In June 2019, AppDynamics joined a group of 60+ companies whose services are listed as “in process” on the FedRAMP federal marketplace. With FedRAMP, we now have an opportunity to offer our federal customers a curated set of security controls aligned with industry-recognized NIST standards.
“Building this FedRAMP environment for our SaaS fleet demonstrates the breadth of our capability and commitment to boosting confidence in cloud security as our customer needs for higher levels of assurance grow within industry segments,” said Craig Rosen, Vice President and Chief Information Security Officer, AppDynamics.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a secure framework for service providers to follow so that government agencies can more seamlessly adopt cloud-based services. The FedRAMP framework establishes a baseline set of security requirements and enables a common understanding, language, and approach to security that can be reused by multiple agencies, once authorized.
The benefits of the cloud are well-known: It offers users access to scalable, cutting-edge technologies without the expense of hardware, software licenses, installation, patching, updating, or other maintenance. And, with this latest development, AppDynamics makes it possible for federal agencies to take advantage of those benefits while gaining enhanced visibility and insights into their application environment powered by our well-known AppDynamics SaaS.
The AppDynamics SaaS commercial service today has a long list of security protections put in place to provide our customers with high levels of assurance. This includes a set of controls that provide resilient operations, security by design, and compliance and privacy assurance. These controls have earned us a SOC 2 attestation that has been in place for about five years and covers four trust services criteria: security, availability, confidentiality, and privacy.
So, what does an “In process” certification mean?
This status indicates that a cloud service provider is actively working with a government agency sponsor to achieve an “Authority to Operate” (ATO). In the case of AppDynamics, we’re working with our sponsor, the Department of Health and Human Services. Cisco, our parent company, has multiple FedRAMP authorizations for Cisco Webex, Cisco Hosted Collaboration Solution for Government and Cisco Cloudlock.
AppDynamics FedRAMP SaaS will be deployed in a specific region of Amazon Web Services (AWS). This region, known as AWS GovCloud, received FedRAMP authorization in 2016. This enables AppDynamics to inherit some of the AWS platform security controls already authorized through the program. For the entire SaaS offering, AppDynamics is seeking authorization at the “Moderate” impact level. Out of the 143 cloud service providers that currently hold FedRAMP authorization, 7 hold it at the highest level, 13 hold it at the lowest level, and 123 hold it at the moderate level.
Once AppDynamics is granted its Authority to Operate status, it will be moved from FedRAMP “In Process” to “Authorized.” This enables other federal agencies to leverage the work completed to issue additional authorizations. For companies in the private sector, as well as state and local governments, this is a clear signal that AppDynamics’ level of security meets the well-established NIST framework. This level of rigor also sets FedRAMP apart from other types of industry certifications.
“It’s not just the 300+ security controls and rigorous documentation necessary for achieving Moderate Impact Level that cast FedRAMP in a different light,” Rosen said. “It’s also the focus on the operational discipline that sits alongside and includes things like continuous monitoring and reporting. These attributes really highlight the notion that security isn’t just a single point-in-time measurement, but an ongoing and constant risk management process.”
Adding FedRAMP authorization aligns with our strategic focus and current practice for advancing customer trust through transparency and independent third-party verification. Through our participation in the FedRAMP program, AppDynamics is eager to provide federal customers the tools they need to get application visibility, gain business insight, and accelerate digital transformation.