On the road to FedRAMP and StateRAMP: Key considerations for public sector agencies seeking certification
Is your agency ready to navigate the complexities of modern security standards? Watch On the road to FedRAMP and StateRAMP: Key considerations for public sector agencies seeking certification, the first installment of our series, Shifting gears in public sector.
In this kickoff session, Edward Johnson, TTEC Digital, and Brian Koma, Verint, break down what state and federal agencies must know to achieve certification without stalling their digital transformation. Beyond the technical requirements, our experts discuss how to leverage AI, CX automation, and existing data to build trust and deliver transformative change in citizen services.
Whether you are just beginning your compliance journey or looking to optimize your current infrastructure, this masterclass provides the roadmap needed to modernize securely.
Thank you for joining us for today's web seminar, On the Road to FedRAMP and StateRAMP: Key Considerations for Public Sector Agencies Seeking Certification. This webinar is being presented today by TTEC Digital and Verint. My name is Brian Koma, and I'm very pleased to be joined here today by Ed Johnson, who's vice president and program manager at TTEC Digital for government solutions. Welcome, Ed. Thanks for joining me today.

Thank you, Brian.

Let me very briefly go through today's agenda. We're first gonna give a very brief introduction to TTEC Digital and Verint, just to level set. We're gonna talk about some of the basics around FedRAMP and StateRAMP: what is it, how does it work? And very importantly, we're gonna talk about some key contracting and authorization points that every state and federal department and agency needs to keep in mind, because it's a relatively new requirement, and there are a lot of pitfalls that organizations need to understand during this process. One of the key elements we're gonna talk about is ATO. That's a term of art in FedRAMP and StateRAMP for what's called authority to operate, a very important element of how you get to being able to utilize this technology. We're gonna talk about what it is and how to get there. And then Ed, who's really a key domain expert, is gonna talk about FedRAMP and StateRAMP in depth: what are some of the key considerations, what are the resources needed, what are the areas that you need to keep in mind, and what resources might you need internally in order to be able to get to FedRAMP or StateRAMP authorization for your department or agency. So with that, I'm gonna turn it over to Ed and have him talk for a minute about who TTEC Digital is, some of the things that the organization does, and who they serve.

Okay. Thanks, Brian. Yeah. TTEC Digital is a CX, customer experience, focused company.
We've been in business for about forty years, providing contact center solutions. A list of the partners that we work with: we do a lot of work with Verint, Cisco, Amazon, Google. And we have a public sector practice. We've been around for about three decades, working with the same industry partners. We have a range of public sector clients in the civilian and DOD areas, also some state agencies. And we have a FedRAMP Moderate authorization through the Joint Authorization Board. And we also have a DISA Impact Level 4 authorization for the cloud products that we support.

A little bit about me: program manager for TTEC Government Solutions. Some notable projects I've worked on: the US Census Bureau, the 2020 decennial help desk, and the questionnaire assistance program. We operated a large contact center operation for that and supported telephony for the 250 area offices. The Internal Revenue Service and the Social Security Administration have run our technology that, you know, I've helped them implement and support. We also operate the TTEC Humanify Enterprise for Government, which is a contact center as a service. We got FedRAMP JAB authorization for that in 2019. And then in 2020, we got IL4 authorization through DISA. And that's a platform that we continue to support. Brian, can you tell us more about Verint?

Yeah. Thank you, Ed. Verint is about $850 million. Actually, it's slightly larger than that. We just announced our full year results for fiscal year 2024, which ended in January.
As you can see, we serve quite a few organizations, about a thousand organizations in 175 countries, with significant innovation, more than 600 patents. You'll also note that we have an extensive set of government customers, including organizations like the US Coast Guard, the Social Security Administration (very much like TTEC), NEXCOM, the Federal Bureau of Investigation, the CDC. We have a lot of experience in working with public sector organizations at both the federal and state levels. I will mention that we have partnered with TTEC for FedRAMP. So Verint has implemented its voice of the customer solutions on TTEC's Humanify Enterprise for Government platform, and that's helped us get to FedRAMP Moderate and IL4 authorization in a very timely manner.

