Securing WordPress in the Cloud: A FedRAMP Compliant Solution
In this webinar, presented with WordPress VIP partner Infostride, discover how to strengthen the security of your WordPress website in the cloud while achieving FedRAMP compliance.
Learn how WordPress VIP’s cutting-edge security features and dependable cloud infrastructure give your website the highest level of data protection.
Understand the process of gaining FedRAMP compliance with real-world case studies and success stories, and confidently take the first step towards bolstering the security of your website.
Speakers
Ritu Mangla, Founder and CEO, InfoStride
Peter Slutsky, WordPress VIP
Moderator: Jodie Fiorenza, WordPress VIP
Transcript
Jodie Fiorenza:
Thank all of you for joining us today, and welcome. We actually have two companies here today presenting and sharing this webinar with you today. My name is Jodie Fiorenza. I’m from a company called WordPress VIP, which is part of the Automattic family. I’m a partner manager and one of the things that I get to do in this role is work with really incredible agencies all around the world, and I’m very proud to say that InfoStride, who has set up this webinar and created it for all of you today, is one of our newest public sector partners in our agency program at WordPress VIP. So, it’s a real honor to be working with them today and getting you out some important information about something called FedRAMP, and we’re going to jump in and talk about what all of that means.
As I said earlier in the webinar, we are going to be recording this for future reference. There is a Q&A section opened. Please leave your questions in the Q&A section. Towards the end of the webinar, we’ve left enough time to go ahead and get to all of those. So, if something pops up in your mind, just type it in there and we’ll be sure to get to it. For sure. I’d like to introduce you to the wonderful people that are joining me today. I’m very excited to have them. I’m going to start with my colleague here at WordPress VIP, Peter.
Peter Slutsky:
Hello, everyone. Thank you, Jodie. I’m Peter Slutsky. I’m actually based out of Philadelphia, but today am in Mexico City. So, I’m in a hotel room. Hoping for two things. One, that the internet is stable and two, that the lighting stays okay, because I had to change my hotel room around a bit to make this all work.
It’s wonderful that you all joined. We really appreciate it. I’m really excited to be here to talk about FedRAMP and some of our journey in the FedRAMP process, and then to answer questions. Just a little bit about me. I’ve been at WordPress VIP for over 10 years, just about 11 years, and since the beginning have always been focused on the public sector and politics and nonprofit in those areas. That’s my background. But really in the last couple years it’s accelerated as our team has built a public sector program and achieved our FedRAMP ATO, which I’ll talk about in a few minutes in more detail.
But it’s been an incredible journey and I think the real testament to that is the fact that we have these phenomenal partners that have joined our program, that can help accelerate our growth and be on the implementation side of these projects that we’re working on. So, with that, I will introduce InfoStride and Ritu, and we can kick it off from there.
Ritu Mangla:
Thank you. Thank you Jodie, and thank you Peter, and InfoStride team to make this webinar happen. Super excited to be here. My name is Ritu, I’m founder and CEO of InfoStride. We are the first public sector agency partner with WordPress VIP. So, we are really happy and excited about it.
Given my background and what InfoStride does, we are a IT services and solutions company. As the global pandemic continues, or we navigate through it, what we have realized is that digital transformation is much more important than it was before, and InfoStride specialize in that.
So, as of now, we are globally present in APAC, Middle East. Headquartered in San Jose, California with a team size of over 200-plus people, I would say, catering to our commercial and public sector clients and to providing digital transformation services and solutions.
Jodie Fiorenza:
Thank you both. I’m really excited. We’re going to go ahead and dive in. I will be working the slides. So, this is my favorite part because I overclick, and I always say that every time, because it’s true. So, Peter, we’re going to jump in. Take it away.
Peter Slutsky:
I love a good overclick, and thank you for running slides. I will just yell at you when we need to advance. I appreciate it, Jodie. Okay.
Jodie Fiorenza:
Love it.
