What does FedRAMP authorized mean to your federal agency?
What Security Protections are Offered by FedHR Navigator?
EconSys is committed to providing our clients with the highest levels of data and system security, ensuring their data and the Personally Identifiable Information (PII) of federal employees remain secure. It was for this reason that EconSys became an early implementer of FedRAMP (Federal Risk and Authorization Management Program), which defines FISMA security as it applies to cloud-based solutions, such as FedHR Navigator.
FedRAMP is a government-wide program—sponsored by the General Services Administration (GSA), Department of Defense, and Department of Homeland Security—that provides a standardized approach to security assessment, authorization, and continuous monitoring for products and services in the Federal Cloud.
To support this effort, FedHR Navigator was moved to a FedRAMP authorized facility effective February 2013, and FedHR Navigator itself was granted a Joint Authorization Board (JAB) Provisional Authority to Operate (P-ATO) that meets the FedRAMP requirements on April 25th, 2014. Economic Systems works closely with the FedRAMP program management office and its FedRAMP accredited 3rd Party Assessor Organization (3PAO), SecureIT, to meet FedRAMP requirements for continuous monitoring and undergoes an annual assessment. Under the terms of this authorization, FedHR Navigator requires multi-factor authentication. Users authenticate using their personal identity verification (PIV) card or time-based one-time passwords sent via SMS. In March 2016, EconSys was certified as operating at Rev 4 under FedRAMP, incorporating 80 new security controls from Revision 4 of the NIST Special Publication SP-800-53.
FedHR Navigator is hosted in the Autonomic Resources Cloud Platform (ARC-P), one of the Infrastructure as a Service (IaaS) providers, which maintains a P-ATO with FedRAMP for FIPS 199 High categorization. EconSys was the first HR Software-as-a-Service (SaaS) provider to receive a FedRAMP authorization. EconSys complies with FedRAMP and FISMA security controls regarding data protection and continuous monitoring. Furthermore, FedHR Navigator has been granted ATOs by the Department of Homeland Security, the Department of Defense, the Department of the Interior, the Department of Transportation and others. Information about the FedRAMP Charter can be found at FedRAMP.gov.
Advantages of a FedRAMP Authorized Cloud Solution
The chief advantage that FedHR Navigator offers over an on-premise solution is that the cost for hosting and for certification and accreditation is largely covered in the cost to use FedHR Navigator. Issuing an ATO for a moderate risk system under FISMA involves about 200 controls and 100 control enhancements. EconSys has implemented nearly all of the applicable controls, leaving only about 30 with a customer responsibility or customer-shared responsibility. EconSys has documented and maintains the System Security Plan (SSP) using the FedRAMP template and pays for an annual assessment, including a System Assessment Plan (SAP) and System Assessment Result (SAR). EconSys also performs continuous monitoring (CM) and makes CM artifacts available to authorized parties. EconSys covers all hosting costs. EconSys can provide this service at an economical price due to economies of scale.
With an on-premise solution that provides the same functionality as FedHR Navigator, the Government would be responsible for writing the SSP, completing an annual assessment, and performing CM for the 300 controls and control enhancements. The Government would also pay for hosting and the maintenance work required to do the hosting, such as applying security updates to software and replacing hardware when it fails. The Government would need to establish an Information System Security Officer and assemble a team of systems administrators, including a database administrator, to maintain the system.
The purpose of a web-based solution, such as FedHR Navigator, is to allow HR Specialists to save their work and continue working on it at another time, to allow HR Specialists to share work, and to allow management to monitor work. With software installed on individual desktops and laptops, none of this is possible. Locally running software cannot pre-populate service or salary history, and it cannot pre-populate information needed for retirement application forms. It also cannot provide employees with on-demand access to perform their own estimates and view estimates prepared by specialists.