By Todd Miller - January 14, 2021
For many public safety agencies, investing in trusted software vendors is an absolute must, especially in the wake of growing cyberattacks and data breaches. For federal government agencies, the Federal Risk and Authorization Management Program (FedRAMP) provides a vetted marketplace of vendors offering cloud-based IT products and services, like Rave. This hard-earned distinction serves as a new level of public-safety grade assurance for agencies looking for reliable solutions.
Founded in federal law, FedRAMP was passed to serve as a “government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”
Vendors looking to achieve FedRAMP authorization are put through a rigorous assessment process, usually taking up to 18 months or longer to complete. For agency-sponsored authorizations, the parties involved are a qualified assessor, a sponsoring government agency and the FedRAMP Program Management Office (PMO), all of which are meticulous and take great effort to ensure the cloud service is secure before it’s allowed to operate.
Security controls based on NIST 800-53 controls are closely scrutinized by the assessor, sponsoring agency and the FedRAMP PMO, with an emphasis on:
In addition to evaluating security controls, the assessment includes a penetration test, or pen test as it’s sometimes called, which identifies any vulnerabilities in the software, systems or network infrastructure. Established public-safety grade companies already conduct pen tests on their own on a regular basis, but this specific pen test helps to identify issues that must be remediated and then validated by the FedRAMP assessors before an authorization to operate is granted.
When evaluating the security effectiveness of software options, some organizations might look at a variety of factors, including other security assessments. ISO 27001 is an international certification process that also closely scrutinizes an organization’s ability to maintain high-quality information security controls.
FedRAMP also determines from the very beginning of the authorization process the level of impact a customer would inherit when signing with a particular vendor for cloud-based services. Vendors are given different security impact levels that emphasize confidentiality, integrity, and availability as major factors.
Based on these factors, the three levels of impact are:
Low Impact: Where there would be limited impact to an agency
Moderate Impact: Where the impact to an agency would be more serious
High Impact: Where the impact to an agency would be severe
The Rave solution is assessed at the FedRAMP-moderate impact level, which requires more than 320 controls to be in place and effective, which makes the importance of security commitment even more critical.
Critical communication solutions like what Rave provides are trusted by thousands of organizations and communities for a wide range of uses. From day-to-day community alerts to urgent messages with next steps following a catastrophic event, these organizations are relying on the software they use to effectively communicate their critical messages as quickly as possible. There’s no room for delays and even less so for data breaches that can expose personal information when an organization is trying to be the source of truth for their constituents.
When a service provider achieves FedRAMP authorization, it isn’t just getting a one-time seal of approval as a trusted vendor. Following the authorization, the vendor must implement a continuous monitoring process that includes monthly meetings with its FedRAMP customers to discuss the security of the environment and how the vendor is addressing vulnerabilities. The “ConMon” meetings, as they are called, ensure the utmost level of security hygiene is maintained.
Rave is a Government Community Cloud deployment which means that state, local, tribal, and territorial government bodies use this service with a goal to partner with a FedRAMP-authorized vendor. However, any non-federal or local government organization can speed up their onboarding process by taking advantage of all the assessments done previously to prove that comprehensive security controls are in place. This is the essence of what public-safety grade infrastructure means.
In a previous blog, we talked about how public safety grade is the expectation that equipment will remain operational during a natural disaster, attack, or any other emergency situation. For Rave, it goes beyond providing a shiny app or interface and means providing “five-nine” or 99.999% availability. Continuing to uphold FedRAMP authorization will only strengthen that commitment.
Learn more about how Rave provides the leading FedRAMP-authorized mass notification solution sending over 1.2 billion notifications annually and in excess of 4,000 SMS messages per second.
Todd Miller manages all field operations at Rave. Prior to joining Rave, Todd managed the self-service consulting Practice at Oracle where he was responsible for the delivery of customized software solutions for clients in North America, supporting millions of users. At Oracle he was awarded recognition as a member of Oracle’s top 10% in Consulting. Todd’s previous experience includes leading consulting teams for Siebel and edocs in North America, Europe, and Australia. Todd is a graduate of Babson College.