Peter Slutsky:
So, let me start. Yeah. I’ll start with a quick introduction to FedRAMP. So, I’m looking at the attendee list and I recognize a lot of names and I know a lot of you folks will have context, but as we share this webinar out to people, I want to make sure that everyone has a baseline understanding of what FedRAMP is, why it’s important, and to give that context as to why it has been such a priority for our company as we’ve ascended into the public sector.
So, FedRAMP, it stands for the Federal Risk and Authorization Management Program. It is run out of the Federal Government, out of the GSA. It’s a government-wide program that essentially provides a standardized approach to security controls. And the most important piece of that is, I think, the ongoing, continuous monitoring, which is the way that the FedRAMP office and the FedRAMP PMO ensures that a company is doing what they say that they’re doing.
So, like anything, you can start in compliance, like let’s take 508, for example, you can be 508 when you launch a website, but you can fall out of 508 if you don’t do continuous monitoring on that effort and make tweaks and changes as the site continues to grow. The same thing can happen with security controls.
And what FedRAMP really is, is a series of many dozens or hundreds, depending on the level of FedRAMP, it’s a series of controls that the Federal Government has said they would like to see a cloud service provider, a CSP, have in place in order to host government data. And so, that is the overview of what FedRAMP is. We can advance the next one and I’ll talk a little bit more.
Okay. And then the purpose, there’s a couple purposes and it doesn’t encompass everything on this slide, but this is a good overview. So, first of all, security safeguards. So, the government wants to make sure that any federal website that is hosting data, has a shared standard of compliance. And there are differences, and I want to make sure it’s clear, between security and compliance. Security is the underlying effort around what your systems do and then compliance is in a lot of parts the effort to assure that that is done, to prove that it’s done, to show that it’s done, and then ongoing, to make sure that it continues to be done. So, those two efforts work together between security and compliance.
But the government really wants to make sure that if a federal agency is going to leverage a CSP, a cloud service provider, that is a private company like WordPress VIP, that they are doing it with a shared standard or shared understanding of what security practices and compliance practices look like.
It is also a cost savings. So, they want to eliminate efforts and ensure that costs are saved across the government, so that you’re not going out and having to reinvent the wheel every time you go and evaluate a cloud service provider. This is a standard. So, when a buyer in the government goes to the FedRAMP marketplace and looks at the list and sees, for example, WordPress VIP, they know that WordPress VIP has gone through this rigorous process, has spent the time, the effort and the resources to ensure that they are FedRAMP compliant. And they don’t have to then go out and procure something and have that company go through another whole process or have the government employee or contractor spend a lot of time and a lot of cycles, or months, or years sometimes, going through security assessments on their own. They know that there’s this standard, and that is a cost savings and a process savings for the government.
And then for procurement and information systems people, it’s a very important standard because it ensures that there’s efficiency. And when you’re a government agency that wants to use a product, you want to know that you can go and get that product. And I think the stories that I’ve heard, at least, before my time working in the public sector space, it was really hard to go out and procure products because, again, you had to go through these cycles of evaluations, security assessments, all those things, before there was a shared, unified standard. Those are the purposes of FedRAMP.
There’s a shared language and understanding around FedRAMP compliance and FedRAMP authorization. So, when I begin having a conversation with a federal agency, we’re all speaking that same security language. So, they know that we have been through the process. We know what they’re looking for in terms of their security and compliance structure.
And then again, with the continuous monitoring, every month or so, a CSP is required to not only go in and ensure that they are staying compliant, but also upload documentation into the Federal Government’s website, repository, and show evidence, evidentiary information that says, “Here’s what we’re doing to stay in compliance with the FedRAMP standards.”
So, it is an undertaking. For folks on this call who have been on my side of FedRAMP, so from a company standpoint, it’s a rigorous process, it’s a huge undertaking, and it’s honestly a game changing moment for a company to undertake. Because you really are not only saying, “We’re going to do these things now.” But, “We’re going to continue to do them.” And having that security and compliance posture is something that is very important ongoing.