So, enough about us. We're gonna talk today about what are some of the technology requirements that federal agencies and state agencies need to keep in mind. A couple of things that we have seen through our years of working with the public sector is that many public sector organizations are going through a major transformation from on-premise legacy solutions to software as a service solutions, because they need to be able to future-proof their offerings. They need to keep up. It's very difficult to keep up with changing technology and the expense of running technology on premise. And many organizations are trying to move to software as a service. But, as you're most likely aware, all SaaS solutions, particularly for the federal government, must now be FedRAMP authorized. And we'll talk about what that means, but there was a law that was passed in January of 2023, signed by President Biden, H.R. 7776. It was part of the National Defense Authorization Act, and it includes the FedRAMP Authorization Act.
This means that FedRAMP has been codified as the approach to security assessment and authorization for cloud computing products and services. The concept is: authorized once and used many times. But this is now a requirement. And why this is important is because, even on the business side, we've noticed that a lot of the contacts that we've had are not necessarily aware that it's a hard requirement. It was more of a guideline prior to January of 2023. Now it's being required with all contracts that are being let for the government.

So let's talk about some of the basics. What is FedRAMP? It stands for the Federal Risk and Authorization Management Program, and it's a US government-wide program that simplifies security for the digital age by providing a standardized approach to security for the cloud. That means that instead of each department or agency defining their particular requirements, FedRAMP gives us a baseline from which to work. Each agency and department may have additional requirements on top of that. DOD is a good example, with impact levels for DOD. But FedRAMP is, I think, a common means, and you'll see an awful lot of vendors now trying to get to FedRAMP, either at the agency level or, as Ed said, through the Joint Authorization Board level.

StateRAMP is very similar. The fifty state CIOs have gotten together and agreed on the State Risk and Authorization Management Program. It's modeled after FedRAMP, and it's essentially a complete once and use many concept. It relies on FedRAMP-authorized 3PAOs, that's a term of art to mean third party audit organizations, to conduct assessments. And each state can define whether to require StateRAMP on its own. So if you're a state level organization watching this, I'd encourage you to talk to your information security organization about whether you have a requirement for StateRAMP.
We're seeing it on an individual state basis, and, again, it's something for you to consider as you start looking at SaaS solutions.

So let's talk a little bit more about FedRAMP and StateRAMP. Let's get into a little bit more detail behind it. It really is a partnership between government and industry, and it means that providers meet certain key security criteria. First, being able to implement all applicable information security controls. Many of you have heard of NIST and FISMA. FedRAMP incorporates these components into a common framework. Once you've done that, once you have installed this in a FedRAMP or StateRAMP authorized environment, it also has to pass audit by a third party audit organization, not just initially, but each year. So it's very important to know that any FedRAMP or StateRAMP authorized solution is continually monitored, and each year that audit must be conducted to ensure that we're adhering to all of the controls for each level. And then, ultimately, this results in what's called an authority to operate. As Ed mentioned, we have worked with the Joint Authorization Board, which consists of CIOs or chief information security officers from across the federal government who have looked at the requirements and authorized the solution for use within all branches of government. You can also obtain an agency ATO, but it's good only for that agency at that particular time. Again, it provides a common security framework for helping you to modernize your information technology infrastructure. Ultimately, it helps you to save money because you don't have to define these requirements each time, and it increases the efficiency of being able to handle security, ultimately reducing effort. So it's a great way to be able to have, again, a common framework and not define each one of these depending upon your department or agency.

