In today’s world of widespread adoption of cloud-based software, security is top of mind. Organizations are taking steps to protect sensitive data and their IT infrastructure. Internal Audit has a new option available to help mitigate data security risks while still taking advantage of the many benefits offered by cloud-hosted software – TeamMate+ FedRAMP.
TeamMate+ FedRAMP is our latest and most secure cloud-hosting environment, available for organizations who wish to optimize their data security posture. This article provides background on FedRAMP, the authorization process, and why it may be the right choice for your team.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP.gov - the basics), established in 2011, provides “a cost-effective, risk-based approach to the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.”
FedRAMP achieves this mission by acting as an oversight function for cloud-service providers (like TeamMate) to be independently vetted, verified, authorized, and continuously monitored. FedRAMP Authorized solutions are currently available for use by businesses.
Does FedRAMP apply to only government agencies?
There are different levels and approaches for cloud-service providers to achieve and maintain FedRAMP Authorization. TeamMate has chosen a path forward known as FedRAMP Public Cloud that supports many federal-level agencies— such as the National Institutes of Health and the Department of Energy — and can be deployed for private or commercial businesses as well.
This means that Internal Audit teams now have an option to use TeamMate+ within our highest security environment: TeamMate+ FedRAMP cloud hosting.
What are the security standards?
FedRAMP currently follows and verifies against NIST 800-53 Rev 4, which are set by the National Institute of Standards (About NIST). These standards, and the established controls to meet them, are the underlying basis for review, authorization, and continuous monitoring. The graphic below compares the number of controls for HIPAA and SOC2 against FedRAMP and represents a comprehensive set of requirements that involves rigorous testing.
FedRAMP NIST Controls
What is the Authorization process?
The process for cloud-service providers like TeamMate to become FedRAMP Authorized involves several steps and requires a significant commitment:
- Gap analysis: Review against NIST standards. TeamMate partnered with Coalfire, a leading security advisory firm, to augment our own internal review.
- Addressing the gaps: The investment of time and resources needed to understand and document our product and hosting environment to meet the FedRAMP development effort and test against FedRAMP standards.
- Working with a sponsoring agency: TeamMate aligned with the National Institutes of Health (NIH), a sponsoring agency, to assist with our development and testing efforts and verify that underlying FedRAMP standards were met.
- Independent review: FedRAMP procedure requires review by an independent third-party assessment organization (3PAO) to review and verify. To accomplish this, TeamMate worked with Schellman, a leading business in this space.
- FedRAMP Authorization: This involves documentation and presentation to the FedRAMP Project Management Office, as well as addressing any open items or questions before final review and approval. In May 2022, TeamMate achieved FedRAMP Authorization, both at the product level and for our TeamMate+ FedRAMP cloud hosting environment.
What does this mean for you?
It means you can work with leading audit management tools to enhance your security posture by conducting your audit work in a FedRAMP Authorized environment: TeamMate+.
It means you can verify that TeamMate+ meets the underlying standards set by the FedRAMP by viewing our listing on the FedRAMP Marketplace, the official source to determine whether a cloud service provider has completed the vetting process.
It means you can take comfort in knowing that as part of maintaining FedRAMP Authorization, TeamMate will be continuously monitored against current and future standards. Cybersecurity is never a one-time activity!
It means that having the best of all worlds is more than a possibility.
