Proofpoint Security Awareness Training Announces FedRAMP In Process Status

August 07, 2019
Mike Bailey

Proofpoint is proud to announce that Proofpoint Security Awareness Training has achieved Federal Risk and Authorization Management Program (FedRAMP) In Process status. We’re working with the FedRAMP Program Management Office (PMO) toward a FedRAMP Agency Authorization.

The government-wide FedRAMP program reduces government IT costs by approximately 30–40 percent. When the process is complete, Proofpoint Security Awareness Training will be certified as a FedRAMP-defined Moderate-Impact software-as-a-service (SaaS) offering, which enables Proofpoint to manage controlled, unclassified information such as personally identifiable information (PII) with over 300 controls.

Helping Government Agencies Improve Security by Leveraging the Cloud

This effort is part of Proofpoint’s broader commitment to help federal agencies protect their most valuable and most attacked asset: their people. We recently announced that Proofpoint email security solutions have received FedRAMP Authority to Operate (ATO) from the Federal Communications Commission. Our archiving solutions have had FedRAMP ATO since early 2017.

The email security ATO covers the Proofpoint Email Protection, Targeted Attack Protection (TAP), and Email Data Loss Prevention (DLP) products and marks a crucial step in receiving FedRAMP certification from the General Services Administration (GSA).

The archiving ATO covers our Enterprise Archive product. This is important for companies looking to meet National Archives and Records Administration (NARA) and Freedom of Information Act (FOIA) compliance mandates, including the Capstone approach for managing federal records electronically.

FedRAMP Moderate vs Low-Impact SaaS

There are two major reasons why government agencies should utilize a FedRAMP Moderate solution like Proofpoint Security Awareness Training vs. a Low-Impact SaaS solution:

First, agencies need to consider what counts as PII, and what PII is collected in their security awareness programs. Some agencies may determine PII includes attributes like email address, first or last names, department, age, title, office location, hire start date, and other common attributes many organizations want to include for reporting. With a Moderate solution, there are strict security implementation and operational requirements that PII data be protected. With a Low-Impact SaaS implementation, there is no such assurance.

Second, agencies need to consider the sensitivity of the data surrounding the interactions of their employees with their security awareness training program. For example, a FedRAMP Moderate solution protects interactions with simulated phishing attacks, knowledge assessments, training modules, and reported phishing emails, as well as any other interaction with the platform, and enables these interactions to be reported on over time to gauge progress. With a Low-Impact SaaS implementation, the protection requirements are much weaker, and agencies may not want to take the risk of storing and reporting on that employee data.

FedRAMP itself says it best, noting that the Moderate-Impact level certification “accounts for nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals.”

By contrast, security awareness training programs at the Low-Impact SaaS FedRAMP level are most appropriate “for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals.”

Security Awareness Training Optimized for Federal Requirements

As an organization that works with many federal agencies performing critical missions, we felt that it was important to give our customers better peace of mind about protecting their data, assets, and people. This Moderate FedRAMP implementation, when completed, will provide our Federal customers with the confidence to securely store PII and report on their progress over time.

With this leadership position and our investment in FedRAMP, we are thrilled to better serve our Federal customers. We look forward to continuously innovating with our security awareness training solutions, recently recognized by Gartner as a Leader for the sixth year in a row in the Magic Quadrant, to meet the needs of this critical segment for best-in-class security.

To learn more about all our products for the Federal space, please visit our Federal Solutions page.