Now, within FedRAMP, there are three levels: low, moderate, and high.
And as you can see, there are different controls that are put in place. For FedRAMP Low, that's 121 different controls. FedRAMP Low means data loss doesn't compromise an agency's mission, safety, finances, or reputation. FedRAMP Moderate is a significant increase in the number of controls around how this SaaS solution is managed. With FedRAMP Moderate, any data that would be put in there, if the data is lost, it would result in a serious adverse effect on the agency's operations. What we find is that most stakeholder data typically requires FedRAMP Moderate, and as Ed mentioned, TTEC's Humanify Enterprise for Government platform has achieved FedRAMP Moderate authorization, and that's where Verint's platform sits as well. FedRAMP High: another almost one hundred controls on top of FedRAMP Moderate, with sensitive information such as military, law enforcement, and emergency services. So you'll notice that most of what we'll be talking about is FedRAMP Moderate, because that's where the majority of agencies have the requirement today.

A couple of things, key considerations for implementation. And again, Ed's going to go into a lot more detail behind this. As I mentioned, we've noticed that program offices within departments and agencies may not be aware that there is this FedRAMP requirement as of January of 2023. Contracting officers, however, are including FedRAMP or StateRAMP in their RFIs and RFQs independently of program office requirements. We've seen a dichotomy: when asking business owners whether they need FedRAMP, many of them will say that they don't need it, and then the contracting officers will insert it into the solicitation. So I would encourage you to talk to your contracting officers, talk to your contracting shop, about what requirements there are, because you will have to budget for any increased costs associated with FedRAMP, because there typically are modest increased costs.
And you will also have to think about obtaining internal security resources to be able to evaluate what's called a system security package. Ed's gonna talk to you about this in a few minutes, to obtain what's called authority to operate. Each agency must perform, under an authority to operate, its own assessment of the risks of the SaaS platform in order to implement either FedRAMP or StateRAMP. And each agency must grant an authority to operate before any government data can be collected in the platform or any users provisioned within there. Test systems can be set up. A lot of prework can be done, but no government data, no information can be collected until the department or agency issues a formal authority to operate. Now, depending upon the resources available to you, there are many vendors who are competing for resources with your information system security organization, and so there may be a delay in getting access to those resources. So having conversations with them early and often is very important. And as Ed will share with you in just a minute, there are many steps along the way that you need to be aware of. Verint and TTEC can guide you through that process, but you need to be aware of them as you go into it. So with that, Ed, I'm gonna turn the floor over to you and have you talk about much more detail behind this, to give people an overview of how this might work.

Great. Thank you, Brian. Okay. So a little bit more background on FedRAMP. Why FedRAMP? So I think Brian did a great job of outlining why it's important. It was established back in 2011, and they're just now starting to make modifications to how the program works. But, you know, in addition to standardizing the security requirements for each agency, it also makes it much easier for us as software vendors, as solution providers, to provide one set of security solutions that can be leveraged across a bunch of different government agencies.
So the guiding principle, do once, use many times, applies to the government as well as to the software vendors. And why do we care? There's a lot of executive orders, rules. And as Brian mentioned, contracting officers are requiring that, you know, agencies move to cloud, and the cloud has to be FedRAMP authorized.

So let me just go through the different organizations and roles in FedRAMP. So the first one is the Joint Authorization Board. This currently consists of the CIOs of the Department of Homeland Security, DOD, and GSA. They're responsible for the authorization and accreditation. And then there's another organization called the FedRAMP PMO, which oversees any agency authorizations, not JAB authorized solutions, but agency authorized solutions. There's a third party assessment organization. They are the auditor that goes through and does the detailed review of the system security plan and all the controls. And they produce a readiness assessment report and a security assessment report. And they're the ones who give the final recommendation to the JAB about whether to approve the authorization or not. Then there's the cloud service provider. TTEC is an example of a cloud service provider. Google and Amazon, Microsoft, those are other examples. But we install and operate the cloud service offering. We're responsible for performing the full security assessment and providing that to the 3PAO. So we own the system security plan, the assessment report, and also any POA&Ms, plans of action and milestones, for any security gaps or vulnerabilities. We're also responsible for continuous monitoring of the security stature and also for doing annual assessments. And then the end user agency. So the end user agency, they're responsible for defining the impact level of the solution that they need, whether it needs to be a moderate solution or a FedRAMP High level solution. And that really just governs the number of controls that are affected.
Now it's important to note that when the JAB issues an ATO, they issue a provisional authorization to operate, or P-ATO. And the reason for that is they cannot do any risk acceptance, if there's any risks that need to be accepted in the solution. They can't do that on behalf of agencies. And also, if there's any customer responsible controls, they can't accept that on behalf of the agencies. That's the job of the agencies. So the end user agency has to pull the package, download the package from the FedRAMP Marketplace, review it, identify any agency specific controls that they need to fulfill somehow, agency specific controls that they want to impose on the cloud service provider, us, and also review all the customer responsibility controls and also the risks. And then they issue the authority to operate, the ATO.

