Workiva FedRAMP Li-SaaS ATO
InfusionPoints Helps Workiva achieve a FedRAMP LI-SaaS ATO
Workiva is a leading SaaS provider of Wdesk, an enterprise cloud platform for data collaboration, reporting, and compliance technology.
Wdesk has been utilized by thousands of organizations worldwide and was initially developed for commercial use. Workiva saw a clear business advantage in achieving a FedRAMP Low-Impact Software-as-a-Service (LI-SaaS) authorization for obtaining future federal, state, and local government, education, and commercial customers.
The FedRAMP Authority to Operate (ATO) process proves out the rigor of a company’s cyber security process and technology they use to protect and defend their environment, but Workiva would need a trusted advisor to support them through the process.
"The can-do attitude and domain expertise that InfusionPoints brought to our ATO pursuit project accelerated our success. Not only did they quickly produce our system security plan and attachments, we earned compliments from the FedRAMP PMO for the high quality of this work." Jeff Bivens - Technical Program Manager at Workiva
Securing Workiva’s customer data with FedRAMP on AWS
To achieve a FedRAMP ATO, Workiva needed a seasoned FedRAMP advisor who had both FedRAMP experience and expertise with infrastructure layers including Amazon Web Services.
Adhering to FedRAMP government security requirements can be challenging for commercial organizations who are unfamiliar with federal requirements. InfusionPoints applied our expertise and strong understanding of FedRAMP requirements and AWS infrastructure capabilities to develop a solid plan of action for obtaining a FedRAMP LI-SaaS ATO.
InfusionPoints leveraged Wdesk and Agile to rapidly achieve ATO
The joint team used Wdesk to document the FedRAMP security controls allowing for easy collaboration on all documentation required for the FedRAMP LI-SaaS ATO package. We also leveraged an agile methodology using sprints and a point system to provide structure to keep focus on areas that needed the most attention.
InfusionPoints conducted a series of workshops with Workiva, which included stakeholders, cloud and security engineers, and control owners, to assess Wdesk against the FedRAMP and AWS requirements.
Next, we established the system boundary and inventory by determining the in-scope processes, data locations, ingress and egress points for federal data, and inherited AWS security controls. Then, we developed security control language for the FedRAMP LI-SaaS System Security Plan (SSP) by leveraging our expert knowledge of FedRAMP compliance, and analysis of Wdesk.
InfusionPoints provided an onsite audit support team who has successfully worked with 3PAOs on other FedRAMP audits, ensuring a smooth audit process. As a result, Workiva was granted the ATO in only 5 months from when the team started, becoming fully compliant with FedRAMP’s strict cyber security requirements.
"We are fortunate to have a trusted adviser with InfusionPoints - their knowledge and experience is invaluable, and their approach is pragmatic and effective."
Jason Wille, VP of IT at Workiva
Through collaboration, Workiva and InfusionPoints will continue to work together
Through a team with a high degree of FedRAMP and AWS knowledge, InfusionPoints helped Workiva understand how their SaaS offering aligned with FedRAMP's requirements and were able to:
- Clarify the FedRAMP authorization process
- Enhance current processes and technology to meet requirements
- Document the required controls
- Establish a continuous monitoring program
The efforts of Workiva and InfusionPoints team allowed Workiva to meet the stringent cyber security requirements of FedRAMP and achieve an ATO from the FedRAMP PMO.