Cloud Security – FEDRAMP Standards

The US Federal Risk and Authorization Management Program (FedRAMP) is a "government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring" for cloud service provider (CSP) offerings. For those of us in Canada, the standard is useful twice over: it gives us guidelines for building our own cloud solutions on native soil, and it lets us take advantage of a formally mandated US federal baseline that commonly used providers such as Amazon, Google and Microsoft already meet.

FedRAMP exists to ensure that cloud offerings are secure enough for use by federal agencies, including agencies that handle sensitive information. An offering is authorized at one of three impact levels (Low, Moderate or High), chosen from the FIPS 199 categorization of the data it will hold, and the authorization applies to that specific offering, not to everything the vendor sells.

Cloud providers sometimes maintain separate offerings for private enterprise and government customers. Cloud engineers will note that Amazon runs AWS GovCloud (US), a set of regions in their own partition (aws-us-gov) that is operated by US persons and available only to vetted US entities such as government agencies, their contractors and organizations handling regulated US data. Because GovCloud is a separate partition with its own accounts and credentials, commercial-partition identities and resources cannot be used there directly, which helps when you need to demonstrate that a workload never left the boundary.
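The partition boundary is something you can check mechanically. The following script, added here as an example and not code from the original page or from AWS, parses resource ARNs and flags any that fall outside the GovCloud (US) partition or its two regions. The ARN format, the partition name aws-us-gov and the region names us-gov-west-1 and us-gov-east-1 are AWS facts; the sample ARNs, account number and function names are constructed for illustration.

```python
"""Guardrail: flag resource ARNs that are not inside AWS GovCloud (US).

Added example, not from the original page. The ARNs in SAMPLE_ARNS are
constructed for illustration; the account id is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# ARN layout: arn:partition:service:region:account-id:resource
# The resource field may itself contain colons, so it is captured greedily.
_ARN_RE = re.compile(r"^arn:([^:]+):([^:]+):([^:]*):([^:]*):(.+)$")

GOVCLOUD_PARTITION = "aws-us-gov"
GOVCLOUD_REGIONS = {"us-gov-west-1", "us-gov-east-1"}


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str      # empty for partition-global services such as IAM or S3 buckets
    account: str     # empty for some resources, e.g. S3 buckets
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its six fields; raise ValueError if it is not an ARN."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*m.groups())


def govcloud_violation(arn: str) -> Optional[str]:
    """Return None if the ARN lives in GovCloud, otherwise a short reason.

    Two checks: the partition must be aws-us-gov, and if the ARN carries a
    region at all it must be one of the GovCloud regions. A GovCloud
    partition with a commercial region is malformed and is flagged too.
    """
    a = parse_arn(arn)
    if a.partition != GOVCLOUD_PARTITION:
        return f"partition {a.partition!r} is not {GOVCLOUD_PARTITION!r}"
    if a.region and a.region not in GOVCLOUD_REGIONS:
        return f"region {a.region!r} is not a GovCloud region"
    return None


def audit(arns: Iterable[str]) -> Dict[str, str]:
    """Map each offending ARN to its reason; unparseable strings are reported, not skipped."""
    findings: Dict[str, str] = {}
    for arn in arns:
        try:
            reason = govcloud_violation(arn)
        except ValueError as exc:
            reason = str(exc)
        if reason is not None:
            findings[arn] = reason
    return findings


# Constructed sample inventory: three compliant ARNs, three that should be flagged.
SAMPLE_ARNS = [
    "arn:aws-us-gov:s3:::agency-records-bucket",
    "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/i-0abc123def456",
    "arn:aws-us-gov:iam::123456789012:role/DeployRole",
    "arn:aws:s3:::agency-records-bucket-copy",                      # commercial partition
    "arn:aws:lambda:us-east-1:123456789012:function:exporter",      # commercial partition
    "arn:aws-us-gov:rds:eu-west-1:123456789012:db:mydb",            # malformed region
]

if __name__ == "__main__":
    for bad, why in audit(SAMPLE_ARNS).items():
        print(f"OUT OF BOUNDARY: {bad}  ({why})")
```

In practice the input would be the ARN column of a resource inventory export (for example an AWS Config or Resource Groups listing) rather than a hard-coded list; the check itself does not change.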

FedRAMP authorizations are based on the NIST SP 800-53 Security and Privacy Controls

Each impact level maps to a baseline of controls drawn from NIST SP 800-53. The CSP documents how it implements that baseline in a System Security Plan, an accredited Third Party Assessment Organization (3PAO) tests the implementation, and the offering is then authorized either by an individual agency or by the Joint Authorization Board.

Best practices for the rest of us!

Many cloud providers have published whitepapers, sometimes hundreds of pages long, that help you secure your use of their services.

Sample List

Box.com – a brief, generic security resource section.

Freshbooks – security safeguards section at https://www.freshbooks.com/policies/security-safeguards

Salesforce – comprehensive, at 200+ pages: https://resources.docs.salesforce.com/220/latest/en-us/sfdc/pdf/salesforce_security_impl_guide.pdf

The PCI Data Security Standard – https://www.pcisecuritystandards.org/security_standards/documents.php?document=pci_dss_v2-0#pci_dss_v2-0 (this link points at PCI DSS v2.0, which has long since been superseded; get the current version from the PCI SSC document library).

Amazon Web Services – an excellent whitepaper, aging but still relevant: https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

Approved Vendors List

The organizations below were listed on the FedRAMP Marketplace (marketplace.fedramp.gov) when this list was compiled as having at least one FedRAMP-authorized or in-process cloud service offering. Appearing here does not mean every product from that vendor is authorized: authorization is granted per offering at a specific impact level, so check the Marketplace for the current status of the exact service you intend to use. Some entries are federal agencies or universities rather than commercial vendors; they appear because they operate their own cloud services (for example 18F's cloud.gov) that went through the same authorization process.

  • 18F
  • 1901 Group
  • 4tell Solutions
  • Accellion
  • Accenture
  • Acendre, Inc.
  • ACL Services Ltd
  • Aconex Limited
  • Acquia Inc.
  • Adobe
  • AINS
  • AirWatch
  • Akamai
  • Amazon
  • Appian
  • Apptio
  • Armedia, LLC
  • Asure Software
  • Autonomic Resources a wholly-owned subsidiary of CSRA LLC
  • Avaya, Inc.
  • Avue Technologies
  • Axon
  • BlackBerry
  • Blackboard
  • BMC Software
  • Box Inc.
  • BrightWork
  • BroadSoft Inc.
  • CA Technologies Inc.
  • Centrify
  • CFI Group
  • CGI Federal
  • CircleCI
  • Cisco Systems Inc.
  • Collab9
  • Collibra
  • Companion Data Services
  • Complete Discovery Source
  • Compusearch Software Systems, Inc.
  • Contegix
  • Coras
  • Cornerstone OnDemand
  • CoSo Cloud, LLC.
  • CrowdStrike, Inc.
  • Cylance, Inc.
  • Decision Lens Inc.
  • Deloitte
  • Distributed Solutions, Inc.
  • DNAnexus, Inc.
  • DocuSign
  • DOMA Technologies, LLC
  • Druva, Inc.
  • Economic Systems
  • Edge Hosting, A DataBank Company
  • Envisage Technologies, LLC
  • EPAY Systems
  • Equinix, Inc.
  • Esri
  • Everbridge
  • Ex Libris
  • FireEye, Inc.
  • Forcepoint
  • Frame, Inc.
  • General Dynamics Information Technology (GDIT)
  • GitHub
  • Google
  • Gordian
  • GPS Insight, Inc.
  • Granicus
  • HireVue
  • Hootsuite
  • Huddle US
  • Human Resources Technologies, Inc. (HRTec)
  • IBM
  • IdeaScale
  • Infor Public Sector
  • Innovative Discovery, LLC
  • Innovest Systems, LLC
  • Intelliworx
  • iSite LLC
  • IT-CNP
  • Ivanti
  • Jive Software
  • Knight Point Systems
  • Leidos Digital Solutions, Inc.
  • Lookout, Inc.
  • MAXIMUS Inc.
  • Medallia, Inc.
  • MicroFocus
  • MicroPact
  • Microsoft
  • MIS Sciences Corporation
  • mLINQS
  • MobileIron
  • MuleSoft, Inc.
  • Navman Wireless North America Ltd.
  • NetComm
  • Netskope
  • New Relic
  • New York University
  • NICE inContact
  • Northrop Grumman
  • Okta
  • OMB
  • OneStream Software
  • OnSolve
  • Oracle
  • ORock Technologies
  • Palo Alto Networks, Inc.
  • Pegasystems Inc
  • PEO Missiles and Space
  • Perspecta
  • PowerTrain Inc.
  • Project Hosts
  • Proofpoint, Inc.
  • PTC
  • QTS
  • Qualtrics
  • Qualys
  • QuestionMark
  • Rackspace Government Solutions
  • Rave Mobile Safety
  • REAN Cloud Inc.
  • Recovery Point Systems, Inc.
  • Replicon
  • Ricoh USA, Inc.
  • R&K Solutions, Inc
  • SAIC
  • Salesforce
  • SAP National Security Services Inc. (SAP NS2)
  • Saviynt Security Manager
  • ServiceNow
  • Skillsoft
  • Skyhigh
  • Slack Technologies
  • Smarsh
  • Smartronix, Inc.
  • Snowflake Computing, Inc.
  • Socrata
  • Splunk
  • SpringCM
  • SumTotal Systems
  • Symantec Corporation
  • TalaTek, LLC
  • The Arcanum Group Inc.
  • TIBCO
  • TRAPWIRE
  • United States Department of Agriculture
  • United States Department of the Treasury
  • Valimail
  • VASCO
  • VBrick Systems, Inc.
  • Veracode
  • Veritone, Inc.
  • Virtru
  • Virtustream
  • Waggl, Inc.
  • Workiva
  • Xerox Corporation
  • Zapproved LLC
  • Zendesk Inc.
  • Zimperium
  • Zoom Video Communications, LLC
  • Zscaler