Code42 and FedRAMP compliance
Who is this article for?
Incydr Professional, Enterprise, Horizon, and Gov F2, yes.
Incydr Basic, Advanced, and Gov F1, yes.
This article gives an overview of the FedRAMP program and describes the Code42 federal environment and its compliance with federal requirements.
- Code42 received FedRAMP authorization in December 2020 and is now available for use across the federal government. See the FedRAMP Marketplace for details, or go to https://www.code42.com/federal-solutions for more information about Code42's federal products and services.
- For more information on the features available in the Code42 federal environment, refer to our product plans.
- Code42 maintains several cloud environments, only one of which complies with FedRAMP requirements due to the configuration and hosting of its infrastructure.
The Code42 federal environment
The Code42 federal environment implements the same set of robust security measures and practices as all Code42 environments, but differs slightly in functionality due to its architecture. For the Code42 federal environment:
- The Code42 federal environment is categorized in the moderate impact level according to FIPS 199 requirements.
- The Code42 console, Code42 agent, and all data is encrypted according to FIPS 140-2 requirements, instead of via other strong encryption methods that may not be FIPS compliant. In all Code42 environments, data is encrypted both at rest and in transit.
- To ensure the use of FIPS encryption in the Code42 agent, app installations must be deployed with a deployment policy. Users cannot download the installation package from the Code42 console or an email message.
- External keystores (such as a Vault server) cannot be used to separately store encryption keys.
- Zip file restores from the Code42 console are not available. Administrators can still restore any files to any device using the device or "push" restore feature.
- Incydr Flows and Incydr Labs are not available in the Code42 federal environment.
- Code42 backs up data in the Code42 federal environment in the order that files were discovered and added to the to-do list, instead of backing up the most recent files first followed by older files.
Request the Code42 security package
Government agencies can request access to the Code42 security package using the request form available on the FedRAMP Marketplace. To access the form, select Code42 from the marketplace list and then click the Package Access Request Form link.
You can also contact your Customer Success Manager (CSM) for more information on Code42's FedRAMP compliance. If you do not know your CSM, please contact our Technical Support Engineers.
FedRAMP program overview
The Federal Risk and Authorization Management Program (FedRAMP) from the United States Government provides a standard method for the security assessment, authorization, and continual monitoring of cloud products and services. Government agencies (and companies who partner with them) are required to choose FedRAMP authorized providers when using cloud products and services to ensure the security of their data.
The Federal Information Security Management Act (FISMA) enacted in 2002 defines the IT security requirements that U.S. federal agencies are required to meet. The FedRAMP program clarifies how FISMA's requirements apply to cloud services.
Non-government, public sector companies may use FedRAMP authorized cloud services if they frequently partner with government agencies, want to leverage known approvals and standard practices, or value the robust assessment and continuous monitoring of security risks offered by FedRAMP.
The FedRAMP framework emerged from a need to modernize government agencies' aging IT infrastructure and systems that were cumbersome, individually managed, and inconsistent in the application of security practices. By standardizing the method by which providers can assess, manage, monitor, and report security risks, FedRAMP helps accelerate the adoption of cloud services and products across government agencies. This adoption helps make agencies more nimble and agile by:
- Leveraging existing security assessments to save agency time and resources: "do once, use many"
- Ensuring a standard approach to security risk assessments and mitigation
- Increasing confidence in the security of cloud services and products
- Increasing automation and data access
Development, maintenance, and operation of FedRAMP is governed by several U.S. entities:
- The Office of Management and Budget (OMB) issued the FedRAMP policy memo that defines the key requirements and capabilities of the program.
- The Joint Advisory Board (JAB) is responsible for primary governance and decision-making. This board is comprised of chief information officers from:
- The Department of Homeland Security (DHS)
The DHS also manages the FedRAMP continuous monitoring strategy that coordinates reporting, threat notification, and incident response.
- The General Services Administration (GSA)
- The Department of Defense (DOD)
- The Department of Homeland Security (DHS)
- The CIO Council distributes FedRAMP information for cross-agency coordination.
- The FedRAMP Program Management Office (PMO) is responsible for the development of the program and management of day-to-day operations.
- The National Institute for Standards and Technology (NIST) advises on FISMA compliance and develops the standards used to assess that compliance.
Applicable regulations and standards
Requirements for U.S. government agency's IT systems and security are defined in the following:
- The Federal Information Security Management Act (FISMA) of 2002 (revised in 2014) defines the IT security requirements that U.S. federal agencies are required to meet.
- The FedRAMP Policy Memo of 2011 establishes the FedRAMP program and clarifies how FISMA requirements apply to cloud services.
The National Institute for Standards and Technology (NIST) develops the standards by which organizations can demonstrate compliance to those regulations. Some of the NIST standards that form the backbone of FedRAMP authorization include:
- SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
- SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- SP 800-61, Computer Security Incident Handling Guide
NIST also develops and maintains Federal Information Processing Standards (FIPS) that define how data and information systems should be categorized, encrypted, signed, verified, or authenticated in accordance with FISMA. These standards are also valuable resources to help public sector companies establish strong information security programs.
Under FedRAMP, cloud service providers are categorized into one of three impact levels, based on the impact an outage would have on the federal agencies using the CSP's services:
- Low: Loss of confidentiality, integrity, or availability results in limited impact to an agency's reputation, finances, or safety. Low impact systems typically store minimal personal identifiable information (PII) beyond that needed to authenticate users (such as usernames, passwords, and email addresses).
- Moderate: Loss of confidentiality, integrity, or availability results in serious impacts to an agency's operations, assets, or individuals. These impacts include significant operational disruption, financial loss, or non-physical harm to individuals. The Code42 federal environment falls into this moderate impact level.
- High: Loss of confidentiality, integrity, or availability results in catastrophic impacts to an agency, potentially including financial loss or closure, halting of operations, or loss of intellectual property or individual lives. CSPs at this level usually handle high-risk systems, such as defense, intelligence, healthcare, finance, or emergency or law enforcement systems.
Achieving FedRAMP authorization is a complex process. A high-level overview follows:
- The cloud service provider (CSP) connects with the FedRAMP Joint Advisory Board (JAB) and determines the type of authorization to pursue.
Two types of authorization are available: Provisional Authority to Operate (P-ATO) or Agency Authority to Operate (ATO). CSPs identify which type of authorization to pursue based on their processes, impact level, deployment model, and market demand.
- The CSP partners with a third party assessment organization (3PAO) as needed and completes a readiness assessment report detailing its cloud service offering or product.
If the JAB approves the provider's readiness assessment report, the CSP is then designated "FedRAMP Ready" and is advertised in the FedRAMP Marketplace.
- With the 3PAO, the CSP uses FedRAMP-provided templates to create and submit the following documentation:
- System Security Plan (SSP)
- Security Assessment Plan (SAP)
- Security Assessment Report (SAR)
- Plan of Actions and Milestones (POA&M)
- All documentation is reviewed and any questions or comments are submitted to the CSP for assessment. After all questions are addressed and remediation activities are completed, the CSP receives FedRAMP authorization.
- After receiving authorization, the CSP provides documents generated during continuous monitoring activities to the agencies using their service. The CSP also works with the 3PAO to complete an annual security assessment that is submitted to the FedRAMP repository to validate continued compliance.