So, I know, at least speaking for our team, it’s been a learning process, it’s been challenging at times, but it’s been incredibly rewarding because now we can go and have partners like InfoStride that are working in the space and also, we can go have these amazing conversations with public sector customers who want to leverage these tools, things like WordPress. So, it’s been a really exciting undertaking. Next slide, please.
Jodie Fiorenza:
Yeah. And just as a gentle reminder for those who may have joined us a little bit late, feel free to throw your questions in the question and answer box. And so, when we get through these slides, we’ll be able to go back and get them all addressed.
Peter Slutsky:
Yep. Please. Okay. So, why is it important? This slide covers the importance of it. I covered some of it. I think that the most important point here is risk reduction. So, if you’re a government agency, again, and you want to go use WordPress, for example, open source software, you want to … WordPress is a technology that’s used across the world. It’s the most heavily and commonly used CMS, but it’s used at all different levels, from small businesses all the way up to large enterprise sites. You want to make sure that the flavor of WordPress that you’re leveraging is done in a way that matches your security needs, which is a risk reduction activity.
So, I think that that is the most important reason why compliance with FedRAMP has really kicked off in a big way in the last couple years. I think a lot of the conversations I have, I’m seeing that folks are using cloud service providers that are not FedRAMP authorized and are quickly needing to move, because FedRAMP compliance is becoming mandatory across the Federal Government.
There’s been memos put out by the White House, and there’s also been, I wouldn’t say, laws passed, but there are regulations and standards passed by each of the government agencies that are really requiring FedRAMP and making sure that all of the departments and all the agencies and sub-agencies are looking at FedRAMP authorized CSPs, so that they’re not just going on their own, with their own security posture. And again, this ensures that there is a commonality and common security standard and language across the Federal Government, which is very important.
There’s a point here about 3PAOs, so I want to quickly talk about those. 3PAOs, 3PAOs, they’re third-party assessors and essentially a CSP like WordPress VIP works with the 3PAO throughout the process. So, in our case, we were sponsored by the VA, which was a wonderful relationship for us, and they helped, as our sponsor, get us through the initial FedRAMP process. That is where we got our LI-SaaS authorization.
We then are now moving up to moderate also working with the VA, but we obviously have brought in a third-party assessor to help essentially ensure that the things that we say we’re doing, they can put their stamp on and say, “Okay, we see the same thing, we’ve reviewed the documentation.” And then all of that information gets sent to the FedRAMP PMO, and then the FedRAMP PMO is the one that puts their final approval on it. And that’s when you get put into the FedRAMP marketplace as authorized. So, the 3PAO relationship is very important between the CSP and that outside assessor. Next slide.
Jodie Fiorenza:
Actually, Ritu, if you don’t mind, I’m going to tag you in for a moment because I’d love to hear from-
Peter Slutsky:
Sure.
Jodie Fiorenza:
… the agency perspective, a little bit about the customers that you’re working with and what they’re asking for when it comes to things like FedRAMP, security, all of that.
Ritu Mangla:
Absolutely, and I was going to jump into that. And Peter said it right, because it’s just not the cost saving or the business continuity or be in compliance, but what we have seen lately, the trend has shifted even for the accessibility side of things that we have been working with 20-plus straight contracts. And lately what we have seen that they all are being very … Of course, there are, like the state of Colorado, there’s bill has been passed that they have to be accessibility compliant. Whatever local or state platform, they have to be compliant by July 1st 2024. And that shift is happening across the board, not just federal, but into local and state government, too.
So, with FedRAMP … Because earlier when we were talking to these customers and working on the proposals or working on the digital transformation solutions for them, there were a lot of documentation that needed to be secured because of third-party assessment that’s been happening. And how do we make sure that the business continuity happens or the VPAT, or accessibility, everything? But FedRAMP does solve all that problems. It’s like one umbrella that is catering to everything, and it’s ongoing. I mean, they don’t have to worry about any upgrades or be in compliance in future. So, we see the conversations have changed with those clients when we talk about security compliance using VIP. So, it is a shift.
