their agencies data to the cloud. Federal agencies must acquire cloud services from authorized cloud services providers located on the FedRamp.gov marketplace schedule. Private corporations offering cloud services to the Federal government must engage with the FedRamp.gov PMO office to start the authorization and accreditation process which typically takes 12-18 months to complete, depending on their government sponsorship and method of accreditation. Private corporations must obtain a government sponsor or be selected by the FedRamp Joint Advisory Board (JAB) to be authorized as a FedRamp Cloud Services Provider. Only authorized CSPs are listed on the FedRamp.gov marketplace.
What does it take to be certified?
During the Readiness Assessment, the CSP works with an accredited third party assessment organization (3PAO) to determine if the CSP is likely to be successful in obtaining a FedRAMP authorization. CSPs must prove they have designed and implemented the most critical mandated security controls in order to move on to the next phase of accreditation process which is the full assessment.
Once the CSP is deemed “FedRAMP Ready” by the FedRamp PMO and has acquired official sponsorship from a Federal agency, the CSP can then begin the full security controls assessment performed by a government authorized auditor 3PAO. This process can take between six and twelve months and will involve rigorous testing of approximately 300 security controls in addition to successfully passing an intense penetration test of the CSPs cloud environment by a third party tester. If approved, the CSP will join a very select group of less than 175 CSPs nationwide who have achieved a full FedRAMP Authority to Operate (ATO). To maintain the ATO, the CSP must submit to the Government sponsor on a monthly basis a series of continuous monitoring reports including vulnerability scan results and Plan of Action and Milestones (POAMs). This monthly reporting ensures the CSP is meeting the requirements of the FedRamp standard on a consistent basis. Annual third party security control audits are also performed on approximately one-third of the security controls to ensure that all controls are audited no less than every three years.
Benefits of Certification
FedRAMP security controls go beyond the baseline requirements of the industry. Since they are designed for Federal government agencies that deal with sensitive information, there is continuous monitoring and remediation to ensure protection is effective. In addition, substantially similar security controls and compliance procedures are engineered into Recovery Point’s commercial cloud services. As a result, our commercial clients enjoy analogous security benefits.
When you partner with Recovery Point, you can focus on your business operations knowing that your CSP provides the best protection available. To have that trust brings the same stress relief as knowing you have selected the best child-care provider and your youngster is happy and safe.