Two percent. In 2014, that’s the share of their IT budgets that government agencies devoted to cloud services across the broad pantheon of infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), mobility-as-a-service (MaaS) and every other as-a-service option that has shifted IT from capital expenditures with years of implementation costs to faster deployments and an estimated $70 million in savings.

Forty-one percent. That’s the increase in the number of federal agencies, inside the Beltway and beyond, now using FedRAMP to speed up access to this on-demand world of data control and dissemination.

Mobile, until recently, lagged behind the other service offerings. While bring-your-own-device (BYOD) eased cost concerns in the private sector, the federal government’s stricter security requirements kept this consumerization of IT at bay. That was then.

FedRAMP Shifts Into Fifth Gear With Mobile

Recently, IBM MaaS360 (previously IBM MobileFirst Protect) received the coveted FedRAMP authorization for enterprise mobility management (EMM) of smartphones, tablets, laptops and wearables, which are replacing ruggedized devices across countless federal field services. Jeff Ward, federal sales leader for IBM MaaS360, shared his thoughts on EMM adoption in government before and after FedRAMP.

Question: Jeff, what resistance did the federal move to cloud services for mobile security face before FedRAMP?

Answer: Actually, MaaS360 was enjoying what I call a quasi-FedRAMP success before there was FedRAMP. In 2011, we received FISMA Moderate Authority to Operate (ATO) from the General Services Administration (GSA), so when new agencies were looking to use our EMM SaaS platform, they simply took our system security plan and supporting artifacts to review. FedRAMP formalizes this process under the purview of the Joint Authorization Board (JAB), which is comprised of the CIOs from the DoD, DHS and GSA, as well as support from the Federal CIO Council and NIST.

Most EMM vendors simply host their appliance in somebody else’s data center, giving them no direct influence over the hosting facility’s security status. Since IBM owns our own network operations center (NOC), we are responsible for maintaining the security of the MaaS360 platform. This credibility proved valuable, as agency after agency simply reviewed our GSA FISMA package and approved the artifacts as acceptable to meeting their security standards. Exactly the spirit of FedRAMP: “Do once, use many.”

Where did as-a-service first gain traction, and when did mobile enter FedRAMP considerations?

Because of our existing FISMA certification, and since GSA was a member of the FedRAMP JAB, we could have simply submitted our ATO for the agency level of authorization under FedRAMP. For instance, many Web service providers have an agency ATO level of authorization, which means that only a single agency has reviewed and approved their security package.

Instead, we decided to go for the full-blown JAB Provisional ATO, which meant that we had to unpack our entire GSA package, reconstruct and add information on the FedRAMP JAB templates, have a 3PAO test and certify our security posture, then submit to the Department of Defense, Department of Homeland Security and GSA Technical Representatives to the FedRAMP Joint Authorization Board for review, questions and approval — a much more involved and intense process than simply the single agency level of authorization.

Can you describe the barriers to adoption of smartphones and tablets overall prior to FedRAMP approval?

Keep in mind that FedRAMP is specifically designed for cloud service providers, so it has accelerated the adoption of smart devices in government by providing a secure path for agencies to move off appliance-based mobile device management (MDM) solutions that struggle to keep up with the rapid pace of change and scalability requirements of mobile IT.

Two important things happened to instigate this change: First, in 2009, the first federal CIO was appointed. He immediately started transforming government IT with initiatives like Cloud First, Green IT, Telework, Shared Services, etc. This clarion call paved the way for the federal government’s move to cloud-based services like MaaS360.

Second, the early adopters of on-premises MDM and EMM solutions quickly realized that they could not scale appliances to the exponential growth numbers of smartphone and tablet usage. Both of these key MDM requirements, speed and scalability, are cornerstones to the value that MaaS360 offers as the only true SaaS EMM service.

How does FedRAMP change project time to completion? In other words, which steps in acquiring government cloud services are now easier?

The concept of FedRAMP is great in that it is designed to speed the time to certification of a new system acquired by a federal agency. In the past, each agency would have to go through its own certification and accreditation process when acquiring a new system. FedRAMP is great because it removes this redundant process and enables government IT delivery to be more efficient by leveraging best practices across agencies.

The Digital Government Strategy also provided a way to acquire IT services like EMM more expediently by establishing programs like the GSA Federal Acquisition Service (FAS) Managed Mobility Program.

As the first EMM to go through FedRAMP certification, MaaS360 encountered a few unique challenges — primarily, the fact that we are truly a SaaS delivery platform, while FedRAMP was primarily used to certify IaaS and PaaS solutions that stored and managed critical customer application and email data. The fact that our EMM does not store any customer email or application data on our platform is one of the primary drivers for our wide adoption across the federal government. Hopefully we have blazed some new trails so that other SaaS providers can consider hosting their own solution and security.

Do you see FedRAMP being applied to other industries? Which ones would benefit right now?

Security is one of the biggest concerns to cloud adoption. Any regulated industry should feel confident using IBM MaaS360 given that our platform has met the stringent security requirements set forth by the tenets of FedRAMP. Financial, health care, law enforcement and retail sectors at a minimum [would benefit]. Their regulatory compliance issues grow more challenging each year and more focused on the particulars of how data is transmitted and stored. In short, that’s showing a deeper concern for all mobile endpoints. We should also mention that the lower total cost of ownership of SaaS makes EMM a reality at local government levels that would’ve been previously crushed by the cost of implementing and maintaining an on-premises solution. Cloud allows the organizations to focus their resources on the more value-added IT strategy and services.
