Vlog: 1Kosmos Achieves FedRAMP High Authorization
Join Christine Owen, Field CTO at 1Kosmos, and Fadi Jarrar, VP of Public Sector, as they announce a major milestone: 1Kosmos is now FedRAMP High Authorized. Learn what this achievement means for federal agencies, how it sets 1Kosmos apart as the only Kantara-certified CSP with FedRAMP High, and why it reinforces our commitment to delivering the highest standards in security, privacy, and user experience.
Fadi Jarrar:
Hello everybody. Fadi Jarrar here with 1Kosmos and Vice President of Public Sector, and we have some exciting news to share with you everybody. I’m inviting Christine Owen. Christine, I’ll let you go ahead and introduce yourself and share a little bit of news.
Christine Owen:
Hi. So I’m Christine Owen and I’m the field CTO at 1Kosmos, and I am so excited, beyond excited to be able to tell everybody that we have achieved our FedRAMP High Authorization. This is a massive, massive achievement for us. We worked very hard over the last year to make sure that our product was exactly how it needed to be for federal requirements and also for that stricter, higher FedRAMP High requirements. So we are so excited to be able to say that we’re FedRAMP High authorized today.
Fadi Jarrar:
Let’s step back a little bit. What is FedRAMP High? What does that mean exactly?
Christine Owen:
Right. So FedRAMP is a requirement for federal agencies and it essentially is for SaaS products. So if you are operating in the cloud and you’re a product, you need to have a FedRAMP authorized product. There’s a lot of different levels. Generally people operate in the Moderate space. Moderate has a certain number of NIST 800-53 Rev. 5 controls that you have to meet. We decided to just jump all of that and go straight to High for a lot of different reasons, partially because we are a security by design company and we wanted to make sure that we offered our clients the highest level of security that we could.
Fadi Jarrar:
Rip off the bandaid and go straight to High. I like it. What sets FedRAMP High apart from other security certifications? I know we have Kantara, we have a bunch of different certifications. What differs FedRAMP High from all those?
Christine Owen:
Right. So we have a lot of different certifications actually. We have ISO 27001, we have SOC 2. We do our PAD-1 and 2 certifications. We have Kantara certification. And then on top of that we also do pen testing. So we do a lot of certifications and testing of our product regularly. What we’ve decided to do when it comes to FedRAMP High is we decided to create and operate for the federal government in state and local jurisdictions and governments so that we could give them the highest level of security with our product. FedRAMP High has to be operated within a GovCloud, so a certified by the federal government cloud, we have that. So there are certain controls that are stricter than our ISO 27001 certification. So we have that. And then on top of that, there are certain encryption requirements for FedRAMP that essentially require FIPS 140-3 encryption standards and we also meet those.
Fadi Jarrar:
Great. So I think you touched on this a little bit, but what really validates the security and reliability of the 1Kosmos platform in our FedRAMP High environment versus commercial and others?
Christine Owen:
Right. So we have stronger controls, so we have to operate within the US within a GovCloud, and we have to have US citizens who pass certain tests to be able to get into the environment, operating within the environment. But on top of that, we also have continuous monitoring. And in those cases with FedRAMP, we have to remediate any vulnerabilities we find in a certain period of time based on FedRAMP requirements and based on the criticality of that vulnerability. It’s not that we weren’t doing that before, but now it is a requirement for us to be able to maintain our authorization. So it’s something that we take very seriously and it’s something that we’re really excited to offer to all of our customers, quite frankly, because any vulnerability that has to get fixed in FedRAMP High also flows down into the commercial environment.
Fadi Jarrar:
So what is the value as a credential service provider to onboard the FedRAMP High authorization to 1Kosmos?
Christine Owen:
Yeah. So we are the only Kantara certified product period that is FedRAMP High. So it’s a big differentiator security-wise against our competitors within the federal market space because we come to the federal government with the highest, strictest security controls in the civilian agencies.
Fadi Jarrar:
Awesome. So tell us a little bit about the journey. You and I have conversed about FedRAMP almost every day of our lives together here. So what did the journey look like? What were the big challenges that we had to overcome?
Christine Owen:
There were a lot of tears, lots of yelling. No, honestly, I think it’s just, and this is for any product company that’s getting ready to go through some sort of FedRAMP authorization and starting at the beginning like we did, what you realize is how much you don’t know and there is a lot to learn when it comes to FedRAMP requirements and also when it just comes to the process of getting through the FedRAMP PMO. So I think that was the biggest challenge for us. Now that we’ve gone through it once, I think we have a better understanding of how to go through it again. We already have plans to go back and get reassessed for additional enhancements.
