Cyber Security & Government Agencies: FedRAMP Compliant FOIA Software Advice

Posted by James Bailey

FOIA agencies need FedRAMP Compliant FOIA Software for securing their data

It’s no secret that cyber security threats loom over federal agencies. According to the report the White House’s Office of Management and Budget (OMB) issued 2 months ago, three out of four federal agencies are at risk from cyber attacks.

Of the 96 federal agencies that participated in the assessment, only 25 were reported to be managing risk using the recommended tools and policies.

This means that the remaining 71 federal agencies were reported to have cyber security programs that were either ‘At Risk’ or at ‘High Risk.’

[Figure: government agencies risk performance]

Source: OMB 2018 report

Turn these numbers into percentages, and what you’ll get is that over 70% of federal agencies are at risk of cyber attacks.

We are talking about the security of content held by federal agencies. Content that concerns and belongs to all of us.

But that’s not even the worst part. According to the OMB report, only 40% of the assessed agencies reported the ability to detect and investigate signs of a data breach. Only 25% of the agencies can detect attempts to access large volumes of data in their systems. And even fewer actually test these data breach detection capabilities on an annual basis.

But what’s the reason behind these numbers? Why do federal agencies fall so short when it comes to cyber security?

Let’s take FOIA Agencies as an example.

Why Do FOIA Agencies Fail To Protect Themselves From Cyber Security Threats?

Cyber risks can manifest in different ways, but they all strongly affect the security of FOIA agencies. And very often, these agencies can do nothing to protect themselves while data theft is underway. This inability comes from the fact that they don’t always have the means necessary to respond to the threat.

Let’s take a look at some of the reasons why FOIA agencies fail to protect themselves from cyber attacks:

  1. FOIA agencies are not always equipped appropriately to determine how perpetrators find their way into their information systems. Their IT tools are often outdated and unsupported. This alone is more than enough for FOIA agencies to fail to protect themselves from cyber security threats.
  2. Another vital reason why FOIA agencies fall short on protecting themselves from cyber attacks is the lack of standardization of common operating procedures. Malicious links, emails, and attachments can easily infect unsuspecting users’ machines with malware.
  3. The defensive capability of FOIA agencies has largely stagnated while perpetrators become more sophisticated and advanced in the actions and techniques they use to attack and compromise information systems.

All of these reasons create enterprise-wide gaps in network security and standardization of common operating procedures. This results in up to 70% of federal agencies ‘At Risk’ or in ‘High Risk’ positions.

These numbers emphasize the dire need for change across agencies. Federal agencies working with FOIA requests need immediate and highly effective improvements that will turn this situation around and dramatically improve their level of security.

The solution? FedRAMP Compliant FOIA Software Solutions.

What Is FedRAMP And Why Do FOIA Agencies Need It?

Federal Risk and Authorization Management Program (FedRAMP) is a Government-wide information security program.

FedRAMP was developed by the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the Department of Defense (DOD), and the Department of Homeland Security (DHS).

It was reviewed and affirmed by many FOIA Agencies.

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud computing products and services. Basically, it is more of an assessment and authorization process that cloud computing services must use to ensure cyber security of their cloud-based information systems.

As directed by OMB, FOIA agencies must use FedRAMP when choosing cloud computing products and services. Choosing a FedRAMP Compliant FOIA Software solution not only guarantees the security and protection of Governmental data; it also saves the time, money, and effort required for these security assessments.

As such, FedRAMP exists as a guarantee that no FOIA related record will ever be unprotected. The existence of such a program significantly reduces the burden FOIA Agencies carry every day.

Now, let’s see how FedRAMP Compliant FOIA Software Solution ensures data security in FOIA agencies.

FedRAMP Security Assessment Framework

As stated in the official FedRAMP Security Assessment Framework report from 2017, FedRAMP uses a “do once, use many times” framework which includes the following four stages:

  1. Documentation of Security Controls. This stage includes the categorization of Information Systems (IS), the selection of security controls, the implementation of those security controls, and finally their documentation in the System Security Plan (SSP).
  2. Assessment of the SSP. This is the second stage, at which an independent assessor examines the IS to determine whether the selected security controls documented in the SSP are effective and implemented according to the FedRAMP template.
  3. Authorization of the Security Assessment Report (SAR). Once the testing is done, the next step is authorization. At this stage, based on the SSP, an Authorizing Official (AO) makes an authorization decision.
  4. Monitoring of the FedRAMP Compliant Cloud Service Providers (CSP). After the cloud computing service has been authorized (if authorized), it must be under continuous monitoring. The reason for this final stage is to make sure the cloud system maintains an acceptable risk posture.

If a cloud computing service passes through all of the stages of the FedRAMP assessment framework, it becomes FedRAMP Authorized.

Unfortunately, there are very few FedRAMP compliant cloud computing services. And this is one of the reasons why federal agencies fail to protect themselves from cyber attacks. There simply aren’t many providers and solutions to choose from.

The FedRAMP Compliant Armedia FOIA Module

From the OMB report we discussed earlier, we saw that 70% of federal agencies fail to protect their data from cyber attacks. And FOIA agencies are not excluded.

To protect themselves from cyber attacks, OMB directs FOIA agencies to rely on FedRAMP Compliant FOIA Software solutions.

Being well aware of this problem, we’ve collaborated with ArkCase, Alfresco, Ephesoft, and AWS, and we’ve developed the Armedia FOIA Module, which is available as a FedRAMP Moderate cloud offering.

What does this mean?

It means that the Armedia FOIA Module ticks all the boxes needed in order to pass repeated reviews under the FedRAMP guidelines.

It means that FOIA agencies that decide to pursue FedRAMP compliance can simply start using the Armedia FOIA Module listed within the FedRAMP Marketplace, and become a FedRAMP Compliant FOIA Agency immediately.

If you want to find out more about the FedRAMP Compliant FOIA Software by Armedia, please feel free to ask for more info.

And, don’t forget to share this article with your colleagues on social media. Help them learn more and make better decisions when it comes to choosing a secure cloud computing service.
