Genesys recently announced its attainment of Federal Risk and Authorization Management Program (FedRAMP) authorization for its Genesys Cloud CX platform. It’s a significant milestone, enabling U.S. government agencies to securely transition their contact center and communication platforms to the cloud.
Understanding FedRAMP: A Government-Wide Cloud Security Program
While the private sector has widely adopted cloud solutions, the U.S. government faced unique challenges in adopting cloud services due to stringent security and compliance requirements. FedRAMP, established in 2011, is a U.S. government program that aims to promote the adoption of secure cloud products and services across federal agencies. It offers a standardized approach to security and risk assessment for cloud technologies and federal agencies, ensuring that modern cloud technologies are used while focusing on security and protecting federal information. With the signing of the FedRAMP Authorization Act in 2022, the program has been codified as the authoritative standardized approach for cloud computing products and services that process unclassified federal information. These requirements must all work within other legal frameworks, including the Federal Information Security Modernization Act (FISMA), the Office of Management and Budget (OMB) Circular A-130, and the National Institute of Standards and Technology (NIST) standards, and follow FedRAMP policy and the FedRAMP Authorization Act, which is part of the National Defense Authorization Act.
Becoming FedRamped: The Authorization Process
To obtain FedRAMP Authorization, Cloud Service Providers (CSPs) need to undergo a series of steps. They can choose between two approaches: a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. The authorization steps can be boiled down to these three areas:
- Preparation: During this stage, the CSP formalizes its partnership with an agency, prepares for the authorization process, and addresses federal security requirements by making necessary technical and procedural adjustments.
- Authorization: The CSP’s system undergoes a Full Security Assessment performed by a Third-Party Assessment Organization (3PAO), ensuring compliance with security standards. This step involves various agency reviews, security assessment reports, and remediation measures if needed.
- Continuous Monitoring: After authorization, CSPs are required to provide periodic security deliverables to all agency customers, including vulnerability scans, updated plans of action and milestones (POA&M), annual security assessments, incident reports, and significant change requests.
Timelines for getting FedRamped range anywhere from 90 days to 9 months, depending on an organization’s preparation.
The Importance of FedRAMP
The importance of FedRAMP cannot be overstated, as it addresses the unique security needs of the U.S. government while fostering innovation and efficiency through cloud adoption.
Data Security and Sovereignty
FedRAMP’s rigorous security standards ensure that cloud service providers implement robust security measures to protect government information. By obtaining FedRAMP authorization, Genesys and other approved providers demonstrate their commitment to safeguarding data against cyber threats and unauthorized access. The assurance of data security and sovereignty not only boosts government agencies’ confidence in adopting cloud solutions but also encourages private sector businesses to collaborate with FedRamped providers, knowing their data is in safe hands.
Accelerating Cloud Adoption
FedRAMP streamlines the cloud authorization process, making it more efficient and cost-effective for both cloud service providers and government agencies. By eliminating the need for agencies to conduct redundant security assessments, FedRAMP accelerates the onboarding of new cloud services, reducing bureaucratic hurdles. This streamlined approach not only benefits cloud service providers by expediting their market entry but also allows government agencies to quickly adopt new technologies to better serve their constituents.
Raising the Industry Standard
FedRAMP sets a gold standard for cloud security, and its influence extends beyond government entities. Many businesses and organizations are recognizing the value of FedRAMP’s stringent security requirements and are considering them when selecting cloud service providers. By adhering to FedRAMP standards, cloud providers not only gain an edge in securing government contracts but also enhance their reputation and attract customers from various sectors seeking enhanced security measures.
Converging with Stricter Data Protection Regulations
The recent cases of high-profile data breaches and privacy violations have led to increased scrutiny of data protection practices across industries.
- Facebook was fined a record $1.3 billion in May 2023 by the European Union, which demanded the social media goliath stop transferring user data to the U.S. It had already been fined $5 billion back in 2019 (the largest fine imposed on any company by U.S. regulators for violating consumers’ privacy) for allowing companies such as Cambridge Analytica to harvest the personal information of more than 80 million users.
- According to a congressional report released this month, taxpayers who used TaxAct, H&R Block, or TaxSlayer to file tax returns may have had their personal data shared with Meta and Google. A probe is under way involving enforcement agencies such as the IRS, the Treasury Inspector General for Tax Administration, the FTC, and the Department of Justice. Violating taxpayer privacy laws can lead to fines of up to $1,000 per violation and up to one year in prison.
- Didi Global, a ride-hailing app, was fined $1.19 billion in 2021 by China for mishandling customer information.
- Amazon was ordered to pay a $790 million penalty after a court in Luxembourg ruled that the tech giant had failed to comply with general data processing principles.
- Instagram was fined $429 million in September 2022 when Ireland’s Data Protection Commissioner (DPC) ruled that they had violated children’s privacy.
- WhatsApp was fined in 2021 by Ireland’s DPC after it found that the company didn’t properly inform EU citizens about how it collected and used their data and how that data was shared with Meta.
The Future of FedRAMP: Widespread Adoption
Amidst increasing cyber threats and the growing importance of data security and privacy in both the government and corporate sectors, FedRAMP’s importance is likely to grow further into the future. Cloud service providers seeking to work with government agencies and safeguard sensitive data are expected to follow suit, making FedRAMP the gold standard in cloud security. Congress’s call for stricter data protection underscores the urgency for adopting robust security measures. FedRAMP’s role in government technology adoption is crucial, and its influence is set to shape the future landscape of data protection and compliance, driving organizations outside the government to adhere to these stricter standards to uphold their reputation, avoid penalties, and safeguard sensitive data from unauthorized access. Moreover, as the global regulatory landscape evolves, being FedRAMP authorized could become a proactive approach for solutions providers to demonstrate compliance with the most stringent data protection standards.
About the Author
Carlton Perkins
Principal Solutions Consultant, Alvaria/BP/Genesys/WFO/WEM
Waterfield Tech
Carlton is a results-driven professional with a proven record of leading technical solutions and digital transformation in complex contact center environments. With extensive industry knowledge, critical thinking, and effective communication skills, he guides cross-functional teams to resolve issues and design solutions. His innovative approach to strategic leadership has been recognized for its impact on large contact centers.