What Is FedRAMP? (S1:E7)

March 9, 2022

Humans in Tech | What Is FedRAMP? (S1:E7) We bring on tech expert Dave Helbock Jr., Director of Product Management at Identiv, to unpack the Federal Risk and Authorization Management Program. FedRAMP is an initiative that aims to ensure government agency data is consistently and highly secured in the cloud. Dave dives into the options physical security specialists have in moving on-premises technology to a FedRAMP-approved cloud model.

Full Transcript

Speaker 1 (00:01): You're listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in Physical Access, identity verification, cybersecurity, and IoT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging phygital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Today, Identiv is an innovative global leader in security and verifying identities in the IoT, but the company has been trusted by the US federal government to provide exceptional Physical Access Control system solutions for over four decades. Its PACS solutions are robust, extremely reliable, feature rich, and while designed with the most secure facilities in mind, are priced to install anywhere. Leigh Dow, VP of global marketing at Identiv, is joined today by Dave Helbock, Jr., senior sales engineer at Identiv, to discuss the Federal Risk and Authorization Management Program, or FedRAMP.

Leigh Dow (01:19): FedRAMP is an initiative that aims to ensure government agency data is consistently highly secured in the cloud. We've brought Dave Helbock on today to discuss the options Physical Security Specialists have in moving on-premise servers and clients to a FedRAMP approved cloud model. Thanks for taking the time, Dave.

Dave Helbock (01:35): Hey, no problem. Glad to be here.

Leigh Dow (01:37): Before we get started, can you take us through your history prior to joining Identiv in 2019?

Dave Helbock (01:42): Yeah. Over the last 20 some years now, I've been working in the Physical Security space. Started as an installer, then became more on the design and engineering side, Access Control, video surveillance. In the early 2000s, around 2004, started getting heavily involved with smart cards and different types of credentialing technologies. Then eventually joined the government, worked there for a few years. Now I'm back out on the industry side of the world and selling the solutions to various customers like the federal government and other commercial applications that need highly available and high security devices. And that brings me to today.

Leigh Dow (02:29): Over those 20 years, what are the most significant changes you've noted in Physical Security in general?

Dave Helbock (02:35): I think the adaptation of the IT piece of the industry moving into very intelligent applications, network-driven applications, the server side, the storage side, where a lot of the systems in prior decades at this point were very stove-piped, individual, with no access to them remotely. Where now you can set up almost everything that you need in a cloud infrastructure, in either an internal cloud or a hosted cloud. You can do your access control, you can do permissions and reporting and sort of operations. In this way, it allows a lot of people visibility over the entire system and what the system's doing and its operational capabilities, where before it was very challenging to get to all the different systems. Now you can manage them all with one head-end and one scope in lieu of having to log into 30 or 40 different applications, or buildings, or facilities. It's watching the systems merge into more of an enterprise application, which has been really neat to see in the industry.

Leigh Dow (03:52): What about federal PACS?

Dave Helbock (03:54): On the fed side? It's a little bit slower on some of the merging. The IT teams and the Physical Security teams still have a lot of parts to work out when it comes to how the systems need to be designed. There are a lot of different types of sensitive spaces that have very specific access control requirements. And because of those requirements, it can become a bit combative between the two teams because of how the system has to operate due to one requirement. And then the IT teams have a separate requirement on how it needs to operate. And this causes some frustration. But I've seen it get better. There's definitely more visibility on how the IT teams can help the Physical Security teams and leverage a lot of the applications that they have and share those resources with Physical Security. So they don't have to keep maintaining workstations or maintaining servers. It can all be part of a package. Part of an IT operations package where the Physical Security teams can still call the shots, but they don't have to worry about IT maintenance and networks; that can be done by SMEs on the IT side.

Leigh Dow (05:14): When was FedRAMP introduced and why?

Dave Helbock (05:17): The whole cloud computing process was generating over the last, probably, 20 years with the hosted solutions. And around 2011, FedRAMP was introduced to move infrastructure from the government agencies in closets, or under people's desks, or wherever they decided to have their servers at the time, into more of a highly secure and available cloud operation system. So by 2012, I believe they actually had the FedRAMP process written and developed. It was only a few applications early on. They have now... I think there's up to four different types of applications you can actually apply to. So you could apply as a high system, a medium system, a low system. I think there's also an entry level system for if you want to do some sort of basic processing or basic open-level coding, or if you wanted to maybe have a program management guideline where it's a process that may not need to fit a high mold. But you can actually do a FedRAMP solution for a very low application since it's not sharing anything specific. No one's going to be interrupted, or processes interrupted, if there's an integrity issue. But the actual program itself has definitely been growing since 2012. And I think today there's well over 200 applications that are approved, and there are dozens in the queue. We're going through the process as well. So it's really neat watching the commercial world get involved with assisting the government and providing high-secure cloud operations that are actually tested, and certified, and continuously monitored in one location in lieu of the government having to test and accredit these systems in multiple locations constantly. You can take the accreditation for that one package and now reuse it. So a lot of money is getting saved with that process.

