FedRAMP

Meet federal cloud security requirements with FedRAMP-authorized infrastructure providing standardized security assessments for government data protection.

How Kiteworks Supports FedRAMP Compliance

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by U.S. federal agencies. FedRAMP leverages NIST SP 800-53 security controls to establish a baseline for cloud security, ensuring that cloud service providers meet rigorous security requirements before government data is entrusted to their platforms. Kiteworks holds FedRAMP High authorization, demonstrating the highest level of cloud security compliance.

FedRAMP Program Overview

FedRAMP was established to accelerate the adoption of secure cloud solutions by federal agencies while eliminating redundant security assessments. The program provides:

  • A standardized security framework based on NIST SP 800-53
  • A "do once, use many" authorization model that reduces duplicative assessments
  • Continuous monitoring requirements ensuring ongoing security compliance
  • A marketplace of authorized cloud service providers for agency selection

Authorization Levels (Low/Moderate/High)

FedRAMP defines three authorization levels based on the potential impact of a security breach:

Impact Level | Control Count | Data Types                                                          | Kiteworks Status
-------------|---------------|---------------------------------------------------------------------|---------------------
Low          | 156 controls  | Non-sensitive data, public information                              | Exceeds requirements
Moderate     | 325 controls  | PII, PHI, financial data, CUI                                       | Exceeds requirements
High         | 421 controls  | Law enforcement, emergency services, financial, health, defense     | Fully authorized

Kiteworks FedRAMP High Authorization

Kiteworks has achieved FedRAMP High authorization, the most rigorous level of cloud security certification available. This authorization demonstrates:

  • 421 Security Controls: Full implementation and assessment of all High baseline controls from NIST SP 800-53.
  • Independent Assessment: Rigorous evaluation by an accredited Third-Party Assessment Organization (3PAO).
  • Government Sponsorship: Federal agency sponsorship validating the operational need and security posture.
  • Continuous Compliance: Ongoing monitoring, annual assessments, and regular reporting to the FedRAMP PMO.

NIST 800-53 Control Baseline

Kiteworks implements the complete NIST SP 800-53 High baseline, covering all 20 control families, including:

  • Access Control (AC): Role-based access, least privilege, separation of duties, remote access controls
  • Audit and Accountability (AU): Comprehensive logging, immutable records, real-time monitoring
  • Security Assessment and Authorization (CA): Continuous assessment, penetration testing, security plan maintenance
  • Configuration Management (CM): Baseline configurations, change control, software restrictions
  • Contingency Planning (CP): Business continuity, disaster recovery, system backup and restore
  • Identification and Authentication (IA): Multi-factor authentication, credential management, identity federation
  • Incident Response (IR): Detection, analysis, containment, recovery, and reporting procedures
  • System and Communications Protection (SC): Encryption, boundary protection, secure communications

Continuous Monitoring Program

FedRAMP requires an ongoing continuous monitoring (ConMon) program. Kiteworks maintains:

  • Monthly vulnerability scanning and remediation
  • Annual penetration testing by independent assessors
  • Continuous automated security monitoring
  • Monthly and annual ConMon deliverables to the FedRAMP PMO
  • Real-time security event correlation and alerting

Plan of Action and Milestones (POA&M)

Kiteworks maintains a comprehensive POA&M that tracks:

  • Identified security weaknesses and their remediation timelines
  • Resource allocation for addressing security findings
  • Risk-based prioritization of remediation activities
  • Progress tracking and milestone achievement

Third-Party Assessment Organization (3PAO) Audits

Kiteworks undergoes rigorous assessment by accredited 3PAOs, including:

  • Initial readiness assessment and gap analysis
  • Full security assessment of all applicable controls
  • Annual reassessment to validate continued compliance
  • Ad-hoc assessments for significant changes

Agency ATO Support

Kiteworks supports federal agencies in obtaining their own Authority to Operate (ATO) by providing:

  • FedRAMP Security Package: Complete documentation including System Security Plan (SSP), policies, and procedures.
  • Customer Responsibility Matrix: Clear delineation of security controls between Kiteworks and the agency.
  • Integration Support: Technical assistance for connecting agency systems to Kiteworks.
  • Compliance Evidence: Artifacts demonstrating control implementation for agency security teams.

Supply Chain Risk Management

FedRAMP High requires comprehensive supply chain risk management. Kiteworks addresses this through:

  • Vendor risk assessment and management processes
  • Software composition analysis for third-party components
  • Supply chain integrity verification
  • Provenance tracking for all software dependencies

Incident Response and Reporting

Kiteworks maintains a robust incident response program aligned with FedRAMP requirements:

  • 24/7 security operations center monitoring
  • Incident detection, analysis, and containment procedures
  • Required reporting to FedRAMP PMO and sponsoring agencies within specified timeframes
  • Post-incident analysis and lessons learned
  • Integration with US-CERT reporting requirements

By leveraging Kiteworks' FedRAMP High authorized platform, federal agencies can confidently deploy secure file sharing, email, managed file transfer, and web forms knowing that the infrastructure meets the most stringent federal cloud security standards.