Peter Slutsky:
That’s a great point.
Jodie Fiorenza:
Thank you for that.
Peter Slutsky:
Yeah. And we’re seeing that as well. I mean, there’s so many different ways that the Federal Government and state and local as well, are bringing controls into their workflows that help the end users. And accessibility is a huge piece of that, securities under the water, behind the wall, things that happen on the platform side and on the infrastructure side, but certainly, accessibility, 508 compliance and those types of things are huge, huge benefits to the public. And they would all fall under this umbrella as well.
Ritu Mangla:
Absolutely. Absolutely.
Peter Slutsky:
Should I pick it back up?
Jodie Fiorenza:
Oh, yeah. Pick it back up. I over-advanced already.
Peter Slutsky:
Pick it back up?
Jodie Fiorenza:
Go for it.
Peter Slutsky:
It’s okay. It’s okay. It’s totally fine. Again, I love a happy trigger finger. Okay. So, more look at security features. So, I’ll read these off and then we’ll talk a little bit more about them and we can answer questions specifically if people have them.
Strict security controls to protect government data and systems. This is obviously a big one. Security categorizations, security controls, continuous monitoring, incident response. Incident response is a huge one. It’s software and we live in a environment where there’s a lot of security incidents that happen, whether it’s DDoS or whatever, foreign actors. As part of the FedRAMP process, you need to have a very defined incident response process. So, that’s a big part of what we work with the FedRAMP PMO on and work with our customers on, to ensure that that is in place for them.
Secure development process, code review, security testing, that can come in the form of many different things from code review, like a manual code review or using automated tooling, security testing, penetration testing, front end and backend. And those things are all done as part of the FedRAMP process, but it can also be done by customers using our platform. We allow third-party pen testing. But again, all those things are to test and verify the elements that we’ve submitted to FedRAMP to say that we have in place to mitigate brute force attacks, DDoS, those types of things.
And then, compliance certifications that are needed to handle sensitive data and protect against cyber threats. Pretty self-explanatory, but again, that speaks to the continuous monitoring aspect of what we do with FedRAMP. And when I am speaking to customers or folks that are using CMSs or evaluating CMSs in the government or public sector space, these are all the questions that we’re getting asked by their IT folks and they want to know, “How do we do these things and do we have a plan in place for all the various components?”
And again, the nice thing about FedRAMP is, and this honestly speaks to also the private sector, because we get asked this with private sector customers as well, is that with FedRAMP, you have this all living in a single place, in a single package. And any government agency, anyone with a .gov email address can request the package and can review it themselves. And then, typically what happens is they would then be able to issue their own ATO authorization within their agency once their team has gotten a chance to review the security package, which encompasses all these different elements.
Okay. So, this is talking a little bit more about VIP’s infrastructure and how we do what we say we do. So, WordPress VIP, we provide a cloud infrastructure for WordPress hosting. It is super secure. It’s super scalable. We work with large customers. We also benefit greatly from working with our parent company, Automattic, which has super global reach and data centers throughout the world. So, we co-locate within those data centers. We don’t leverage AWS, or Azure, or Google Cloud. We have our own infrastructure that is FedRAMP authorized.
And what this does is it, A, gives our systems and security team a very unique opportunity to own the end-to-end experience from the data warehouses to the server, the infrastructure, all those pieces. And we can then super fine tune the way that we want this platform to work. And we really optimize it for uptime, security, and performance. That’s what people really want. They want to be able to use WordPress at scale, because WordPress is such a beloved piece of software, but they want to make sure that it can be done in a way that’s super performant and that scales during big traffic events like the State of the Union with whitehouse.gov, or sites like FiveThirtyEight during election night, or sites, when the Queen died, we host a lot of big news sites that got hammered with just gobs of traffic, concurrent traffic. And our platform was able to ensure that all the sites stayed performant and stayed up and all those kinds of things.