Leigh Dow (07:38): Why is the FedRAMP certification becoming so important?

Dave Helbock (07:41): It's becoming important because of the burden of having to ATO all these separate systems inside of your infrastructure. If you are using the same application as maybe GSA, or DHS, and DOJ, and DOE, and all of those teams, when they put something on their network, now they have to have the accreditation for it to ride on their network. If they're all going to use the same application, then they could actually just use one FedRAMP application inside the cloud, like say an access control system, or maybe a video surveillance system. And now that system only has to be accredited that one time instead of four separate accreditations, which can take months and months. It's an extremely heavy process to have systems accredited.

Leigh Dow (08:34): So Bloomberg did a spending analysis and found that US federal agencies spent 6.6 billion on cloud computing services in 2020, and then 6.1 billion the year before that. Have you noticed a spike in the number of providers that are seeking certification?

Dave Helbock (08:50): Right now I think there is definitely a spike. Even internally at Identiv, it's one of the processes that we're looking at here to offer to our end users as a service. I think it's also good for our commercial applications too. You have to go through quite a rigorous process in order to even be a FedRAMP approved solution. And one of the primary benefits of actually using a FedRAMP cloud service is now you don't have to maintain all those servers individually. You're not doing all the controls and monitoring. You're using that and reciprocating that ATO inside of your agency. And instead of having to become an IT support maintenance team and desktop support maintenance team, your application can be hosted, used and delivered to you, and then have that management stuff done by the host, by the provider of that FedRAMP solution. So I think it's going to continue to grow. I also think, in the commercial world, that they're going to see these FedRAMP listed systems as a benefit. They went through that rigorous process. They know the teams that are doing it. Now that they're at hundreds of systems that are approved, they're going to say, "Wow, we have to use this risk management framework. We need to apply certain controls to our systems. But we could also go this other route with a hosted route and then not have to recreate building that entire application internally to our infrastructure. We can use the hosted application and know it's highly secure and available for the end users using that platform."

Leigh Dow (10:38): Is FedRAMP a realistic requirement for PACS hosted and managed by a commercial vendor?

Dave Helbock (10:43): The FedRAMP applications... there are definitely a lot of different use cases. It's going to be up to agency specific guidance, agency specific requirements. The integrity of the system is there, and it can be used, but it's going to be determined by those federal agencies. If they want to use a FedRAMP application to do Physical Access Control activities, the systems are definitely available to do it. It's going to be a culture shift for the actual Physical Security Specialists who accept using a FedRAMP infrastructure to host their data, host their alarms, host the credential management applications, to host all the access levels and the door groups, and time zones and controls. And that's going to be an interesting next couple of years... it will be interesting watching those applications and understanding if the government is going to move in that direction. Right now, we are getting, you know, a lot of interest, a lot of calls. It is definitely becoming a priority internally as well, to be able to offer it. Will it eventually become the go-to solution for the government? I think in some cases, it probably will. In other cases, they may keep their standalone systems and that's going to be the direction of those agencies.

Leigh Dow (12:18): So FedRAMP is here to stay?

Dave Helbock (12:20): I believe so. Yep. At this point, we are definitely going to see a lot of activity and we're going to offer our own solutions at Identiv, and we're also going to team up with other solutions to make sure that we are giving our end users everything they need.

Leigh Dow (12:38): Well, thank you so much for joining us today and taking the time to walk us through FedRAMP.

Dave Helbock (12:42): You got it, no problem. Thanks for having me.

Speaker 1 (12:44): The problem isn't security, it's awareness. Velocity Vision is the future of visual surveillance: an intelligent video management solution that delivers real-time situational awareness in an open security platform. Integrate with your existing systems, verify your environment in one pane of glass, and increase the efficiency of your security operation. Get full control of your environment when and where you need it. Learn more at Identiv.com. Physical Security. Identity verification. The IoT. The hyper-connectivity of our lives will only grow more pervasive. As technology becomes more automated, and experiences more augmented, it's up to us to preserve our humanity and use new tools and trends for good. The only question is: are we up for the challenge?