This blog originally appeared on Workiva.com on Nov. 27, 2018.
Advances in cloud technology have resulted in significant gains for the private sector in terms of workplace collaboration and efficiency, and government finance teams are starting to follow suit.
To ensure data privacy and security, the United States federal government has established standards that are much more onerous than the SOC 1/SOC 2 standards accepted by many corporations. For cloud service providers (CSPs) who serve government entities, the standardized approach is known as the Federal Risk and Authorization Management Program, or FedRAMP, for short.
Workiva became an approved FedRAMP vendor in 2018, with Wdesk listed as a FedRAMP Authorized cloud solution. We sat down with the Workiva team responsible for achieving FedRAMP compliance and discussed the growing need for security, the impact FedRAMP will have on accounting and finance teams, and what the future holds. Here is what they had to say.
What led to Workiva becoming FedRAMP Authorized?
Jeff Bivens (JB), Technical Program Manager: Workiva has made a name for itself as a leading SaaS (software as a service) innovator. We create software that is powerful, yet simple to use. Over 3,000 customers enjoy the benefits of Wdesk, especially the process efficiencies and higher productivity that come with it. We are being asked to solve even more complex challenges for larger organizations, including commercial enterprises and government agencies. We are also being asked to earn additional compliance. In the case of government agencies, that's FedRAMP.
How does FedRAMP differ from other security compliance standards?
Lee Marks (LM), Information Systems Security Officer: Strong cybersecurity is a prerequisite for any SaaS offering, and third-party assurance is expected in order to serve enterprise customers, including federal and state agencies. Specifically, federal agencies require FedRAMP compliance.
FedRAMP certification is a rigorous process that brings together federal agencies, CSPs, and independent assessors for a common purpose: to ensure that cloud-based services procured by the federal government meet and continually adhere to adequate security standards.
While FedRAMP has roots that stretch all the way back to the Federal Information Security Management Act of 2002, it is a modern program with innovative practices that offers benefits to both government and industry.
What are the advantages of being FedRAMP Authorized?
LM: Workiva embraced the opportunity to pursue a FedRAMP authorization to operate (ATO) for two main reasons. The first was to be able to serve government agencies, especially United States federal agencies. The second objective was for improved security at scale, which not only benefits government organizations but all of our corporate clients as well.
As a security program, FedRAMP compliance serves as a spotlight to probe into all aspects of a vendor's technology stack to identify those areas that can be better secured. No matter how safe you are today, you always want to be even safer tomorrow. Thankfully, this same spotlight also highlights the best aspects of our security architecture.
JB: FedRAMP compliance was a significant accomplishment and validated the scalable and secure platform that we deliver. Unlike some compliance efforts, however, FedRAMP is not a one-and-done endeavor. It's an ongoing recertification process that we need to work to retain each year.
What did you learn from your FedRAMP experience?
JB: You might think, given such compelling security, operational, and business benefits, that most CSPs would be actively involved with the FedRAMP program, but that simply is not the case. At the time of this interview, fewer than 160 companies representing less than 200 cloud service offerings are listed on the FedRAMP Marketplace. While that number will grow, there are a few reasons for the exclusivity of this group—not the least of which is that attaining FedRAMP Authorization is downright difficult.
No matter who you are or where you start from, achieving this rigorous, independently verified security standard is going to be a challenge.
LM: Challenges don't intimidate Workiva. Not only do we supply the right tools for the job, we have a tradition of innovation and we are committed to greatness—especially when it comes to meeting the high expectations of our customers and keeping their information secure.
What are some of the challenges involved in becoming FedRAMP Authorized?
LM: FedRAMP includes a process known as continuous monitoring, or ConMon. ConMon requires annual independent assessments, with the expectation that CSPs will perform security operations on a daily and weekly basis and provide compliance performance reports at least monthly. The security principle behind ConMon is automation, which encourages cloud systems to design automatic security operations. Building upon the benefits of ConMon, our engineers and architects evaluated the design of each control implementation to ensure scalability across infrastructure that supports many thousands of customers, is maintainable with minimal human intervention, and is continuously secure, not just at a point in time.
Thankfully, we already have a powerful tool that can manage the ConMon process: Wdesk. In fact, we used Wdesk to manage the security package for our ATO.
Wdesk includes capabilities for risk management, live data-linking, and regulatory reporting, which increases automation, minimizes effort, increases trust and quality of outputs, and allows our internal teams and partners to collaborate simultaneously in a shared workspace. FedRAMP ConMon gives Wdesk the chance to put its security strengths on display all day, every day, and our customers appreciate this assurance as much as we do.