Managed File Transfer With FedRAMP Compliance
A FedRAMP Authorized managed file transfer (MFT) solution lets agencies and their providers move federal data securely while meeting FedRAMP requirements for cloud security.
Is Kiteworks FedRAMP compliant? Yes. Kiteworks states that its hybrid cloud model is FedRAMP Authorized to handle federal data, and that it holds six FedRAMP authorizations and is used by more than eight agencies.
What Is FedRAMP?
FedRAMP (the Federal Risk and Authorization Management Program) is the U.S. government-wide program for assessing, authorizing, and continuously monitoring cloud services used by federal agencies. Any cloud service provider (CSP) that wants to offer a cloud service to a federal agency must obtain a FedRAMP authorization. Its security baselines are drawn from NIST Special Publication 800-53, which defines the security and privacy controls a CSP must implement when handling federal information.
Several other federal compliance frameworks apply to IT providers in the federal space, but FedRAMP is the foundational one for cloud providers that want to work with a federal agency.
The FedRAMP authorization process is long and rigorous: the CSP documents its implementation of the required controls, and an accredited Third-Party Assessment Organization (3PAO) independently tests and assesses the system before an agency (or the FedRAMP program itself) grants an authorization. Authorization is not a one-time event. To keep it, the CSP must perform continuous monitoring, including regular vulnerability scanning, reporting of significant changes and incidents, and an annual reassessment.
At its heart, FedRAMP requires CSPs to implement the NIST SP 800-53 controls in the baseline for their impact level. Those controls are organized into families such as:
- Access control
- Awareness and training
- Audit and accountability
- Risk assessment
- Physical and environmental protection
- Among others
Which controls a CSP must implement depends on the baseline assigned to the system, and that baseline depends on the sensitivity of the federal data it handles. The more sensitive the data, the larger the set of controls (and the more stringent their parameters) the CSP must have in place before it can be authorized.
What Are FedRAMP Impact Levels, and Which One Do I Need?
FedRAMP groups its control baselines into “Impact Levels” that correspond to how sensitive the data a CSP stores or processes is. The levels come from FIPS 199, which rates the potential impact of a loss of confidentiality, integrity, or availability of an information system as low, moderate, or high. The system’s overall category is the highest (“high-water mark”) rating across those three objectives.
Using those ratings, FedRAMP defines three Impact Levels: Low, Moderate, and High.
- Low Impact applies where the loss of confidentiality, integrity, or availability would have only a limited adverse effect on the agency’s operations, assets, or individuals. This is typically information that is already intended for public release or is otherwise non-sensitive, but it still requires protection in a cloud environment.
- Moderate Impact applies where a loss would have a serious adverse effect on the agency’s operations or its constituents. This covers non-public information, including data whose exposure could cause financial harm or, in some cases, physical harm. Most FedRAMP authorizations are at this level.
- High Impact applies where a loss would have a severe or catastrophic adverse effect. Loss of this data could significantly degrade or halt an agency’s ability to operate, or cause major financial loss or physical harm, including loss of life.
As the potential impact rises across these three levels, so does the number of controls in the baseline and the stringency of their requirements.
The Impact Level you need, and therefore the set of controls you must implement, is determined by the kind of data you handle on behalf of a federal agency.
What Is MFT and Why Is It Important for FedRAMP?
At a minimum, any FedRAMP-authorized CSP must protect federal data in transit and at rest with encryption that uses FIPS 140-validated cryptographic modules. Most managed file transfer solutions transfer files over a secure protocol such as SFTP or HTTPS, which lets them fit into a compliance strategy.
Many government agencies are also adopting enterprise-grade solutions for handling data. Rather than relying only on basic cloud storage, they want tools that help them control, track, and optimize how data is used across their operations.
This fits well with MFT. What is managed file transfer? MFT is a suite of secure file transfer tools that gives an organization central control over file movement and the data involved. Whereas a plain file transfer protocol simply moves files from one place to another, a managed file transfer solution adds features on top of the transfer itself, such as:
- Analytics to help provide insights on data usage, transfer times, etc.
- Logging and audits to help with security and compliance
- Authorization and encryption for security and privacy
- Dashboards for data visibility and accessibility across an entire organization
With that in mind, it is easy to see why MFT can be an integral part of FedRAMP compliance for a CSP offering these services. A federal agency that needs secure, end-to-end file transfer across its teams will expect any CSP answering its RFP to demonstrate that the solution is FedRAMP Authorized at the appropriate impact level.
How Does Kiteworks Support FedRAMP Compliance?
If you are a cloud provider that partners with a federal agency and you use a managed file transfer service, either as a product for customers or as part of your internal operations, that secure file transfer product must meet FedRAMP requirements. Kiteworks addresses these in several critical areas:
- Logging and documentation: Kiteworks includes logging and reporting tools that can be configured to meet FedRAMP requirements. Many controls, particularly in the Audit and Accountability family at the Moderate and High Impact Levels, require audit logs and supporting documentation that record data access and use and support investigation of security incidents.
- Data visibility and accessibility: The Kiteworks dashboard is accessible via the cloud and contains enterprise-grade tools to manage, audit, and control data across an organization. A visual CISO Dashboard combined with detailed audit logs provides several layers of data and event visibility, including uploads, downloads, and failed or unauthorized access attempts.
- Security and compliance: Data handled by Kiteworks is encrypted to the levels FedRAMP requires, both at rest on the server and in transit over SFTP and other secure connections. Other communication channels, such as email, can likewise be used over encrypted connections.
- Physical and administrative safeguards: Kiteworks maintains the physical and administrative safeguards required for FedRAMP authorization, including protections against unauthorized physical access to server rooms and workstations.
- Private cloud deployment: Shared, multi-tenant public clouds can be a concern for agencies and providers that need their data isolated from other tenants and from a broader attack surface. Kiteworks provides dedicated private cloud infrastructure, including private content communication, file systems, database services, and visualization and logging tools, so you can track third-party traffic moving in and out of your system.
Kiteworks offers services at the FedRAMP Low and Moderate Impact Levels for both federal agencies and FedRAMP-authorized providers.
Find Out More About Kiteworks
If you’re interested in learning more about Kiteworks FedRAMP Authorized solutions, check out FedRAMP Authorization.