Collabware Blog

Collabspace RM Cloud Solution Gets FedRAMP® High Authorization

Written by Angela Dion | Feb 7, 2023 2:00:00 PM

 

Tested and validated by the Immigration & Customs Enforcement (ICE) of the U.S. Department of Homeland Security (DHS) to ensure the software’s compliance with and adherence to over 400 security controls.

For Immediate Release

February 7, 2023 - Washington, DC – After over a year and a half of intensive assessment and examination, Collabware is thrilled to finally announce confirmation that Collabspace meets FedRAMP® High security. Collabspace is now a NARA-compliant cloud Software as a Service (SaaS) solution, offering archival, discovery and end-to-end records management capabilities, that has proven this impressive level of security.

About FedRAMP Authorization 

FedRAMP compliance is one of the most comprehensive and stringent testing benchmarks in the world. The purpose of FedRAMP is to provide a standardized approach to security assessments, authorization and continuous monitoring for cloud products and services government-wide in order to promote secure cloud adoption. We've written an article further detailing what FedRAMP High is and its role in protecting data.

The testing process, set out by the U.S. Federal Risk and Authorization Management Program (FedRAMP), was performed by our third-party assessment organization (3PAO), and approved by the U.S. ICE under the U.S. Department of Homeland Security (DHS). Upon successful completion, Collabware was given a confirmation letter and the agency authorization for a FedRAMP® Authority to Operate (ATO). 

What is an Authority to Operate? 

An Authority to Operate (ATO) is a formal authorization for a product or system to operate in an agency; it indicates that the system or product in question has gone through rigorous security testing and reviews.


2 Paths to FedRAMP Security Compliance 

There are two avenues to FedRAMP authorization: an Agency Authorization to Operate (ATO) and a Joint Authorization Board (JAB) Provisional ATO (P-ATO). With either of these authorizations in place, other agencies can use it to streamline their own security reviews, leading to faster implementation of critical systems.

1. FedRAMP Federal Agency ATO

“In the Agency Authorization path, agencies may work directly with a Cloud Service Provider (CSP) for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an ATO will work with the agency throughout the FedRAMP process.”

- Get Authorized: Agency Authorization | FedRAMP.gov  

2. FedRAMP Provisional Authority to Operate (P-ATO) from JAB 

“The JAB is the primary governing body for FedRAMP and includes the DoD, DHS and GSA. The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO).”

- Get Authorized: JAB Authorization | FedRAMP.gov  

Not only was Collabware the first NARA Compliant SaaS RM tool to be assessed at FedRAMP High and receive Authorization, but we were also the first to be selected by the JAB for a P-ATO. In fact, we ended up in both processes at the same time. How this works: 

The FedRAMP website displays the status of only the current process and past processes in the Authorizations field.  

Below is a graphic showing our status as we were moving through our Agency Authorization at FedRAMP High. As you can see the level is High, status is In Process and Authorizations are 0.  

Below is our current status; as you can see the level is Moderate, status is In Process and our Authorization is 1. The “1” in the Authorizations field represents our achieved Agency Authorization! 

While we are authorized at High with 421 Security Controls and the JAB continues to assess us at High, we will likely be authorized at Moderate from the JAB perspective first. Collabware intends to uplift to High as soon as possible, since all the security controls and previous High authorizations are already in place.  

This brings up an interesting question: Can we be authorized at multiple levels?  

The answer is YES: any agency is free to make its own decision to authorize at a different level. Again, since we have the High-level controls in place and the previous Authorization, we will continue to work on more authorizations at High as we continue to offer the government the most secure option available for NARA compliance.

“FedRAMP testing isn’t for the faint hearted,” says Doug Converse, Director of Compliance for Collabware. “This process takes a massive investment of time and resources to not only evaluate each criterion, but in some cases, rejig processes and update features to the standard FedRAMP insists on.”   

FedRAMP is sanctioned by the U.S. government’s Federal Chief Information Officers Council and controlled by a JAB that comprises representatives from:  

  • the Department of Defense (DoD),  
  • the General Services Administration (GSA), and
  • the Department of Homeland Security (DHS).  

“This is one more tick on the always growing list of security control benchmarks we intend to earn,” says Graham Sibley, CEO of Collabware. “We are and have been developing Collabspace to even higher security ranks, including DoD IL5. But we are happy to now have Collabspace vetted to this level so other agencies can quickly roll out the needed data protection they need and Collabspace provides.”

US Agencies can contact us to receive a copy of Collabware’s Agency FedRAMP ATO letter. 

Find Collabspace listed on the FedRAMP Marketplace under SaaS providers; more information about the Collabspace suite of information governance products can be found at www.collabware.com/collabspace. Read Collabware’s full list of certifications.