FedRAMP Environments Explained

FedRAMP, or the Federal Risk and Authorization Management Program, is designed to ensure that Cloud Service Providers (CSPs) that provide services to US government agencies employ the proper level of information security.

Essentially, it standardizes CSPs’ approach to security assessment, authorization, and continuous monitoring and provides federal agencies with a secure and efficient way of accessing their services.

To comply with Federal Risk and Authorization Management Program requirements, cloud service providers must implement several baseline security controls based on the data they’re handling in their Cloud Service Offerings (CSOs).

Depending on whether the data is low, moderate, or high impact, the CSP is required to put in place the corresponding security controls.

Understanding the impact levels

The National Institute of Standards and Technology (NIST) released Federal Information Processing Standards (FIPS) 199 to serve as a guide for classifying federal information systems and data based on the level of concern for their confidentiality, integrity, and availability.

Low impact level

Data that is classified as low impact can lose integrity, confidentiality, and availability and still not lead to any drastic effect on an agency’s mission, operations, individuals, finances, or assets.

There are two baseline levels for systems containing low-impact data: low impact SaaS and low baseline. The latter is aimed at cloud service providers handling federal information intended for public use, and it comprises 125 security controls. The former was designed for software-as-a-service systems with low-impact data, and it comprises 38 security controls.

Moderate impact level

This category includes controlled unclassified information, such as personally identifiable information, that isn’t available to the public. Breaches of this data can severely affect the agency’s operations, causing damage to its mission, finances, assets, and individuals.

The moderate baseline comprises 325 controls. Under it, data is protected by means such as automated mechanisms that notify account managers when a user is transferred or terminated.

High impact level

Data in this category, when compromised, can have catastrophic consequences. Potentially, it can lead to government shutdowns, economic derailment, investigative dead ends, and even loss of human life or property.

Usually, high-impact data includes sensitive information, such as data from healthcare, law enforcement, and emergency services agencies.

Manage FedRAMP compliance with TeleMessage across all your Microsoft 365 Government compliance solutions

Cloud service providers for federal agencies demonstrate their FedRAMP compliance with a Provisional Authority to Operate (P-ATO) or an Authority to Operate (ATO) from specific agencies themselves or the Joint Authorization Board (JAB). Notably, the CSPs need to implement mobile archiving and call archiving as well to be compliant.

One of the most trusted and versatile CSPs that meet all the requirements for use by federal agencies handling all kinds of data is Microsoft. The software giant’s 365 Government compliance solutions, such as GCC and GCC High, are designed for agencies handling controlled unclassified information on behalf of the federal government in compliance with FedRAMP, CMMC, and DFARS 7012.

Government Community Cloud (GCC) High is a cloud platform powered by Azure Government that is used by cleared personnel and agencies supporting the US Department of Defense, such as DoD contractors, the Defense Industrial Base (DIB), etc. Meanwhile, for the exclusive use of the Department of Defense, Microsoft has come up with 365 DoD, a solution with data that even contractors can’t access. This solution also has features such as Compliance Manager, Defender ATP, Calling Plans, etc.

Despite all these features, FedRAMP compliance can be achieved only when the right connections are established with the Microsoft 365 GCC solutions for the flow of data from mobile devices.

This is where TeleMessage comes in. As a Microsoft-partnered mobile archiving solution, TeleMessage allows Microsoft 365 compliance centers to import, archive, and monitor for compliance purposes the text messages and calls of regulated employees directly from the instant messaging software used by the organization.

Importantly, mobile communication from all the important carriers, including AT&T, FirstNet, Verizon, etc., can be archived directly for compliance. Employers can capture information directly from Android devices and iPhones, while also having access to communication happening via instant messengers, such as WhatsApp and Signal.

Given that the solution integrates with Microsoft Compliance solutions, including Advanced eDiscovery, Information Governance, and Communication Compliance, federal agencies can have a single repository for their mobile archiving needs. This repository can go a long way in helping the agencies meet Public Records, National Archives and Records Administration (NARA), and Freedom of Information Act (FOIA) requests.

Another major benefit of the TeleMessage archiving solution for federal agencies is that it can enable proactive monitoring of text messages and calls, a key aspect of ensuring mobile compliance. Federal agencies using the solution can get alerts when there is a breach of sensitive data. Aside from that, the solution acts as a source of truth when there are investigations into the agencies, meaning perpetrators of data breaches can easily be identified.

Conclusion

TeleMessage can go a long way in enabling regulatory compliance by working with Microsoft to capture, archive, and maintain text messages, voice calls, and other files, leading to stress-free adherence to all the security controls required as per FedRAMP. Crucially, the mobile archiver supports Microsoft 365 Government Community Cloud, Government Community Cloud High, and Department of Defense solutions across all devices, carriers, and instant messengers.

Federal agencies and contractors can issue their own phones to personnel or have their employees use their own devices (BYOD) because TeleMessage can still securely retain all the communication within its servers or have it forwarded to a data storage vendor of choice. There is also the option of cross-carrier and international mobile text and call archiving.

You can learn more about TeleMessage’s Microsoft compliance solutions here.

About TeleMessage

TeleMessage captures and retains mobile content, including mobile SMS messages, voice calls, WhatsApp, and WeChat conversations from corporate or BYOD mobile phones to ensure compliance with various data protection regulations. The messages are securely and reliably retained within TeleMessage servers or forwarded to your choice of archiving data storage vendor.

Our mobile archiving products securely record content from mobile carriers and mobile devices for various ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:

TeleMessage offers cross-carrier and international mobile text & call archiving for corporate and BYOD phones. Visit our website at www.telemessage.com to learn more about our mobile archiving products.

 
