What does FedRAMP Authorization Mean & Why It Matters to Businesses Beyond Government Agencies
December 9, 2021
Identity verification solutions for federal governments have long been a necessity. However, the rampant fraud amidst the global pandemic, including Paycheck Protection Program (PPP) fraud resulting in part from identity theft and synthetic identity fraud, has accelerated the need to modernize and secure these solutions. Use cases requiring digital identity solutions that allow government services to securely distribute disaster relief, retirement and citizen benefits program systems, to name a few, are increasing. The highly sensitive information federal agencies handle on a daily basis requires that the identity proofing solutions being utilized meet the highest standards.
What is FedRAMP?
FedRAMP in the US is one of the most rigorous software-as-a-service (SaaS) certifications in the world. To enable government agencies to more quickly do business with vetted vendors, the Federal Risk and Authorization Management Program (FedRAMP) was created. This is a government-wide program that promotes the adoption of secure cloud services across the US federal government by providing a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale. FedRAMP is mandatory for all executive agency cloud deployments and service models at the Low, Moderate and High-risk impact levels.
How FedRAMP Authorization Works
A Cloud Service Provider (CSP) goes through the authorization process once, as Acuant did, and after achieving an authorization for their Cloud Service Offering (CSO), the security package can be reused by any federal agency. The authorized designation that Acuant has been granted is provided to CSPs that have successfully completed the FedRAMP Authorization process with the Joint Authorization Board (JAB) or a federal agency. This designation indicates the CSP's security package is available for agency review and reuse.
JAB Provisional Authorization to Operate (P-ATO) allows agencies to readily accept the authorization by the Joint Authorization Board and eliminates the need to perform an agency-specific ATO process before allowing agency systems to connect to the Acuant COFRS services. The P-ATO not only provides a thorough assessment of the Federal Information Security Management Act (FISMA) risk management controls against the National Institute of Standards and Technology (NIST) SP800-53 Risk Management Framework, but also provides continuous monitoring and an annual assessment of the ongoing risk posture of the cloud services, thereby significantly reducing the risk management load.
What it Means for Businesses Beyond Government Agencies
FedRAMP is important because it ensures consistency in the security of the US government’s cloud services—and because it ensures consistency in evaluating and monitoring that security. It provides one set of standards for all government agencies and all cloud providers. This translates to assurance and security standards for any and all businesses that are seeking the gold standard in identity proofing technology and providers. FedRAMP authorization represents an ongoing commitment to meeting the highest security standards.
Acuant is adding this accreditation to ISO 27001, PCI DSS, and SOC 2 Type II, as well as CCPA and GDPR compliance. By passing the rigorous process of receiving FedRAMP Moderate JAB P-ATO authorization, Acuant has committed to and has proven to uphold standards required by the US government to power secure identity verification for government agencies with its AssureID™, Ozone® and Facial Recognition System (COFRS) offerings. These offerings support identity proofing processes that meet NIST SP800-63 requirements for Identity Assurance Level 2 (IAL2).
The following COFRS services are currently approved by the JAB under this FedRAMP authorization:
- AssureID™ SaaS – Document Authentication / Physical Security Feature Assessment
- Ozone® ePassport Authentication SaaS – Passive Authentication / Cryptographic Assessment
- Acuant FaceID: Government SaaS – NIST FRVT Program certified Facial Recognition Matching
- Passive Liveness SaaS – iBeta certified Presentation Attack Detection
Acuant is one of the only identity verification providers to accomplish FedRAMP authorization. Cloud Service Providers that are FedRAMP authorized are listed in the FedRAMP Marketplace.
To learn more about Acuant’s FedRAMP Moderate JAB P-ATO authorization, book a meeting.