I have spent a lot of time working with government agencies over the last 17 years, and have gained an appreciation for security, but more importantly, for certification and accreditation (or “C&A” in government-speak). C&A was originally spawned from the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), which applied risk-management frameworks to information systems. Eventually, DIACAP transitioned to the NIST Risk Management Framework (RMF), which further standardized this process. Working in the security space — especially with government agencies — I have learned that when vendors make security claims, they need to have actual evidence in the form of third-party certifications to back up those claims.
For traditional standalone on-premises products, this evidence usually involved FIPS 140-2 for encryption, while general security claims were handled using Common Criteria Certification. These two certifications did one very important thing: they provided a consistent set of validation criteria that encryption and security claims could be measured against at any point in time. Agencies also had the option to do a stand-alone Federal Information Security Management Act (FISMA) assessment for on-prem solutions but this was typically never recognized nor scalable to other federal agencies, thus multiplying the burden and workload on vendors to go through multiple authorizations. So the question becomes, “How do you scale security authorizations for the cloud?”
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This allows cloud security solutions to be assessed once and that assessment to be used across multiple agencies. FedRAMP is based on NIST SP800-53, which is the gold standard for security control frameworks. More importantly, FedRAMP provides a clear and consistent means for cloud service providers like Druva, as well as customers across all sectors, to measure security not only at a single point in time, but on an ongoing basis as well.
As a SaaS provider, Druva is focused on cloud information management. We provide data protection, governance, and compliance solutions for our customers in both the private and public sectors. One of the three pillars of Druva’s security strategy is trustworthiness. As the Chief Trust Officer at Druva, it is not enough for me to write a blog and say that Druva has implemented particular security features and functions — it’s also important that a third party actually validates those claims. In order to satisfy the security requirements of both private- and public-sector organizations, Druva made a conscious choice to pursue FedRAMP authorization to show its commitment to security. I am pleased to announce that Druva inSync in AWS GovCloud is currently “in process” for FedRAMP Moderate under an agency sponsorship. This achievement represents a very important step in Druva’s security journey.
While attaining this “in process” status for FedRAMP is a real achievement for Druva, we still have work to do in order to receive an agency Authorization to Operate (ATO). As with any certification, this is not a race, but a journey. Druva is the only cloud-native data-protection solution in the market, and we are very grateful that FedRAMP provides cloud service providers a measurable way to implement security the right way.
The Next Steps
As we continue our FedRAMP journey, we will provide more updates.
To learn more about FedRAMP and how Druva can help address government security concerns by leveraging the unique capabilities of the cloud, visit our Druva’s Government Solution Page.