The FedRAMP authorization obtained by the Qualys Cloud Platform was one of Qualys’ significant achievements in 2016. Why is that, you may be asking? Here we explain five reasons why the FedRAMP (Federal Risk and Authorization Management Program) approval is important for Qualys customers and partners. (And we explain what FedRAMP is!)
#1 — The Qualys FedRAMP authorization is backed by a major federal agency
In mid-2016, the Qualys Cloud Platform achieved FedRAMP compliance from the FedRAMP Project Management Office (PMO) after submitting a security package — formally called a Cloud Service Provider (CSP) Supplied Package — that had been reviewed by independent, third-party evaluator Coalfire Systems.
Then in November, the Qualys Cloud Platform further obtained a FedRAMP Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS), which added heft to Qualys’ FedRAMP standing. The HHS ATO carries special weight because the agency has a lot of resources to evaluate its technology providers and make sure they meet its high standards and stringent requirements.
With the HHS ATO under its belt, Qualys will continue seeking ATOs from other federal agencies to add to its FedRAMP dossier.
#2 — It simplifies and accelerates approval of Qualys solutions for federal agencies
Qualys’ FedRAMP certification makes life easier for federal agencies, since they can now leverage it to speed up approvals to use Qualys cloud security and compliance solutions.
The certification also benefits partners — system integrators and cloud providers — since it makes it easier to integrate Qualys with other FedRAMP-certified Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) CSPs to deliver cloud-based solutions designed to be FedRAMP compliant.
Last but not least, the FedRAMP seal is also good news for customers and partners outside of the federal government as further proof of the security and stability of the Qualys Cloud Platform. Not only does the FedRAMP seal guarantee that the platform complies with the program’s exacting requirements, but it also ensures that it will continue to be so, since in order to retain their FedRAMP seal, cloud providers need to comply with continuous post-certification monitoring.
#3 — It’s a rare recognition
Since FedRAMP’s launch in mid-2012, only 78 products from 57 cloud service providers to date have received this important security seal of approval given by the U.S. federal government.
With its FedRAMP certification, Qualys joined a very distinguished and select group of cloud providers which includes Accenture, VMware, Adobe, Microsoft, Amazon, IBM, Verizon, Cisco, Google, Salesforce and Oracle.
This means that Qualys Cloud Platform, with its suite of 10 integrated security and compliance apps, shares the FedRAMP stage with cloud computing services such as IBM’s SmartCloud for Government, Salesforce’s Government Cloud, Oracle’s Federal Managed Cloud Services and Microsoft’s Azure Government, as part of a carefully chosen set of cloud services whose security stands out in the industry.
#4 — It demonstrates successful completion of lengthy and rigorous testing
A FedRAMP seal says that a cloud provider’s infrastructure-, software- or platform-as-a-service offering underwent and passed a stringent, exhaustive security evaluation, which can take 18 months or more to complete.
For example, among the multiple documents cloud providers must submit as part of this lengthy, complex and rigorous process is the core System Security Plan (SSP), whose template alone is more than 400 pages long. Its purpose is to detail a cloud system’s security controls and determine how U.S. federal information will be safeguarded.
Overall, the FedRAMP security controls are based on NIST (National Institute of Standards and Technology) Special Publications 800-53 R4 controls for low and moderate impact systems and contain controls above the NIST baseline for low and moderate impact systems that address the unique elements of cloud computing.
#5 — It’s a key federal government certification
FedRAMP, which standardizes how the Federal Information Security Management Act (FISMA) applies to cloud providers and is governed by the executive branch of the federal government, involves multiple agencies, including NIST, the General Services Administration (GSA), the Office of Management and Budget (OMB), the Department of Defense (DoD), the Department of Homeland Security (DHS) and the Federal CIO Council.
The FedRAMP Joint Authorization Board (JAB), made up of the CIOs from DHS, GSA and DoD, defines and establishes the FedRAMP baseline system security controls, while the FedRAMP PMO manages its day-to-day operations.
The use of FedRAMP is mandated by the OMB for all federal agencies as they migrate their on premises systems and applications to commercial cloud computing services.
The reason for this mandate is that FedRAMP was designed to streamline, standardize, sharpen and systematize the security assessment of cloud computing services, accelerating the cloud adoption process, cutting costs and removing inefficiencies.
With FedRAMP in place, individual agencies don’t have to evaluate separately the same cloud service. This FedRAMP “do once, use many times” philosophy aims to allow agencies to reuse assessments and authorizations, so that a cloud service provider can be certified once and used as a cloud provider by multiple agencies.