November 07, 2023
Improve Collaboration in the Public Sector With Cisco Solutions
From the enterprise to the tactical edge, Cisco's UC Manager solution is an industry leader in enterprise call and session management platforms for federal agencies.
For Federal agencies tasked with protecting and serving our nation, effective collaboration is crucial in making strategic decisions. Despite the overwhelming need for effective communication tools, many agencies struggle to adopt the latest collaboration solutions. With varying communication needs, increased network demands, constant security threats, and stringent security guidelines, selecting the right solution can be daunting. Supply chain challenges combined with a shortage of qualified and cleared personnel make it imperative that Federal agencies find solutions that can be implemented quickly and easily. With the majority of the workforce operating flexibly from home due to changes since COVID-19, the need for these solutions has never been greater.
Even today, many Federal agencies still rely on Private Branch Exchange (PBX) telephone systems. This is especially true in larger, sprawling environments such as campuses or military bases. These locations are plagued with aging infrastructures, at-capacity copper cable plants, and IP networks that were never designed for real-time voice and video traffic. Exorbitant maintenance contracts have kept these dying PBX systems barely alive for too long. As agencies look to support a more mobile and expansive workforce, solutions that historically focused on infrastructure in a single physical location must be modernized.
What is FedRAMP?
As agencies further develop modernization plans, compliance with cybersecurity policies and regulations is paramount. Traditionally, the Authority to Operate (ATO) security authorization process is used. Through the ATO process, an agency determines whether to authorize a particular information system to operate for a certain period of time by evaluating whether the security controls in place sufficiently mitigate risk. This security process can be extremely time-consuming, delaying or even stopping the deployment of much-needed communication technology. Agencies need collaboration solutions that are secure and compliant yet flexible enough to meet rapid growth timelines while allowing for open and interoperable communication with other agencies and mission partners.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment and monitoring for cloud-delivered products and services. FedRAMP helps steer agency cloud adoption by providing Cloud Service Providers (CSPs) with a single accreditation that is usable by all federal agencies. This “do once, use many times” framework saves 30-40% of government costs, and provides significant savings on time and resources. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the GSA, NIST, DHS, DOD, NSA, OMB, the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.
Agencies must take FedRAMP and their marketplace of approved solutions into account when evaluating any cloud service. Procuring a cloud service that is not FedRAMP certified would require that agency to follow lengthy and costly cyber accreditation processes.
FedRAMP Impact Levels
Borrowed from the Federal Information Processing Standard (FIPS), FedRAMP defines three ways of securing data according to Confidentiality, Availability, and Integrity. The security objectives are to prevent unauthorized access, guard against modification/destruction, and ensure timely/reliable access. If one of these objectives is not met, there is a potential impact to that Federal agency. The impact is categorized as Low, Moderate, or High.
- Low Impact Level
Applies to cloud services that work with data that is already publicly available; a breach of this data would not cause significant damage to the government agency or its operations, assets, or individuals.
- Moderate Impact Level
Correlates to Impact Level 2 in the DoD. The most common impact level, accounting for about 80% of cloud services that attain FedRAMP authorization. It applies to cloud services being used for data that is largely not available for public consumption, such as PII. If Moderate Impact data is breached, the agency’s operations, assets, or individuals would suffer serious adverse effects, such as operational damage, financial loss, or individual harm.
- High Impact Level
Correlates to Impact Level 4 in the DoD. Released in 2016, this applies to cloud services being used by agencies that handle the most highly sensitive unclassified government data, such as law enforcement, emergency services, financial systems, and healthcare systems. A data breach could have catastrophic results, including loss of human life and economic crises.
As the impact level increases, so does the number of required security controls. These cloud services include hundreds of pre-configured and audited security controls in categories including Access Control, Contingency Planning, Media Protection, Personnel Security, and System/Service Acquisition. FedRAMP and overall security posture are crucial in the planning, procurement, and sustainment of any cloud service.
Cisco UCM Solutions for Federal Government
From the enterprise to the tactical edge, Cisco has been a trusted provider of voice and video technology to Federal agencies for decades. Cisco's UC Manager solution is the industry leader in enterprise call and session management platforms, with more than 300,000 customers worldwide, and more than 120 million Cisco IP phones and soft clients deployed.
To streamline budgets, simplify purchasing, and support cloud growth, Cisco has developed an offer called “Collaboration Flex Plan for Public Sector”. This offer is a subscription-based term which entitles agencies to meeting, messaging, and calling capabilities. Flex allows agencies to choose a mix of capabilities and deployment models (on-premises or cloud) under a single subscription. The best buying model for an agency varies according to size, technology adoption, and budget. The current Cisco Collaboration solutions for Public Sector include:
Cisco Collaboration On-Premises
The traditional method of deploying Collaboration technology is on-premises and within an existing data center. This deployment model is NOT subject to FedRAMP authorization because it is not cloud-based. Many agencies see this as a great starting point for transitioning from PBX technology and introducing real-time voice and video traffic to their network for the first time. Agencies must still apply for and receive an ATO by working with their Information Systems Security Manager. On-premises solutions require substantially more capital investment in servers, gateways, infrastructure, and power/cooling. Additionally, qualified resources must be hired or contracted to operate the system day to day.
Cisco Webex for Government
For agencies operating at the Moderate Impact Level (IL2), Cisco Webex for Government offers a highly secure platform that combines messaging, audio calling, video/web conferencing, and contact center in a single solution. With Cisco Webex for Government, agencies can allow employees to work remotely and collaborate in real time with co-workers and constituents. The Cisco Webex for Government service is hosted in datacenters that hold SOC 2 Type II attestation and ISO 27001 compliance to ensure proper risk assessment, identification and implementation of security controls, and regular review of their effectiveness.
Cisco Unified Communications Manager (UCM) Cloud for Government
UCM Cloud for Government is intended for agencies operating at the Moderate Impact Level (IL2) that no longer wish to procure/manage their own Cisco Collaboration architecture. Using the same products and technologies as the on-premises offering, UCM Cloud for Government deploys a FedRAMP authorized Collaboration service that is remotely managed by a Cisco partner. UCM Cloud for Government has complete feature and security parity with its on-premises counterpart combined with the additional resiliency inherent to a trusted cloud-solution provider. This architecture can be extended down to the agency's premises to address survivability and cloud-connectivity concerns. Combined with the Webex for Government offer, this packaged solution can deliver a powerful platform for Civilian agencies.
High Security Environments
For DoD and Intelligence agencies requiring communication at the Controlled Unclassified Information (Impact Level 5) or SECRET (Impact Level 6) classification level or higher, more secure solutions are needed. For these agencies, Cisco Collaboration On-Premises should be considered first, as it complies with the DoDIN Approved Products List (APL) and can operate at any security level. For hosted solutions, offerings from the Defense Information Systems Agency (DISA) or other private-cloud hosted services are available.
Cisco is continuing to expand the Webex platform, with plans for Impact Level 5 and air-gapped network offerings.
CDW and Cisco
Cisco’s Collaboration solutions for Public Sector can help agencies of all sizes prepare for the monumental task of modernization. For an agency to maintain security compliance while supporting rapid growth and predictable costing, Cloud-delivered and subscription-based offerings must be evaluated first. Through the diligent efforts of Cisco and CDW working with FedRAMP and other key stakeholders, Cloud Collaboration for the Public Sector is now a reality.