So clearly I am a glutton for pain, but it’s totally worth it because as we continue to enhance and grow the product, on the commercial side, we are planning on doing as much parity within the FedRAMP High environment as possible. So what that means is on the commercial side, we will be building with the FedRAMP High encryption and other standards within our codes and making sure that vulnerabilities are caught before they go into our product. And on the FedRAMP High side, it means that we will be going back to the assessor quite often to make sure that we can provide the best product to our customers. We’re really excited about that.
Fadi Jarrar:
So now that we’ve got to FedRAMP High, I’m not sure if we’re at the top of the mountain or if there’s other things in the foreseeable future that we’re focused on and in different markets in public sector, what are your thoughts?
Christine Owen:
So we’re never going to be at the top of the mountain. We’re always going to be climbing to the top to achieve the best that we can achieve, so be that as product enhancements and going back to get reassessed multiple times a year. And then next we’ve decided why not? We’re going to strive to become IL4 authorized. And the reason is really because we want to make sure that we are able to operate within any of the agencies in the federal space and we want to make sure that we stay in the strongest, most secure controls. So the difference between High and IL4 is really about 20 controls. And we did the math and we did look through all of this and we decided, you know what? It’s worth it because if something gets compromised within the FedRAMP High environment, we’ll always be able to pivot to the IL4 environment.
Fadi Jarrar:
So for basic people like myself, the assumption I have is the FedRAMP environment is extremely restrictive and maybe affects some flexibility. Can you shed a little bit about how the user experience, how we can maintain the user experience and build upon that in our FedRAMP environment?
Christine Owen:
Yeah. So the FedRAMP environment is just essentially, I like to think of it as it’s the boundary around our product. So that is really strict. So essentially our engineers have a very strong DevSecOps game. And so what this means is that the perimeter is very hardened, but on the inside it’s still a little squishy. And what I mean by that is it’s the exact same product that we have on the commercial side, which means that user experience, the flexibility of the platform, the flexibility of the workflows, the strong authenticators, that’s all still there. So I’m really excited because the user experience is something that we care about, probably equal to security and privacy. And so we are still iterating on our product and we will still bring a very strong user experience to our product.
Fadi Jarrar:
Great. So let me ask you this. There’s a traditional model of achieving FedRAMP and another model which we went to, the endeavor that we took. Can you kind of explain how we were able to get the FedRAMP High so quickly and what users that are looking us up in the marketplace can look for and all that good stuff?
Christine Owen:
Right. So we decided to piggyback off of a platform that already was FedRAMP High authorized, which means that we had to go through a significant change request on that platform to be able to achieve FedRAMP High. In theory, it does make it faster, but in practice it’s still a long process when it’s your first time at the rodeo. The platform that we decided to use was FedHIVE. We actually believe that they are the best in the business for various reasons, including the fact that they believe in strong compliance measures and they are very strict and very fair when it comes to how they run their platform. So we are on their platform, and if you go to the Marketplace, you can request FedHIVE’s package and we are within that package. You could also go to FedHIVE itself and we have a page on FedHIVE about our FedRAMP High Authorization.
Fadi Jarrar:
So our platform is known to be highly flexible and we’re known for our privacy preserving principles and so forth. What impact does FedRAMP have on that? Does it affect our flexibility? Does it affect our privacy preserving principles, anything of that sort?
Christine Owen:
No, it doesn’t. Again, all it does is make sure that we adhere to very strong security practices that meet the highest level of the civilian government and we still have a very flexible platform. Our customers can still either just do doc verification or do doc verification with a biometric match or use a biometric to be able to log into their computer. There’s a lot of different things that our customers can still do with our product because we made sure that, I would say 95% of our features ended up in the FedRAMP offering. Now, just like any other product offering that migrates from commercial to FedRAMP, maybe there was one or two features that we are putting in this year once we achieved the authorization. But I am very, very clear to say that that does not affect our privacy. It does not affect our very flexible platform and it won’t affect our security either. So I’m really excited that we’ve worked really hard on this and we’ve achieved a FedRAMP High Authorization with 1Kosmos.
Fadi Jarrar:
Well, I think that wraps us up. Appreciate your time, Christine. We’ve got a lot of work to do, onward and upward, and we’re looking forward to really working with our clients to really build that security and privacy story and go help defend against fraud.
Christine Owen:
We’re excited that we’re bringing the most secure full-service Kantara certified CSP to the marketplace today.
