OneStream Cloud and FedRAMP: A Chat with Mark Angle

OneStream recently received the Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization, an important qualification for federal agencies seeking cloud solutions that are secure and meet federal standards. In fact, OneStream is the first cloud CPM provider to achieve the FedRAMP Moderate authorization.

In my recent chat with Mark Angle on Cloud solutions, he mentioned the FedRAMP authorization. I circled back for a deeper dive into this distinction to understand what it means.

John: Welcome back Mark.  What exactly is FedRAMP?

Mark: FedRAMP, short for Federal Risk and Authorization Management Program, is an authorization for federal government agencies that helps to pre-qualify that service providers and vendors can deliver cloud services with the levels of security required by the federal government.

John: I know we went through a rigorous audit to achieve FedRAMP authorization.  Can you provide some insights into that process?

Mark: The FedRAMP process is based on the National Institute of Standards and Technology (NIST) 800-53r4 standards, which lists out a wealth of hundreds of controls. Each control has an area that it focuses on within our service, all the way from how we destroy our backup copies to how we control how engineers get into the environment and how we track the different activities that happen in the environment.

Everything that happens to provide the service from the physical layer, all the way up to providing the software itself – has to have logging, track named events and has to follow this 800-53 standard or greater to make sure that we are acceptable for their service.

The FedRAMP audit goes through these hundreds of controls, making sure that we have provided evidence for each instance and to show that we are following guidelines. And if, for some reason, we’re not meeting those standards, we will be notified via a finding report. There are high, moderate and low levels for informational findings that come across after the audit report. Our OneStream team goes through those findings and have a remediation period where we go through and fix them.

We were one of the only companies to ever come out with “no high findings” after our initial audit. That’s pretty great and really, unheard of.

John: So, now we’ve got the FedRAMP authorization. What are the advantages of that for customers and partners that are federal agencies or working with federal agencies?

Mark: The obvious advantages are that if a federal agency has a requirement to meet a federal standard, then we’re already pre-approved. All they have to do is go to the internal FedRAMP listing and look up our documentation. They can verify all the documentation, so we don’t have to go through an entirely new process for procurement with each agency. They internally agree to confirm, and we can move forward with the process. That can save months of having to do re-auditing and background checking and all kinds of things that you have to go through when you’re working with a government customer.

In addition to that, this verifies a level of security for an agency, even if it is not formally required to meet the full FedRAMP requirements. Let’s say they are only required to meet an internal set of controls. Generally, those controls will align pretty closely with what is in the FedRAMP standard, or the controls may be a subset of that. If we have met a higher bar already, the auditor is immediately going to look at this and say, “well we don’t really have to worry about it, because they’re already better than what we need.” That will happen for lesser national government entities, but also for state and local entities that will look at that and see that we have achieved that model.

John: Let’s talk about FedRAMP Moderate vs Low vs High-Impact authorization.

Mark: When you look at the Low, Moderate and High Impact authorization levels, Moderate is where most providers will come in, because that’s going to hit the highest need for the majority of agencies throughout the US government. With Low, there’s going to be fewer controls and the controls that are there are not going to be quite as stringent.

High, by the way, is mostly for law enforcement, military and intelligence services. OneStream targeted Moderate Impact instead of High because Moderate covers us for the type of information that we control.  The High impact certification is typically for military plans, personnel secrets from oversees, and intelligence. These kinds of things would require an extremely high level of security controls. OneStream doesn’t see anyone that’s in our target market that would require that.

John: This sounds like something that could validate our capabilities for enterprises and non-government businesses too.

Mark: Absolutely. It is specifically developed for federal agencies, but the stringent testing and validation is a strong proof point of the security of our Cloud offering for anyone. In fact, we are already hearing about conversations with prospective customers who saw our FedRAMP announcement and were excited about it. It’s more proof of what we can offer.

To learn more about OneStream Cloud, see our previous Q&A with Mark.