May 20, 2022

FedRAMP Certification: The ‘New Normal’ for Public Sector Agencies?

By Neal Byrd

In the realm of cloud security, public sector agencies have a lot on their plates. From keeping up with the barrage of constantly emerging security guidelines (see below) to the ongoing demands of maintaining software security, the pressure on the government to lock down cybersecurity is immense. Over the last couple of years, Federal Risk and Authorization Management Program (FedRAMP) certifications have emerged as a ubiquitous cybersecurity standard in the public sector – and it’s clear why.

As agencies move more IT functions to the cloud, FedRAMP enables cloud service providers to meet specific security requirements, such as those embedded in the Federal Information Security Management Act and the National Institute of Standards and Technology publications, allowing agencies to outsource with the confidence that their cloud provider partners are meeting those requirements.

Amid the recent cyberattacks – notably SolarWinds and Log4j – government agencies must double down on efforts to secure their software supply chains and implement zero trust. This is especially true given the results of Veracode’s annual report on the State of Software Security (SOSS), which showed that the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors.

Veracode’s research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once detected, the public sector posts the slowest times on average—roughly two times slower than other sectors. The research also revealed that 60 percent of flaws in third-party libraries in the public sector remain unfixed after two years, which is double that of other sectors and lags the cross-industry average by more than 15 months. Finally, with only a 22 percent fix rate overall, the public sector is challenged to keep software supply chain attacks from impacting critical government applications.

We Are FedRAMP Authorized

This research points to the benefits that a Software as a Service (SaaS) application-level security platform would provide to government agencies by reducing the risk of security breaches through comprehensive analysis, developer enablement, and AppSec governance. It’s also why Veracode is proud to announce that we have officially received FedRAMP authority to operate (ATO) from the Securities and Exchange Commission (SEC) at the FedRAMP Moderate level for that exact platform.

The Veracode Platform provides visibility into application status across all testing types, including static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA), in one centralized view. With the FedRAMP authorization, this platform will soon be generally available to agencies across the government, ensuring data protection and application-level security in cloud environments.

FedRAMP is the new normal in public-sector cybersecurity standards. The best way to ensure mission success, while delivering best-in-class customer experience and maintaining compliance, is to leverage a complete platform solution that has FedRAMP approval. The time is now (if not yesterday) for government agencies to secure their software supply chains and implement zero trust. Veracode can help.


Neal Byrd is dedicated to enabling governments to thrive operationally in a digitally-driven world by protecting their citizens, employees, and global partners by ensuring their online experiences and data are secure and vigilantly protected.