The advent of the Biden administration brings new priorities for improving digital technology and infrastructure that the government uses.
Cybersecurity remains a vital concern and is a primary reason the administration is emphasizing the modernization of IT infrastructure.
This will have a profound impact on budgets, staffing and technologies.
The Biden administration is spearheading a renewed effort and increased investments in tech infrastructure, tools and the workforce: areas that are critical for delivering modern and secure citizen services, data and networks.
Recent announcements have highlighted the administration’s direction and overall funding requests. The administration believes IT modernization efforts will help to accelerate delivery of enhanced digital services.
On March 11, 2021, President Biden signed the American Rescue Plan Act, which includes $1 billion for the Technology Modernization Fund, a 3,900% increase over the $25 million the Fund received in 2020. The money will be used to fund large-scale, enterprise-wide IT modernization efforts across some or all federal agencies.
In addition, in a January 14 transition fact sheet, the president called on Congress to change the Fund’s reimbursement structure to “fund more innovative and impactful projects” since the current reimbursement requirements hinder the number and quality of proposals.
Biden’s plan also calls for the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security to receive $650 million to “bolster cybersecurity across federal civilian networks and support the piloting of new shared security and cloud computing services.” This would be in addition to the $2B already appropriated for CISA in 2021.
The Alliance for Digital Innovation, a leading technology advocacy organization made up of forward-looking technology companies, recently released its 2021 priorities for action for the incoming Biden administration and Congress.
This is a set of legislative and policy proposals that will help the government build a robust foundation for long-term digital transformation.
Government agencies will need highly responsive, trustworthy support from skilled IT teams with a deep understanding of both security and regulatory requirements for their infrastructure.
Since so many of the government’s citizen services, data and networks now live in the cloud, secure cloud technology will be a critical piece of the government’s IT modernization effort.
SAP NS2 provides government organizations within the DoD, intelligence and civilian agencies secure cloud hosting and software support for SAP products, along with NS2 Mission and cyber defense products.
Products meet FedRAMP Moderate and DoD Impact Level 4 (IL4) requirements. All SAP NS2 cloud solutions are managed on U.S. soil and are built to achieve the most stringent security compliance standards.
Does your agency need assistance with navigating its digital transformation? Contact SAP NS2 to find out how we can help.
Co-authored by John Wookey, President, SAP Intelligent Spend and Business Network, and Harish Luthra, President, SAP National Security Services, NS2 Secure Cloud
The COVID-19 pandemic was a wake-up call that global supply chains were fragile and that issues of national security surrounding them were, and remain, critical. Modernizing procurement and supply chain operations tops the priority list of most government organizations, as they require agility in the face of disruption just as much as those in the private sector. Simultaneously, they must be able to adapt quickly to adhere to strict and ever-evolving privacy and security standards. To help them get there, SAP National Security Services (SAP NS2) and SAP are accelerating plans to add SAP Ariba solutions to the SAP NS2 portfolio.
SAP NS2 is a wholly owned subsidiary of SAP focused on security issues for the U.S. government so that SAP can bring technology and innovation to customers across government and regulated industries. One hundred percent U.S.-based and U.S.-staffed, with expert personnel working around the clock to keep data safe and solutions running, SAP NS2 brings leading analytics insight and data fusion technologies from SAP and applies them to mission-critical workloads.
SAP NS2 has brought government and regulated industries customers of SAP S/4HANA Cloud, SAP SuccessFactors, SAP Integrated Business Planning for Supply Chain, and SAP Analytics Cloud solutions into highly secure environments. The FedRAMP-authorized Cloud Intelligent Enterprise from SAP NS2 is providing immense value across different lines of business and market segments, including access to real-time data for better decision-making, an intuitive user experience for more effective collaboration, and enhanced security.
SAP NS2 plans to deploy SAP Ariba solutions for U.S. federal, state, and local governments and other regulated industries customers including aerospace and defense, utilities, and higher education in the future. These market-leading solutions are proven to help procurement leaders enhance visibility into spend, increase efficiency across the supply chain, reduce costs and risks, and gain data-driven insights to drive more strategic operations from sourcing and orders through invoice and payment. SAP is committed to bringing these same efficiencies to government and regulated industries customers while also addressing their security concerns and needs.
Bringing SAP Ariba solutions into the fold will help customers advance their digital transformation journeys for their supply chains. This is the next step in helping them gain situational awareness over their supply chains and protect against the infiltration of counterfeit goods into U.S. national defense programs, pharmaceutical compounds, and technology components. As SAP advances on the path to FedRAMP authorization for SAP Ariba solutions, we look forward to enabling the government to scale the benefits that digital procurement delivers across agencies.
Contact Naveen Agarwal (firstname.lastname@example.org), Vice President for Digital Supply Chain at SAP NS2 to learn more.
While it’s no secret that cloud computing has positively transformed the way government agencies work, it’s become apparent that different types of risks can emerge if infrastructure is not implemented and safeguarded properly. With the increased frequency of data breaches being reported year after year, the security of government agencies is more important than ever. To ensure that compliance activities are thorough and efficient, NS2 is working with our government and regulated customers to find ways to better automate their compliance processes and provide the best possible foundation for security.
To better protect your agency data, it’s important to understand the difference between security and compliance. While compliance is a snapshot of how a security program meets a specific standard at a certain time, security is an ongoing effort to protect your information systems. Your agency may find that the adoption of strong compliance standards takes time and resources, but once gained, it will establish an excellent baseline security posture. To truly protect sensitive data, it’s critical to have the proper security program in place and be compliant.
Security and compliance are different components of a necessary and crucial system. And it’s only when the two are combined that agencies can truly safeguard their data. However, a lot of this is easier said than done. The following are a few reasons why government agencies run into compliance and security issues:
Your agency may find that compliance takes time and resources to achieve, but once established it gives you a solid baseline security posture from which to protect your data. Common best practices for continuous cloud compliance include:
Many federal agencies support their mission-critical operations with agile and innovative cloud deployments that incorporate a range of technologies. By implementing best practices and automating your compliance processes, your agency will be better positioned to remediate configuration drift, detect anomalies, and decrease cloud spend.
Any evaluation of a cloud solution, especially a SaaS solution, should always include a robust review of the environment, as well as the solution’s security posture.
Moving sensitive data from an on-premises environment to a cloud environment can be a daunting prospect when it comes to security. It also places a tremendous amount of responsibility in the hands of a cloud service provider (CSP). If the data isn’t properly protected, a single security incident could have a devastating impact. For this reason, many organizations are increasingly seeking out solutions that meet the security standards of the Federal Risk and Authorization Management Program (FedRAMP).
Many of today’s SaaS vendors use the term “FedRAMP authorized” to indicate that their solutions meet a federally defined security standard. But although FedRAMP follows a defined set of security controls, FedRAMP authorization is not a static state, a one-time certification, or a standard in itself. Rather, FedRAMP authorization refers to the completion of a security assessment process and the subsequent authorization, from a federal agency or the Joint Authorization Board (JAB), to operate a cloud-based solution that handles government data.
To obtain FedRAMP authorization, a solution must either be sponsored by a federal agency or be prioritized for review by the JAB, and then go through a rigorous review and assessment process. The result is either a JAB provisional authority to operate (P-ATO) or an agency-specific authority to operate (ATO), depending on the path taken. Both are authorizations for federal use; neither is a commercial certification.
When a vendor states that their solution is FedRAMP authorized, it means that they have gone through the evaluation process, met the criteria and standards, and will be deploying their solution in one or more federal agencies. It is incorrect to use “FedRAMP authorized” as a commercial standard or generic term.
The FedRAMP baseline security controls implement FIPS 200 and NIST SP 800-53, with FedRAMP-specified parameters. NIST SP 800-53 (Revision 4) defines several hundred security controls and control enhancements organized into 18 families; the FedRAMP Moderate baseline selects 325 of them and provides guidance on how each should be implemented for cloud systems. An assessment by an independent, FedRAMP-recognized third-party assessment organization (3PAO) validates that the controls are implemented as the guidance requires.
Many cloud IaaS providers (also known as hyperscalers) such as Amazon, Microsoft, and Google have taken specific regions and service offerings through the FedRAMP process. This is good because a CSP running its solution on one of these hyperscalers inherits their infrastructure controls. A SaaS vendor can leverage the hyperscaler’s authorization, but this covers only the controls specific to the infrastructure layer, which is around 50 of the 325 controls in the Moderate baseline.
If you are evaluating hyperscalers for a private cloud, understanding that the hyperscaler has successfully completed the FedRAMP evaluation provides assurance that the infrastructure has proper security controls in place.
If you are planning to implement a PaaS or SaaS solution, understanding that they will be running on a hyperscaler that has completed the FedRAMP evaluation provides assurance for the infrastructure layer. Yet, it doesn’t convey any level of authorization for the higher levels.
If you’re utilizing the FedRAMP security profile as guidance for a SaaS solution, you should confirm that the vendor providing the solution can demonstrate that the SaaS environment, including the solution, has been evaluated against the FedRAMP baseline by a FedRAMP 3PAO. Even better, it should demonstrate that the solution itself has received FedRAMP authorization and is being utilized by a federal agency. The vendor should be able to validate that the full set of FedRAMP-defined security controls have been implemented and evaluated across all three layers (solution, platform, and infrastructure).
FedRAMP authorization cannot be inherited by a solution or application running on a FedRAMP-authorized infrastructure. The authorization applies to only the layers and components defined in the security boundary. Likewise, a solution can only be compliant with the FedRAMP baseline if it has been evaluated against that baseline. While some security controls can be inherited, they don’t convey compliance to other layers of the solution stack.
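To make the boundary point concrete, here is an added example (my own illustration, not SAP NS2 tooling and not the real FedRAMP baseline or any vendor’s Customer Responsibility Matrix): a small check that compares a vendor’s inheritance claims against the layer each control actually lives in. The control IDs are real NIST SP 800-53 identifiers, but the layer assignments and the vendor claim sheet are constructed for illustration.

```python
# Layers of a SaaS stack, from the hyperscaler up to the application.
INFRA, PLATFORM, APP = "infrastructure", "platform", "application"

# Hypothetical layer assignment for a handful of real NIST SP 800-53 control IDs.
# Illustrative only: not the FedRAMP baseline and not any vendor's CRM.
CONTROL_LAYERS = {
    "PE-3":  {INFRA},                 # physical access control: data-centre only
    "PE-13": {INFRA},                 # fire protection
    "MP-6":  {INFRA},                 # media sanitization of physical disks
    "SC-7":  {INFRA, PLATFORM, APP},  # boundary protection exists at every layer
    "SI-4":  {INFRA, PLATFORM, APP},  # monitoring at every layer
    "CM-6":  {PLATFORM, APP},         # configuration settings of OS/DB and application
    "AU-2":  {PLATFORM, APP},         # audit events the solution itself must log
    "SC-8":  {PLATFORM, APP},         # transmission confidentiality (TLS configuration)
    "AC-2":  {APP},                   # account management for the SaaS's own users
    "IA-5":  {APP},                   # authenticator management for those users
}

# A FedRAMP-authorized IaaS boundary covers the infrastructure layer and nothing above it.
IAAS_BOUNDARY = {INFRA}


def evaluate_claims(claims, control_layers=CONTROL_LAYERS, iaas_boundary=IAAS_BOUNDARY):
    """Compare a vendor's inheritance claims against where each control must live.

    claims: control ID -> "inherited" | "provider" | "shared" (missing entries count as "provider").
    Returns (residual, invalid):
      residual: control -> layers the SaaS vendor must still have assessed by a 3PAO
      invalid:  control -> layers wrongly claimed as inherited from the IaaS
    """
    residual, invalid = {}, {}
    for control, layers in control_layers.items():
        uncovered = layers - iaas_boundary          # layers the IaaS authorization cannot reach
        if uncovered:
            residual[control] = uncovered
            if claims.get(control, "provider") == "inherited":
                invalid[control] = uncovered
    return residual, invalid


def inheritable_fraction(control_layers=CONTROL_LAYERS, iaas_boundary=IAAS_BOUNDARY):
    """Share of listed controls that sit entirely inside the IaaS boundary."""
    fully = sum(1 for layers in control_layers.values() if layers <= iaas_boundary)
    return fully / len(control_layers)


def report(claims):
    """Human-readable gap report for a claim sheet."""
    residual, invalid = evaluate_claims(claims)
    lines = [f"{inheritable_fraction():.0%} of listed controls are fully inheritable from the IaaS"]
    for control, layers in sorted(invalid.items()):
        lines.append(f"INVALID  {control}: claimed inherited, but needs {', '.join(sorted(layers))}")
    for control, layers in sorted(residual.items()):
        lines.append(f"ASSESS   {control}: {', '.join(sorted(layers))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed vendor claim sheet: two of the "inherited" entries are wrong.
    VENDOR_CLAIMS = {
        "PE-3": "inherited", "PE-13": "inherited", "MP-6": "inherited",
        "SC-7": "inherited", "AC-2": "inherited",
        "SC-8": "shared", "CM-6": "provider",
    }
    print(report(VENDOR_CLAIMS))
```

In the constructed sheet, PE-3 and MP-6 are legitimately inherited, but SC-7 and AC-2 are flagged: boundary protection and account management for the application’s own users cannot come from the hyperscaler, so those layers still need a 3PAO assessment within the SaaS vendor’s own boundary.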
For more information on FedRAMP authorization, please email me or visit our cloud page.
The wealth of government and intelligence data is far more valuable when integrated with powerful analytics tools, but in addition government agencies need a simple but secure way to access this data and make informed decisions. SAP Analytics Cloud (SAC) integrates and analyzes data from multiple sources to provide government departments and agencies unified insights, visualizations, plans, and predictions. These powerful analytics capabilities are now available as part of the secure and growing FedRAMP-authorized portfolio of government cloud capabilities designed and supported by SAP National Security Services (SAP NS2).
Data and analytics are most effective when available in a unified solution, enabling easier comparisons, more effective insights, and faster responses. SAC combines a wide array of features into a single, scalable, secure cloud-based solution. Business Intelligence, predictive analytics, and organizational planning enable government agencies to explore data from multiple sources to quickly visualize relationships and potential outcomes. With the embedded artificial intelligence and machine learning technologies, customers can discover, analyze, predict, and plan in one integrated experience.
SAC is just one part of the FedRAMP portfolio of cloud capabilities from SAP NS2 that are specifically designed to fit the unique security requirements of US government agencies. Cloud services operate from DoD compliant facilities, managed 100% by background-checked U.S. citizens on U.S. soil. In addition to analytics, SAP NS2 Cloud Intelligent Enterprise includes applications and tools for HR and people management, enhanced payroll and time-management processing, and other operational transactions. SuccessFactors is SAP’s HR and people management Software-as-a-Service that helps government agencies optimize talent management to build and deliver mission-critical edge performance. Employee Central Payroll, integrated with the core HR software, removes the distraction of worrying about pay and timekeeping with enhanced process automation, ensuring that payroll is accurate, fast, and compliant. All SAP applications offer a consistent and intuitive user interface and are ready for integration into existing and legacy systems.
The U.S. Government’s FedRAMP Program Management Office and Joint Authorization Board are responsible for developing and implementing a standardized approach to cloud security assessment and authority to operate. With their “do once, use many times” framework, they help all government agencies save time and money when migrating to cloud products and services. FedRAMP authorization provides a clear indication of the security posture and operational competence of a cloud service provider’s infrastructure and applications. Dozens of federal departments and agencies, plus other levels of government, use SAP NS2 Cloud solutions for their strategic, tactical, or operational activities. By taking on a central role, FedRAMP removes the need for repeated security assessments and also requires continuous monitoring of authorized services.
Modern analytics, intelligence, and national security operations rely on enormous volumes of data and quick access to massive computing power. Cloud services are making these seemingly overwhelming tasks achievable with the technology that powers the world’s largest enterprises. Mission-critical government workloads powered by secure cloud services are already producing more informed decisions and faster reactions. SAP NS2 is focused on providing the best possible support for this assignment, combining leading data analytics and fusion technologies from SAP with 100% U.S.-based operations and expert U.S. personnel.
For information on the secure and scalable capabilities of SAP NS2 Cloud Intelligent Enterprise, go to https://www.sapns2.com/cloud
As cloud services have evolved, so have FedRAMP and its security authorization processes. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It is not a certificate a company buys: federal agencies are required to use FedRAMP-authorized cloud services for federal data, so a CSP that wants to host U.S. government data must obtain an authorization.
Meanwhile, a SOC 2 report is an independent auditor’s attestation, against the AICPA Trust Services Criteria, on controls that the service organization itself defines for the security, availability, processing integrity, confidentiality, and privacy of its solution or data center. SOC 2 has become the go-to for commercial companies to quickly understand the security profile of a cloud service provider (CSP). Even so, while a SOC 2 report describes and tests the provider’s own controls, it does not mandate a fixed standard against which every CSP is measured.
“FedRAMP recognizes that ISO 27001’s Management Standard and SOC 2 are both respected security regimes within industry, and compliance can indicate that CSPs have security in place.
However, it is important to understand that the Federal Information Security Modernization Act (FISMA) – and by extension, FedRAMP – views security through a different lens than these security regimes. FedRAMP’s assessment is focused on the security of data within a system, and what can impact the security of that data.
ISO and SOC 2 generally focus on how a vendor handles security, and validate whether they follow their stated policies and procedures. FedRAMP’s risk assessment and authorization decision is contingent on the ability of a CSP to adequately scope their authorization boundary to account for the secure management of data within their system.
We recognize this is a shift in how industry may be used to working, and we are committed to supporting CSPs in understanding how to view security from this vantage point and fully understand their authorization boundaries in the context of FISMA.”1
To obtain FedRAMP authorization, a CSP must evaluate their current security profile against the FedRAMP standard. Many times, this requires changes to the underlying technology as well as company procedures and policies. Additionally, a CSP must implement continuous monitoring and regular evaluation against this standard to maintain their status.
FedRAMP authorization follows one of two paths: a provisional authorization from the FedRAMP Joint Authorization Board, which any federal agency can then reuse, or an authorization issued by a single agency, which applies only to that agency unless other agencies choose to reuse its assessment package.
A CSP can engage a FedRAMP-recognized independent third-party assessment organization (3PAO) to assess its solution against the FedRAMP baseline and issue an attestation, but without an authorizing agency or the JAB that attestation is not a FedRAMP authorization, and a CSP’s own self-attestation carries no FedRAMP standing at all.
CSPs like SAP NS2 that have invested in meeting FedRAMP standards for their solutions demonstrate a security profile, and established procedures and policies, that commercial companies should desire and demand for their cloud-based solutions.
A SOC 2 report is a measurement against self-established security controls, procedures, and policies, while FedRAMP compliance is a measurement against a standard set of security controls, procedures, and policies established by the Federal Government, based on NIST and FISMA standards.
Commercial companies can leverage the standards created by FedRAMP to improve the security profile delivered by CSPs. FedRAMP establishes a minimum level of security that all CSPs should be measured against.
In today’s world of SaaS solutions, security is a big concern. Companies implementing SaaS apps want to be certain their data is safe and that security risks aren’t introduced into their IT infrastructure. Security breaches not only expose critical company data, they also impact a company’s reputation and brand. No company wants to see their name associated with a major data breach.
Current industry cloud security standards offer many, and differing, recommendations about which security controls you should implement. NIST Special Publication 800-144 provides guidelines, and many companies offer consulting services to help define and implement cloud security. Here is recommended guidance for cloud service providers (CSPs) to consider when deciding which controls to implement and how to implement them.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It created and manages a core set of processes to ensure effective, repeatable cloud security for the government.
To create the FedRAMP standard, a group of CIOs and CISOs from across the federal government defined the necessary security controls and the processes and methods for implementing them. FedRAMP started from the controls and enhancements defined in NIST SP 800-53 for securing federal systems, selected a baseline (325 controls at the Moderate level), and then went a step further: as they reviewed each control, they established guidance for implementing it in cloud systems.
Using passwords as an example, FedRAMP’s guidance, drawn from NIST SP 800-63B, for ensuring that memorized secrets are neither weak nor already compromised reads as follows. When processing requests to establish and change memorized secrets (passwords), verifiers will need to compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised.
For example, the list may include, but isn’t limited to:
If the chosen secret is found in the list, the CSP or verifier will advise that the subscriber select a different secret, provide the reason for rejection, and will require the subscriber to choose a different value.
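The following added example (my own code, not FedRAMP’s or SAP NS2’s) implements that screening step on the verifier side. The blocklist categories it checks are the ones NIST SP 800-63B names: passwords from previous breach corpuses, dictionary words, repetitive or sequential characters, and context-specific words such as the service name or username and derivatives of them. The tiny breach corpus and dictionary are constructed stand-ins for the large lists a real verifier would load; the run-length threshold, the suffix-stripping rule for dictionary words, and the set of derivatives are my assumptions.

```python
import re
from dataclasses import dataclass

MIN_LENGTH = 8        # NIST SP 800-63B: subscriber-chosen secrets are at least 8 characters
MAX_LENGTH = 128      # 800-63B requires accepting at least 64; the exact cap is our choice
RUN_THRESHOLD = 4     # assumption: a run of 4+ repeated or sequential characters is rejected

# Constructed, deliberately tiny stand-ins.  A real verifier loads a large breach
# corpus (hundreds of millions of entries) and a full word list instead.
BREACH_CORPUS = {"password", "password1", "password123", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY = {"welcome", "summer", "winter", "football", "monkey", "dragon", "sunshine"}


@dataclass
class Verdict:
    accepted: bool
    reason: str = ""   # returned to the subscriber on rejection, as the guidance requires


def _has_run(secret: str) -> bool:
    """True if any window of RUN_THRESHOLD characters is all-identical or a
    strictly ascending/descending sequence of code points ('aaaa', 'abcd', '4321')."""
    s = secret.lower()
    for i in range(len(s) - RUN_THRESHOLD + 1):
        codes = [ord(c) for c in s[i:i + RUN_THRESHOLD]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _is_dictionary_word(secret: str) -> bool:
    """Assumption: a dictionary word followed by up to four digits/symbols
    ('summer2021', 'dragon!') still counts as a dictionary word."""
    core = re.sub(r"[\d\W_]{0,4}$", "", secret.lower())
    return core in DICTIONARY


def _context_terms(username, service):
    """Username, service name and simple derivatives (reversed, punctuation stripped)."""
    terms = set()
    for raw in (username, service):
        if not raw:
            continue
        t = raw.lower()
        terms.update({t, t[::-1], re.sub(r"[^a-z0-9]", "", t)})
    return {t for t in terms if len(t) >= 3}   # ignore very short fragments


def screen_secret(candidate: str, username: str = None, service: str = None) -> Verdict:
    """Apply the 800-63B blocklist checks; the first failing check is reported."""
    if len(candidate) < MIN_LENGTH:
        return Verdict(False, f"must be at least {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        return Verdict(False, f"must be at most {MAX_LENGTH} characters")
    low = candidate.lower()
    if low in BREACH_CORPUS:
        return Verdict(False, "appears in a list of previously breached passwords")
    if _is_dictionary_word(candidate):
        return Verdict(False, "is a dictionary word, optionally with a short suffix")
    if _has_run(candidate):
        return Verdict(False, f"contains {RUN_THRESHOLD} or more repeated or sequential characters")
    for term in _context_terms(username, service):
        if term in low:
            return Verdict(False, "contains your username or the service name, or a simple variant of it")
    return Verdict(True)


if __name__ == "__main__":
    for pw in ["password123", "Summer2021", "1234abcd", "jdoe2021!", "short", "orbit-mango-kettle-42"]:
        v = screen_secret(pw, username="jdoe", service="SAP-NS2")
        print(f"{pw!r:26} -> {'accepted' if v.accepted else 'rejected: ' + v.reason}")
```

The comparison is case-insensitive on purpose: an attacker trying a breach list will try case variants, so “Password123” should fail for the same reason “password123” does. The verdict carries the reason because the guidance requires telling the subscriber why the value was rejected, not just that it was.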
The short answer? Absolutely. FedRAMP is a defined set of security controls for cloud systems that commercial companies would benefit from leveraging. By understanding how FedRAMP has defined the security controls, companies will understand how to use it as a yardstick for cloud security. To obtain FedRAMP authorization a CSP must demonstrate that it has implemented the defined controls following the guidance, through an assessment by a FedRAMP-recognized independent third party (3PAO), and pass review by the FedRAMP Joint Authorization Board or an authorizing agency. This is no easy task and is a high standard to achieve.
Companies researching cloud solutions can leverage the FedRAMP security control baseline as a standard to measure the CSP against. A CSP that has taken the time to implement the NIST 800-53 family of security controls, following FedRAMP guidance, and achieved FedRAMP Authorization status has a proven level of security across the infrastructure, platform, and application levels of the solution. It also demonstrates a level of competence across the CSP’s Operations and Security teams.
The fiscal 2021 budget suggests emerging technology ranks among the federal government’s top priorities. Consequently, agencies are feeling more pressure than ever to adopt tools such as artificial intelligence (AI).
Digital transformation doesn’t happen overnight, however. At most agencies, integrating emerging technologies takes significant energy, money and time.
Furthermore, the impact of emerging technologies extends beyond innovation and modernization. Any new technology, whatever benefits it brings, will also introduce new vulnerabilities that must be addressed. That double-edged sword can hinder the speed of adoption.
“It’s about the accelerated pace of emerging technology. With any emerging technology, there’s enormous potential. But there’s a lag before we can put it to use.” – Dean Pianta, Cloud Director at SAP NS2
Unfortunately, technology environments that constantly change can create multiple risks for agencies. For starters, every shift in technology opens fresh security vulnerabilities that weren’t there before.
“It’s easy to take advantage of cheaper, quicker infrastructure that isn’t as locked down,” Pianta said. “There’s so much coming out that we as humans can’t consume all of it.”
Cost overruns are another risk for agencies. As their technology environments evolve, many agencies are surprised by the spending it takes to keep up.
“These are the things that you figure out as you stub your toe,” Pianta said. “But you don’t figure that out on Day One.”
Finally, agencies are notorious for being risk-averse, and their technology environments may lack a key factor for success: Agility. In turn, these agencies won’t be able to react to the fluid demands of their citizens and missions.
Currently, agencies are navigating the COVID-19 pandemic. Within days, the outbreak forced agencies to operate in ways they had not prepared for. Which agencies can handle the bandwidth requirements for their entire workforce to telework? Which agencies have the tools to collaborate, gain insight and shape outcomes in real time? Saying “no” to emerging technology might look like the safest way to limit risk and cost during this period, but standing still is not an option. Agencies need a comprehensive innovation strategy for keeping up with a world that never slows down.
Cloud is crucial for a comprehensive innovation strategy for several key reasons:
“If done properly, you can add new features and drive business value with the click of a button,” Pianta said. “This is where commercial innovation supporting millions of users around the world can make its way efficiently, effectively and securely to the ‘tip of the spear.’”
This article is an excerpt from GovLoop’s recent report, “A Comprehensive Strategy for Driving Innovation.”
Download the full report here.
It’s no secret that cloud computing can radically change the IT infrastructure of government organizations.
It delivers consistent performance and the ability to monitor and manage resources at any time for mission-critical workloads. Cloud computing also brings agencies dramatic gains in operational efficiency, performance, and security. What is missing from most commodity cloud providers is the ability to deliver Application Service Level Agreements as part of their cloud contracts.
Choosing a cloud provider who can offer a guaranteed up-time gives you the ability to have a clear understanding and vision of what to expect in terms of service and performance from your provider.
So, do you go at it alone? You can, but from what I have seen, organizations using more traditional implementation methods have limited visibility and understanding into the vast number of operational tasks that keep you up and running.
A lot can go wrong if components like the operating system, database provisioning, firewalls, or networking/bandwidth delivery are executed incorrectly. Inexperience with cloud commodity providers can also lead to incredibly expensive cloud resources when not managed correctly.
So, the real question becomes: What technology does your organization actually need and who will securely provision these systems? The balance of science and art is what makes the SAP NS2 Cloud such a success.
The SAP NS2 Cloud offers customers a single point of contact for all their cloud needs. Combining infrastructure, SAP Applications, and a fully managed cloud delivery team, we can implement even the most complex landscapes in record time.
We take the burden of planning, provisioning, and managing the IT landscape off of our customers. Using SAP best practices, custom built tools for automation, and a team of cleared SAP cloud experts, our customers have peace of mind knowing we are there to help every step of the way, while giving them room to grow and change.
In today’s world, there are always new and unanticipated challenges and the world of cloud computing is no different. The only way to consistently overcome these challenges is to create an Application Service Level Agreement (ASLA), guaranteeing that the entire solution stack from networking and infrastructure to the application is securely provisioned.
ASLAs ensure these SAP applications are accessible at a moment’s notice with the data you need to complete your mission. As the only provider of SAP Cloud currently offering ASLAs to the federal government, we are committed to ensuring that the hundreds of tasks you need to be completed are properly implemented and managed by SAP Cloud Experts for the life of the contract, not just the provisioning process.
There has never been a better time to make the move to the cloud for your agency.
If you’d like more information on how SAP NS2 Cloud can help you make a seamless, secure, and scalable transition, visit https://sapns2.com/cloud/ to learn more.
As the COVID-19 pandemic began to threaten lives around the world, SAP NS2 realized something needed to be done. So we followed a logical approach, focusing on our expertise, to help.
Our focus was to collect and leverage data to better understand, track, plan for, and help others identify ways to contain the virus. Because we realized the importance of data insights early on in the pandemic, we were able to find analytic solution sets that could be quickly and effectively deployed to keep pace with the growing data landscape.
And it was all done by using SAP Analytics Cloud.
We chose SAP Analytics Cloud (SAC) for its codeless, drag-and-drop UX simplicity, as well as its multi-functional capabilities. This would prove to make the process of developing a comprehensive and visually appealing overview possible in a short amount of time.
The software combines predictive and forecasting capabilities, such as triple exponential smoothing or linear regression, with customizable canvases for building analytic dashboards. The end result is a set of data visualizations that turn complex information into situational awareness.
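As an added illustration of the two methods just named, and not SAC’s own implementation (whose internals this page does not describe), here is the additive form of triple exponential smoothing, the Holt-Winters method, alongside an ordinary least squares trend fit, run on a constructed daily series with a weekly pattern. The series is synthetic, not COVID-19 data, and the smoothing constants are arbitrary choices.

```python
"""Additive Holt-Winters (triple exponential smoothing) and ordinary least
squares on a constructed series with linear growth and a weekly offset."""

SEASON = [5, -3, 2, 0, -4, 1, -1]   # constructed day-of-week offsets (sum to zero)


def make_series(n, base=100.0, slope=3.0, season=SEASON):
    """Constructed sample: linear growth plus a repeating weekly offset.
    Stands in for a daily count series; it is not real case data."""
    return [base + slope * t + season[t % len(season)] for t in range(n)]


def linear_trend(series):
    """Ordinary least squares fit y = intercept + slope * t; returns (intercept, slope)."""
    n = len(series)
    t_mean = (n - 1) / 2
    y_mean = sum(series) / n
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in enumerate(series))
    slope = sxy / sxx
    return y_mean - slope * t_mean, slope


def holt_winters_additive(series, season_len, alpha, beta, gamma, horizon):
    """Forecast `horizon` steps ahead with additive level, trend and seasonality.
    alpha, beta, gamma in (0, 1) weight each new observation against the running
    level, trend and seasonal index respectively."""
    m = season_len
    if len(series) < 2 * m:
        raise ValueError("need at least two full seasons to initialise")
    # Initialisation from the first two seasons: the trend is the per-step change
    # between their means, the level is placed at the end of season one, and the
    # seasonal indices are the detrended residuals of season one.
    mean1 = sum(series[:m]) / m
    mean2 = sum(series[m:2 * m]) / m
    trend = (mean2 - mean1) / m
    level = mean1 + trend * (m - 1) / 2
    seasonal = [series[i] - (mean1 + trend * (i - (m - 1) / 2)) for i in range(m)]
    # Recursive smoothing over the remaining observations.
    for t in range(m, len(series)):
        y = series[t]
        prev_level = level
        level = alpha * (y - seasonal[t % m]) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
        seasonal[t % m] = gamma * (y - level) + (1 - gamma) * seasonal[t % m]
    n = len(series)
    return [level + h * trend + seasonal[(n + h - 1) % m] for h in range(1, horizon + 1)]


if __name__ == "__main__":
    history = make_series(28)                       # four weeks of history
    forecast = holt_winters_additive(history, 7, alpha=0.5, beta=0.3, gamma=0.4, horizon=7)
    actual = make_series(35)[28:]                   # the week the forecast is predicting
    for day, (f, a) in enumerate(zip(forecast, actual), start=28):
        print(f"day {day}: forecast {f:8.2f}  actual {a:8.2f}")
    print("OLS intercept/slope on history:", linear_trend(history))
```

On a series that is exactly trend plus seasonality the forecast reproduces the next week to rounding error, which is a useful sanity check before trusting the method on noisy data; the OLS slope on the same history comes out slightly below the true 3.0 because a straight line ignores the weekly pattern, which is why the seasonal method is the better fit for day-of-week data.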
Built on SAP Cloud Platform as an entirely web-based SaaS solution, SAC takes full advantage of the most fundamental cloud capabilities: scalability, agility, and on-demand deployment.
It also has full integration with SAP, third-party, and open-source databases, apps, and services. This connection provides live insights into multiple data sets without the need to load them directly into the system.
End users can then see the latest updates without having to initiate any formal extract, transform, load (ETL) process.
This flexible integration goes one step further with automatic access and connection to an R server and an Esri server. What this means is that it is possible to instantly take advantage of the geospatial capabilities of SAC while visualizing those geo-objects on Esri maps and to write custom R scripts to use bleeding-edge machine learning algorithms on your data.
Data for the SAP NS2 analytic sessions came from two sources: a Johns Hopkins University GitHub repository that aggregated official confirmed-case, death, and recovery counts from health organizations around the world, and the official IHME forecasts from its site dedicated to COVID-19.
After uploading into the system, the individual columns of data were immediately categorized as numeric, categorical, a date, or a timestamp. From there, we were able to build out relationships and hierarchies between data columns, both logically and geospatially.
Many template designs are available, including blank canvases, for building dashboards with maps, graphics, KPI trackers, and reactive filters. Even though charts in the dashboard must call out to an R server, these complex graphics load in only seconds.
SAC was designed to incorporate ease of use with powerful analytics and visualization tools. The democratization of data analytics opens the door to users of all skill levels to build compelling stories, predictive tools, and complex maps.
It also gives business analysts, statisticians, and data scientists room for lower-level work through more advanced features such as R integration.
Moving forward, SAC has proven to be a fundamental tool for office processes such as supply chain and accounting. It can also be applied to mission-focused requirements such as tracking of a global pandemic.
Agencies can now access invaluable data insights quickly and without a lot of expensive overhead or highly trained personnel.
You can find out more about SAP Analytics Cloud here.