RISCPoint Uses AWS to Help Own Company Accelerate FedRAMP Journey
Executive Summary
RISCPoint, an AWS Partner, worked with Own Company (previously OwnBackup) to achieve a FedRAMP Moderate authorization for the Own Government Cloud, which is built on AWS GovCloud (US). Collaborating closely with the AWS Global Security & Compliance Acceleration Program partner RISCPoint, Own achieved an Authority to Operate (ATO) FedRAMP certification in under 12 months and can now offer data protection products to all U.S. federal, state, and local government agencies, as well as government contractors in specific use cases.
Navigating the Complexities of FedRAMP
Own Company is a leading data platform that thousands of global organizations use to protect and activate Software as a Service (SaaS) data to transform their businesses. “Own was born on the premise that no company operating in the cloud should ever lose data,” says Travis Howe, chief information security officer at Own Company. “We provide tools and services that empower customers to ensure the availability, compliance, and security of their mission-critical data.”
In late 2022, Own became authorized by the Federal Risk and Authorization Management Program (FedRAMP), a federal government compliance program that provides a standardized approach to security assessment and authorization and the continuous monitoring of cloud solutions. “We were working with an increasing number of government organizations, and we wanted to be able to sell them our products,” Howe says. “Becoming FedRAMP compliant was the only way to do that.” However, Own had reservations about being able to manage the complex authorization process. “FedRAMP takes a lot of time and planning in terms of technical steps and procedures,” says Howe. “We knew one of our biggest challenges would be getting all our teams to understand what FedRAMP is about and why certain steps were not negotiable. We wanted to find an outside expert that could help us accelerate the whole process.”
“We were able to move quickly and efficiently through the FedRAMP ATO process because of RISCPoint.”
Travis Howe
Chief Information Security Officer, Own Company
Building the Own Government Cloud with RISCPoint and AWS
In late 2020, Own worked with RISCPoint, an AWS Partner that provides cybersecurity and compliance services, to meet compliance requirements for ISO 27001, an international information security management standard. RISCPoint provided technical guidance and support to help Own pass an ISO 27001 audit. Based on this experience, Own had the confidence to collaborate with RISCPoint again on its road to FedRAMP authorization. “As a smaller company, RISCPoint is very hands-on, from leadership on down. It also has the knowledge that comes with going through FedRAMP authorization with other cloud providers, and it knows how to address all the technical and procedural challenges we’d need to manage,” says Howe.
RISCPoint is also part of the Global Security & Compliance Acceleration (GSCA) Program, which helps AWS Partners meet customers’ authorization requirements through architecting, configuring, deploying, or integrating tools and controls. By participating in the GSCA Program, RISCPoint can provide specialized services to help companies navigate U.S. and global security compliance frameworks.
RISCPoint performed a comprehensive business strategy assessment for Own to review all aspects of the FedRAMP program and present key risks and opportunities. As part of the assessment, RISCPoint met with Own executives, including Howe, to carefully evaluate program design and implementation. “From my perspective, Own is one of the few organizations I’ve seen with an impactful mission and actions that carry that mission out in everything they do,” says Jake Nix, founder and chief executive officer of RISCPoint. “What Travis has built with the Security and Compliance team is the definition of a high-performing team that we love to work with and learn from.”
RISCPoint helped Own build the Own Government Cloud, which runs on AWS GovCloud (US). “AWS GovCloud (US) offers extensibility and expansion opportunities without re-architecting,” says Nix. “For example, if there is a need to move from FedRAMP Moderate to High authorization, this solution provides a higher level of comfort and flexibility to do that.”
Howe adds, “AWS GovCloud provides additional security enhancements around authentication, for example, so we didn’t have to be responsible for designing those ourselves. This means there are fewer things we needed to focus on because we can rely on the expertise and technology of AWS.”
Accelerating Time to FedRAMP Moderate Authorization
RISCPoint helped Own achieve an Authority to Operate (ATO) FedRAMP certification in less than 12 months, from the program design phase to a security assessment report and final ATO. The ATO gives Own the ability to officially provide services to government agencies. “We were able to move quickly and efficiently through the FedRAMP ATO process because of RISCPoint,” says Howe. “RISCPoint’s relationships with auditors and our teams were very beneficial as far as getting us answers to difficult questions throughout the process, whether those questions were about a partnership with our sponsor or some new mandate. Without RISCPoint helping us accelerate authorization, we would likely still be working through the process.”
RISCPoint also helped Own ultimately achieve formal FedRAMP Moderate authorization for Own Government Cloud. The designation demonstrates that Own meets rigorous federal security requirements for hosting sensitive data in the cloud.
Providing Data Protection Services to Federal Government Customers
By achieving the FedRAMP ATO and official FedRAMP authorization, Own was able to list Own Government Cloud on the FedRAMP Marketplace and begin offering data protection services to all U.S. federal government agencies. “Getting the initial FedRAMP ATO was critical because that means we’re authorized to operate on behalf of the government, and that really opened up the federal marketplace for us,” says Howe. “Subsequent to the ATO, we've had approval and authorization to expand the usage of Own Government Cloud to include state and local agencies as well as government contractors that manage federal data. That's a tremendous business value to Own, especially in the government contractor space, where there are significant initiatives with government contractors and regulations that pertain to protected data.”
RISCPoint continues to work with Own, consulting on additional technology projects. “The people I meet with on a weekly basis are the same people who actually built the Own Government Cloud platform,” says Devon Calvert, director of public sector services at RISCPoint. “That’s one of the main reasons why we were able to build a program that made it past the initial hurdle of audit and authorization while also becoming a sustainable commercial product.”
Howe concludes, “The insights and relationships RISCPoint has within the government and commercial sector regarding new technologies or processes put us in the best position to address compliance as well as the needs of our customers.”
About Own Company
Based in New Jersey, Own Company is a leading data platform used by thousands of organizations to protect and activate SaaS data to transform their businesses. By partnering with some of the world’s largest SaaS ecosystems, Own enables customers throughout the world to own the data that powers their businesses.
Benefits
- Achieved an ATO FedRAMP certification in under 12 months
- Can offer data protection products to all U.S. federal, U.S. state, and U.S. local government agencies
- Can offer products to government contractors in specific use cases
About AWS Partner RISCPoint
RISCPoint is an industry-leading management consulting firm that specializes in cybersecurity, compliance, and risk management, providing both strategy and tactical implementation. The company’s founding vision is to seamlessly integrate with each client’s team and focus on creating impactful solutions that help the client achieve its objectives.
Published May 2024