A CISO’s reflections on four years of FedRAMP

Drew Daniels, CISO

The importance of government data is generally well understood: a great deal of this information can and does have a material impact on national security. Beyond national security, this data is highly sought after by those meaning to do harm to America and its citizens, be they nation states, organized criminals, or individual bad actors. As in many other industries, the amount of data being created in the federal sector is growing at a rapid pace, and with this growth the complexity and value of the data continue to increase.

Enter FedRAMP

Companies providing hosted services have gone by many names over the years, from Application Service Providers (ASPs) in the 1990s to Software as a Service (SaaS) providers in the late 2000s and early 2010s. Over this timeframe, each generation of services has generally offered greater capabilities, better service efficiency, and lower costs, and that trend has continued into the era of cloud service providers (CSPs). As federal agencies looked to commercial CSPs for their cloud migration needs, it became apparent that a strong framework was needed to assess the security controls of these CSPs.

As we saw in part 1 of our FedRAMP blog series, the Federal Risk and Authorization Management Program (FedRAMP) provides a standardized framework for the security assessment, authorization, and ongoing security monitoring of CSPs. It is a rigorous authorization program aimed at assessing the risk of cloud service offerings, and likely more rigorous than any previous compliance regime governing this industry.

While FedRAMP was meant to be a cost-effective way of securing cloud service providers, it can be quite a barrier to entry. As the CISO of a FedRAMP-authorized service provider, I can tell you that it takes a lot of time, careful planning, and ultimately significant resources to achieve authorization and keep it. The good news is that FedRAMP follows a "do once, use many times" model: a cloud service offering is assessed once (with annual reassessment as part of continuous monitoring), and that authorization can be reused across multiple agencies.

How Druva approached FedRAMP certification

As federal spending on cloud computing services grew to $6.6 billion in 2020,¹ interest among commercial CSPs in becoming FedRAMP-ready grew with it, so that they could tap into this expanding market.

During FedRAMP's first few years, only about 20 cloud service offerings were authorized. Druva was one of those, and the very first in the cloud data protection industry to reach this milestone under an agency sponsorship. First authorized in 2017, Druva continues to satisfy the security requirements of a number of private and public sector organizations and agencies, demonstrating its commitment to data security for this key industry.

Since 2017, Druva has worked with more than 40 customers, including federal agencies and public and private organizations, to help them meet their cost, infrastructure, and digital transformation goals; among them are the Department of Homeland Security and the National Cancer Institute.

Others followed, but…

Lately, other providers have come forward to try to win federal business. But due to the complexity of FedRAMP, which draws on over a dozen applicable laws and 19 different standards, some have taken shortcuts. For example, some CSPs partner with subcontractors to bridge gaps in their own cloud services.

Let me explain why this is a problem. Say your CSP handles Controlled Unclassified Information (CUI). To handle CUI, it needs to be FedRAMP Moderate or equivalent. If a subcontractor is also involved, that subcontractor must meet the same requirement, or your CUI is at risk: any component that stores, processes, or transmits your data must fall within the authorization boundary, and a subcontracted service that has not been assessed is a gap in that boundary, not a detail. In such a scenario, verifying that your CSP meets all the security requirements and that the confidentiality of your CUI is protected becomes critical. You also have to ask who is responsible for what, and whom to turn to when an issue arises.

How a leading federal agency uses Druva to protect its remote workforce

Built on Amazon Web Services (AWS), a FedRAMP High authorized IaaS platform, Druva has gone through more scrutiny than many public or private sector IT service offerings, resulting in a government-compliant SaaS solution.

The Druva solution reduces costs, improves flexibility, meets government requirements, and keeps secure, air-gapped copies of your data that, while they reside in the Druva platform, are stored in a non-executable form. In addition, your backed-up data is not exposed to Druva personnel.

Through our encryption methodology, only our customers can access the data they store in Druva. Druva has built and continues to deliver innovative solutions for recovery and resilience. These principles are at the core of our platform, and as we continue to develop and deliver solutions for ransomware recovery, sensitive data governance, and interoperability with existing tools, they lead to only one conclusion: the future is bright for our federal customers.

Druva pursued FedRAMP because our customers were asking for it as far back as 2017, and we continue to deliver data protection to federal agencies and other customers today.

In one specific example, a high-profile national agency reached out to us for help supporting its more than 40,000 employees who went remote practically overnight at the onset of the pandemic. With no administrator able to go onsite, the agency had to authenticate and deploy at scale with little impact on its VPN and network. A cloud-based solution was the only viable option.

With Druva, the customer deployed over 45,000 users in three months without any disruption to its network or VPN. By migrating to Druva’s cloud-native backup and data protection service, the agency reduced its on-premises footprint from 11 data centers to zero and its backup administrators from 22 to just one, freeing the remaining staff to work on far more complex and time-sensitive challenges. More importantly, this was achieved without any disruption to employee productivity.

These added benefits are precisely why a number of agencies in the federal government trust Druva as their data protection platform, and benefit from our years of experience in helping them reduce cost and complexity.

In addition, one of the biggest differentiators for Druva is ransomware protection. As ransomware attacks continue to increase in frequency and severity,² Druva’s ability to provide air-gapped backups along with cost savings gives government agencies peace of mind that their data is always protected and compliant with strict governance requirements.

Druva continues to innovate and improve the efficiency of the services it provides, and passes those savings on to our customers in the federal government.

Download our FedRAMP solution brief to learn more.


¹ Nextgov, “Federal Cloud Spending Tops $6.6 Billion,” Frank Konkel, February 4, 2021.

² NPR, “How To Stop Ransomware Attacks? 1 Proposal Would Prohibit Victims From Paying Up,” Jason Breslow, May 13, 2021.