Defining FedRAMP Authorization and its Connection to Public-Safety Grade Solutions

For many public safety agencies, investing in trusted software vendors is an absolute must, especially in the wake of growing cyberattacks and data breaches. For federal government agencies, the Federal Risk and Authorization Management Program (FedRAMP) provides a vetted marketplace of vendors offering cloud-based IT products and services, like Rave. This hard-earned distinction serves as a new level of public-safety grade assurance for agencies looking for reliable solutions 


What is FedRAMP? 

Founded in federal law, FedRAMP was passed to serve as a “government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”  

Vendors looking to achieve FedRAMP authorization are put through a rigorous assessment process, usually taking up to 18 months or longer to complete. For agency sponsored authorizations the parties involved are a qualified assessor, a sponsoring government agency and the FedRAMP Program Management Office or PMO; all of which are meticulous and take great effort to ensure the cloud service is secure before it’s allowed to operate.

FedRAMP Agency Authorization 

Security controls based on NIST 800-53 controls are closely scrutinized by the assessor, sponsoring agency and the FedRAMP PMOwith an emphasis on: 

  1. How encryption is implemented to protect customer data in transit and at rest 
  2. How the vendor develops, tests and deploys their service and the associated infrastructure  
  3. What the physical and environmental security systems are in place where any data might be housed 
  4. What the hiring process is for employees handling or with access to the customers data 
  5. What business continuity programs are in place in the event of a disaster or catastrophic event 
  6. How the vendor will monitor, detect and respond to cyber security incidents  

In addition to evaluating security controls, the assessment includes a penetration test or pen test as it’s sometimes called, which identifies any vulnerabilities in the software, systems or network infrastructureEstablished public-safety grade companies already conduct pen tests on their own on a regular basis, but this specific pen test helps to identify issues that must be remediated and then validated by the FedRAMP assessors before an authorization to operate is granted.

Manufacturer Mass Notification   

How Does FedRAMP Differ from Other Security Assessments? 

When evaluating the security effectiveness of software options, some organizations might look at a variety of factors including other security assessmentsISO27001 is an international certification process that also closely scrutinizes an organization’s ability to maintain high-quality information security controls.

Survey Finds Employees Aren't Aware of Cyber Attack ProceduresWhile FedRAMP and ISO look at various sets of controls, ISO focuses on process and ownership of the controls while FedRAMP is concerned about implementation and effectiveness. 

FedRAMP also determines from the very beginning of the authorization process the level of impact a customer would inherit when signing with a particular vendor for cloud-based services. Vendors are given different security impact levels that emphasize confidentiality, integrity, and availability as major factors. 

Based on these factors, the three levels of impact are: 

Low Impact: Where there would be limited impact to an agency  

Moderate Impact: Where the impact to an agency would be more serious 

High Impact: Where the impact to an agency would be severe 

The Rave solution is assessed at the FedRAMP-moderate impact level that requires more then 320 controls be in place and effective, which makes the importance of security commitment even more critical. 

Why does FedRAMP Authorization matter for critical communication solutions? 

Critical communication solutions like what Rave provides are trusted by thousands of organizations and communities for a wide range of uses. From day-to-day community alerts to urgent messages with next steps following a catastrophic event, these organizations are relying on the software they use to effectively communicate their critical messages as quickly as possible. There’s no room for delays and even less so for data breaches that can expose personal information when an organization is trying to be the source of truth for their constituents. 

Universal - Citizen Engagement Ebook CTA

When a service providers achieves FedRAMP authorization, it isn’t just getting a one-time seal of approval as a trusted vendorFollowing the authorization, the vendor must implement a continuous monitoring process that includes monthly meeting with their FedRAMP customers to discuss the security of the environment and how the vendor is addressing vulnerabilitiesThe ConMon meetings as they are called ensure the upmost level of security hygiene is maintained. 

Rave is a Government Community Cloud deployment which means that state, local, tribal, and territorial government bodies use this service with a goal to partner with a FedRAMP-authorized vendor. However, any non-federal or local government organization can speed up their onboarding process by taking advantage of all the assessments done previously to prove that comprehensive security controls are in place. This is the essence of what public-safety grade infrastructure means.  

FedRAMP and Public-Safety Grade Infrastructure Definition

In a previous blog, we talked about how public safety grade is the expectation that equipment will remain operational during a natural disaster, attack, or any other emergency situation. For Rave, it goes beyond providing a shiny app or interface and means providing “five-nine” or 99.999% availability. Continuing to uphold FedRAMP authorization will only strengthen that commitment. 

Check out how FedRAMP Authorized Rave Alert works

Ready to Partner with a FedRAMP-Authorized Vendor Like Rave? 

Learn more about how Rave provides the leading FedRAMP-authorized mass notification solution sending over 1.2 billion notifications annually and in excess of 4,000 SMS messages per second.  

Rave Alert Employee Communications

Todd Miller
Todd Miller

Todd Miller manages all field operations at Rave. Prior to joining Rave, Todd managed the self-service consulting Practice at Oracle where he was responsible for the delivery of customized software solutions for clients in North America, supporting millions of users. At Oracle he was awarded recognition as a member of Oracle’s top 10% in Consulting. Todd’s previous experience includes leading consulting teams for Siebel and edocs in North America, Europe, and Australia. Todd is a graduate of Babson College.

Ready for a FedRAMP authorized solution?

Get a demo of Rave Alert, a leading, award-winning mass notification solution trusted by thousands of communities and organizations.

Get a Demo 

Schedule a Free Consultation

Talk With An Expert

Discover our pre-packaged solutions or configure a package that's right for your business. Learn how you can be up and running in days, take advantage of unlimited usage, and benefit from unbeatable performance and customer satisfaction.