Guest blog by Dave Michels, a Contributing Editor and Analyst at TalkingPointz.
The US Government has its own seal of approval for cloud service providers, SaaS included.
At the risk of oversimplification, Software as a Service (SaaS) turns products into services. 'The cloud' has been attractive to organizations of all sizes across most sectors because cloud-delivered services are more flexible, avoid long-term commitments, and are simpler to implement and maintain. For the US federal government, however, that is not enough; before an agency can use a cloud service it also requires FedRAMP authorization.
Launched in December 2011, FedRAMP (the Federal Risk and Authorization Management Program) is a US government-wide program that standardizes how cloud services are assessed, authorized, and continuously monitored, using security controls drawn from NIST SP 800-53. The program is intended to simplify and standardize the review and approval process for cloud service providers, including those offering Contact Center as a Service (CCaaS). In practice an authorization is granted for a specific cloud service offering and its defined system boundary, assessed by an accredited Third Party Assessment Organization (3PAO) and sponsored by a federal agency, rather than for a provider as a whole.
Prior to FedRAMP, each federal agency conducted its own security and compliance review for each cloud-delivered service it intended to purchase. This resulted in duplication of efforts and inconsistent requirements, which were wasteful of taxpayer funds and created unnecessary complexity for providers.
FedRAMP has substantially accelerated the adoption of cloud technologies across the US government. Achieving FedRAMP authorization signals that the authorized offering meets government requirements for storing, processing, or transmitting federal data, that the provider has implemented the required operational controls, and that it performs continuous monitoring. The authorization covers only the assessed offering and boundary; other products from the same provider, and the customer's own configuration of the service, are not covered by it.
The authorization was designed for US federal agencies, but the designation is also valued by state, local, and foreign governments and by private-sector companies around the world.
FedRAMP is conceptually similar to the older Joint Interoperability Test Command (JITC) of the Department of Defense (DoD). While FedRAMP ensures the security of the cloud environment for broad government use, JITC tests the interoperability, performance, and security of IT and communications equipment for use within the DoD. Mitel OpenScape Voice was recently added to the DoD's Approved Products List (the DISA-maintained DoDIN APL). Some federal use cases for hybrid solutions require both FedRAMP authorization and JITC certification.
FedRAMP applies to cloud services used by federal agencies; however, not all government data poses the same level of risk. To accommodate different tiers, FedRAMP has three baselines: Low, Moderate, and High. They follow the FIPS 199 impact levels, so each baseline carries a progressively more stringent set of NIST SP 800-53 controls based on the potential impact of a breach. The control counts below are approximate and depend on which revision of NIST SP 800-53 the baseline tracks. The three levels:
- FedRAMP Low applies to cloud systems where the loss of confidentiality, integrity, or availability would have a limited adverse effect. This can include public-facing websites, collaboration tools that do not contain sensitive data, or training systems. It involves implementing around 125 security controls.
- FedRAMP Moderate is the most common authorization level for cloud providers. It applies to systems where a breach could have a serious adverse effect on agency operations, assets, or individuals. The data may include Personally Identifiable Information (PII) or financial data, and the level generally applies to internal communications platforms. FedRAMP Moderate requires the implementation of approximately 325 security controls.
- FedRAMP High is the most stringent level, reserved for cloud systems that handle the government's most sensitive unclassified data, where a breach could have a severe or catastrophic adverse effect. It is the level expected for mission-critical operations, law enforcement, emergency services, healthcare, and financial systems. FedRAMP High requires over 400 security controls. Classified data is outside FedRAMP's scope at every level.
Most CCaaS (and UCaaS) providers that have FedRAMP authorizations meet the Moderate level, such as NiCE CXone, Talkdesk CX Cloud, and Zoom for Government. Content Guru Storm recently became the first CCaaS provider authorized at FedRAMP High. I asked Sean Taylor, the CEO of Content Guru, why the company sought the highest level, and he dismissed it with a “why not?”
Content Guru already has some of the largest CCaaS government implementations. That likely helped: according to the company, FedRAMP did not introduce significant new requirements or operational changes. Taylor indicated that obtaining FedRAMP High last quarter has increased its brand awareness and interest. The designation means the assessed Storm offering has been verified against the High baseline, which is a stronger claim than many competitors can make. Most CCaaS providers have not obtained FedRAMP authorization (at any level) at this time.
FedRAMP authorization is essential for sales to the US government, but it also plays well in the private sector. A FedRAMP-authorized offering has had as many as 400 controls (for High) assessed by an independent 3PAO. This can alleviate concerns about cloud security for those, in both public and private organizations, who are hesitant to move to cloud-delivered services.
Content Guru’s achievement of FedRAMP High authorization plays into the perception that European companies are more secure and privacy-conscious than US providers.
The EU has enacted numerous laws on privacy and digital regulation, including the GDPR (which established the right to erasure, better known as the Right to be Forgotten), the ePrivacy Directive (also known as the Cookie Law), the Digital Services Act, the Digital Markets Act, the Data Governance Act, and the AI Act. While some argue that Europe's protections have restricted its technological dominance, others consider that outcome to be a winning trade.
Conversely, the US still has no comprehensive federal consumer privacy law; its federal protections are sector-specific (HIPAA for health data, COPPA for children's data, GLBA for financial data). The example usually cited to make the point is the Video Privacy Protection Act of 1988, signed into law by Ronald Reagan, which prohibited video stores from disclosing customer rental records.
Achieving FedRAMP authorization is not a one-time event; it requires ongoing maintenance. The program emphasizes continuous monitoring: providers must run regular (monthly) vulnerability scans of their infrastructure, databases, and web applications, undergo an annual assessment that includes penetration testing, track and remediate findings in a Plan of Action and Milestones (POA&M), report security incidents to the government, and obtain approval for significant changes to the authorized system. Together these are meant to ensure that the security posture remains strong and compliant over time.
In essence, FedRAMP is more than just a compliance hurdle; it is a foundational program that enables the federal government to adopt modern cloud technologies with confidence while holding providers to a high, uniform standard. FedRAMP has become a widely recognized benchmark for cloud security assurance, valued by organizations around the world and across sectors. It is worth remembering what the benchmark covers: the provider's side of the shared-responsibility model for the assessed offering. The controls a customer must implement on its own side are spelled out in the offering's Customer Responsibility Matrix, and they remain the customer's job.