So there's a little bit different process for a JAB authorization versus an agency authorization. For the JAB authorization process, the cloud service provider needs to go through a process to, you know, submit a business case to the JAB saying that there's a market, there's agencies that would take advantage of it. We do the readiness assessment report, and then we work with the JAB and the 3PAO to get authorization. And then after it's authorized, we go into a continuous monitoring cycle, which includes monthly monitoring deliverables and an annual assessment. The agency authorization works a little bit differently. This is where the cloud service provider works directly with an agency. Once the agency decides it wants to sponsor them for a FedRAMP authorization, they put together a package. They work with the FedRAMP PMO to get a pre-authorization. And at that point, they do the full security assessment. The agency authorizes it, submits that to the FedRAMP PMO organization. They review all the materials. And at that point, then it's agency authorized. Let's see.
I talked a little bit about the number of controls that are affected. So for FedRAMP Moderate, it's about 325 controls that need to be met, and FedRAMP High is about 421. And then the DISA IL4 is in between that. That's about 380 or so. And this is an example of a control, one of the hundreds of controls that needs to be documented in the SSP. You know, this one has to do with using non-privileged accounts for accessing information. So for each one of these controls, you need to go through and check: is it implemented, partially implemented, planned, or not applicable? And then, how is the control met? Is it met through the cloud service provider's corporate policies? Is it system specific? Is it something that's configured by the customer, or is it a shared responsibility? Or is it inherited from another FedRAMP authorized product? And then detail about what the solution is and how it's implemented. So that's a lot of information, a lot of detail that needs to be gathered and documented. And it all gets reviewed by the 3PAO. And then the JAB looks at summary reports of it. But it's a pretty significant undertaking to go through this process.

So I talked a little bit about the JAB authorization. There's first a prioritization, where the cloud service provider submits the business case, proves there's demand. And then the JAB makes a prioritization announcement a couple of times a year and decides which of the five or six packages they've selected to go through this process. There's a readiness assessment, where the third party assessment organization gets involved. They do the readiness assessment report. And then there's a full security assessment done between the CSP and the 3PAO. All these deliverables are produced. And then we present that to the JAB, and then we do a kickoff meeting.
There's a couple of months' worth of reviews, remediations, questions and answering. And then there needs to be a thirty day period of clean continuous monitoring reports, which means there can be no critical and no high vulnerabilities that come up on the platform during this thirty day period. And then, if you pass all that, then you can get JAB authorized.

And then maintaining it is also a significant effort. There's monthly continuous monitoring reports, which are vulnerability scans and compliance scans on each and every component in the cloud service. And then there is an updated POA&M that needs to be updated every month. POA&M is a plan of action and milestones. So anytime there is a risk item that's identified, if it's critical or high, it needs to be resolved within thirty days. If it's moderate, it needs to be resolved within ninety days. And low risk items can have one hundred and eighty days. Now, a lot of these times, you're dependent on a vendor to fix these vulnerabilities. And so in that case, there's a plan of action and milestones. If, you know, because of the dependency you cannot get, like, a high risk item resolved within thirty days, then that would be a POA&M item. And those all have to be updated every month. So we have to work with all the different vendors that are providing products in our cloud to get those addressed. And there's an annual assessment. We basically repeat the process every single year. And then the JAB issues a P-ATO renewal letter.

