Zscaler Becomes The First Cloud Services Provider to Receive FedRAMP Authorization For A Dedicated Zero Trust Remote Access Platform
ZPA-Government, Zscaler Cloud Security Granted Authority to Operate by FCC
San Jose, California, August 13, 2018
Zscaler, Inc., the leader in cloud security, today announced that Zscaler Private Access-Government (ZPA™-Government), its application access platform, meets the Federal Risk and Authorization Management Program (FedRAMP) Moderate security requirements and was granted Authority to Operate (ATO) by the Federal Communications Commission (FCC). ZPA-Government is the first Zero Trust remote access platform that has received FedRAMP approval. FedRAMP Authorization enables Zscaler to expand its sales pursuit of Federal market share.
FedRAMP is a federal program which assures a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud products and services.
With this milestone, Zscaler can market and sell the company’s ZPA-Government cloud service to government agencies wanting to access sensitive applications and data from anywhere on any device, while maintaining the highest levels of security and performance set by FedRAMP’s stringent security compliance standards.
"We've found Zscaler to be a valuable partner as we move to a Zero Trust architecture to better secure our users as they access the ever-increasing number of applications delivered on cloud services," said Byron Caswell, Senior Advisor for FCC's Information Technology organization, and core member of the FCC's FedRAMP Authorization program. "Our decision to sponsor ZPA-Government for a FedRAMP Moderate Authorization is evidence of the Commission’s belief that the cloud offers a more secure, efficient, and cost-effective way to secure core Federal missions. With ZPA-Government we’re able to connect trusted users to trusted internal applications over a Zero Trust platform, eliminating issues associated with traditional Trusted Internet Connections (TIC)-based VPN solutions that require significant maintenance and excessive backhauling.”
TIC, a mandate from the Office of Management and Budget (OMB), was issued in 2007 to ensure that all external connections are routed through a government agency that has been designated as an approved TIC Access Provider. It is widely considered to cause latency for remote users accessing modern-day cloud and externally hosted applications.
ZPA-Government is a cloud-based service that provides seamless and secure Zero Trust access to internal applications for authorized users. The service uses a software-defined perimeter, not appliances, to provide comprehensive security and a fast, seamless user experience. Access is the same whether agency applications are hosted in the government data center, in the AWS GovCloud, or in another service. ZPA-Government replaces legacy VPN technology and provides encrypted (TLS 1.2) connections to applications. ZPA-Government uses signaling technology over the internet to create this encrypted connection without the inherent risks of a VPN, which can expose critical data. ZPA-Government allows users to create a trust-to-trust connection, meeting the federal government’s encryption guidelines and allowing traffic to bypass the TIC mandate.
ZPA-Government connects users to applications without placing the users on the network, not only eliminating the risks introduced by unmanaged devices but also reducing the threat of lateral access. Inside-out connectivity ensures that applications are “dark” to unauthorized users and that they are never exposed to the internet, reducing the possibility of DDoS or other internet-based attacks. In addition, ZPA-Government provides visibility into an agency’s full internal application environment, enabling IT to understand user activity and discover and define access policy for internal applications.
“The rise of the mobile workforce and the increased use of cloud-based applications have eroded the security perimeter,” said Stephen Kovac, Vice President of Global Government and Compliance, Zscaler. “Agencies need cloud-based security solutions to securely connect trusted users to trusted internal applications. ZPA-Government’s Zero Trust approach does just that, without using a VPN, and without the backhaul latency of the TIC-based VPN solutions.”
FedRAMP is a government-wide program with input from numerous departments, agencies, and government groups. The program’s primary decision-making body is the Joint Authorization Board (JAB), comprised of the CIOs from DOD, DHS, and GSA. In addition to the JAB, other organizations such as OMB, the Federal CIO Council, NIST, DHS, and the FedRAMP Program Management Office (PMO) also play key roles in effectively running FedRAMP.
Using a “do once, use many times” framework, the program ensures information systems/services used government-wide have adequate information security; eliminates duplication of effort and reduces risk management costs; and enables rapid and cost-effective procurement of information systems/services for federal agencies.