So, how agencies can leverage FedRAMP. We talked a little bit about the provisional ATO that the FedRAMP organization issues. The JAB doesn't accept any risks or fulfill any customer responsible controls on behalf of an agency. And therefore, the agency must do its own review and issue its own ATO.
So one of the things that needs to be done early in the acquisition process is to identify the security officer that's gonna be involved in the project to go through the security package and basically lead the authorization. So, one of the things: work within the agency to determine what reports and forms are gonna be required, who is gonna be the authorizing official, and what the review and approval process and timeline is gonna look like. You request a security package from the marketplace at FedRAMP. One of the documents in there is the CIS workbook, or control implementation summary, that contains a summary of all the customer responsibilities that need to be reviewed and accepted. And then identify any agency specific controls. And then once that's all reviewed and done and the authorizing official signs off, then send the signed ATO letter to the FedRAMP PMO saying that you're now going to be using this product. All right. Brian, anything to add to that?

No. Ed, I think this level of detail is excellent. As you can see, FedRAMP really does give federal, and StateRAMP obviously gives state, departments and agencies a level of protection from a security standpoint that goes far beyond what you have experienced in the past. And it also requires a fair amount of work upfront. I will also suggest to you that once that work is done, once a platform has been accepted and you've been granted ATO, it becomes far easier for you to be able to conduct your business. So while there's a lot of upfront work that needs to happen, it is important to go into it with the knowledge that you will need to get additional resources from your information system security office. You will need to make sure you coordinate with your contracting shop to ensure that there is a requirement and that there is funding for it.
Once you go through it, and while there's a lot of detail behind it, it does make your implementation that much easier as you go ahead. And as you know, with SaaS solutions, the onus is on the vendor to be able to provide updates, to do product enhancements, to be able to make sure that they're keeping up to date with evolving security controls for FedRAMP, because these controls do evolve on a yearly basis.

So a couple of things we wanted to have you keep in mind. I think it's important, as, you know, you've taken the time today to go through our web seminar, we wanted to give you a couple of key points to take away on this. Again, make sure that you understand that, particularly at the federal level, there is a statutory requirement to utilize FedRAMP authorized solutions if they are SaaS. At StateRAMP, that is coming, depending upon the size of the state. We've seen some of the larger states have these requirements more than others, but it is being implemented on a state by state basis. Your contracting officers are including FedRAMP or StateRAMP in their RFIs and RFQs, so make sure you understand what they are putting in there. And make sure you understand exactly what the requirements are from a budget standpoint for any additional expense associated with this, because there are, as you can see, quite a few steps that vendors have to go through. There are some, let's say, modest increases in budget required, but something for you to plan for. And then make sure that you are getting those security resources available to be able to help you expedite the process of obtaining an authority to operate.

So just a few things to take away. Engage with your ISSO team about FedRAMP. Make sure that your ISSO knows how to request what's called the system security plan from the fedramp.gov marketplace. They can also request it directly from the vendor, whether it's TTEC or others. Your ISSO will then assemble a team and review that SSP.
And we found that in many cases, they have questions about certain elements of how vendors manage that system. It's very common for there to be several sessions with your ISSO team, the business owners, and the vendor to be able to answer those questions. And then go through your own internal process. We've seen a lot of variation between departments and agencies as to how they handle it. Make sure that they understand that we, as vendors, cannot put any data, any government data or any government users, in that environment until that ATO is issued. And then make sure that you're continuing to work as you normally do with your KO team to be able to contract for the solution. It's not particularly complex, but it is something for departments and agencies to keep in mind.

So, with that, that concludes the majority of the content for today. We would encourage you to mark your calendar for future episodes by scanning the QR codes on the screen, with lots of other content that Verint and TTEC are putting together for you. You see on the eighteenth of April, we're talking about how artificial intelligence and customer experience automation can help you better serve your community. And on May the ninth, we're also talking about how you can best use data that you already have to be able to help provide additional insights. Ed, I really want to thank you for your time today. It's been great having you. It's always a pleasure to present with you. And with that, we conclude today's webinar.