We do things like backups, SSL certs, and just ensuring data integrity. We do managing and monitoring logs. We allow you to log ship, so you can actually ship out logs from our platform into your S3 bucket. And so, both of our teams could be evaluating the site performance, the application layer as needed in real-time. And then, this is just the beauty of WordPress VIP, but the infrastructure is really optimized for the fastest WordPress experience and that’s taken 15 years to optimize, but it’s a benefit of working with a company that is dedicated 100% to running performant and scalable WordPress. So, that is a quick overview of our infrastructure.
Jodie Fiorenza:
We’ll breeze through this one.
Peter Slutsky:
A breeze. A breeze. How did WordPress VIP become FedRAMP compliant? We started the process, as I said, with the VA and we went through agency sponsorship with 3PAO, and we got our LI-SaaS authorization about a year-and-a-half ago, which opened up the marketplace to us and gave us the ability to bring on partners.
And then immediately realized that we needed to get into the next phase, which was moving up to FedRAMP moderate, which is where we are right now. We’re just about to achieve our ATO for the moderate level. And then, we are now again in this continuous monitoring cycle, which will be ongoing throughout the life of our time in the FedRAMP marketplace and bringing on more and more customers and having some really great conversations around the public sector and working with folks like InfoStride, who also bring so many amazing customers and experience to the table. Did I breeze?
Jodie Fiorenza:
Thank you, Peter. You did.
Peter Slutsky:
I breezed. Good.
Jodie Fiorenza:
Fantastic.
Peter Slutsky:
Good.
Jodie Fiorenza:
Yes. That was excellent. And I want to thank both of you actually for taking us through all that information. It was a lot. I just wanted to make sure we had some time for questions.
So, a couple quick reminders. If you haven’t already, please subscribe to the InfoStride mailing list to be notified of any upcoming webinars that they may be having and just to stay up-to-date on what’s happening. Also, if you’re interested in learning more about if FedRAMP is right for you, your business or maybe a customer you’re working with, Ritu and Peter are both available for questions at any time, even to consult with you to make sure that this is a right fit. One of the questions that we got in is, “What is NIST and how does it relate to FedRAMP?”
Peter Slutsky:
Yeah, okay. Do you want me to take that one?
Jodie Fiorenza:
Do it.
Ritu Mangla:
Yeah.
Jodie Fiorenza:
Get started.
Peter Slutsky:
Sure. So, NIST is another security control. FedRAMP is about equal or equivalent to NIST 800-53 standard. So, if you have a NIST requirement, FedRAMP can also cover that requirement for you, is the short answer.
Jodie Fiorenza:
Another question that came through, and Ritu, you alluded to this a little bit, but, “Does FedRAMP help with any kind of accessibility standards or compliance?”
Ritu Mangla:
It does, and I was going to talk about it as well that if you think you can be benefited from FedRAMP, let’s say, not everything, but accessibility part of it, we can provide assessment, not just a security assessment, but accessibility assessment, why your website needs it, why platform needs it, or product. We can build VPAT reports for you, so that you can decide whether FedRAMP can be a viable solution for you or not.
So, we’ll be happy to give that assessment anytime, if your business requires that, and then you can decide it forward. But absolutely, FedRAMP, definitely solve multiple problems, not just one. And accessibility, I feel is really, really big one there.
Jodie Fiorenza:
Another question that came in, and I think this is pretty interesting, “Do agencies themselves need any kind of equivalent certification like FedRAMP, or is FedRAMP specifically just for the hosting environment in this situation?” In other words, is there an equivalent for agencies that are working with the Federal Government?
Peter Slutsky:
No, it’s for cloud service. FedRAMP is specific to cloud service providers. So, it would be for companies like ours that have a platform or a cloud offering. Now, there are some agencies that have their own hosting, on-prem solution or they use their own cloud service, and they would probably be subject to FedRAMP. But for the most part it’s on the CSPs, and if you go to the marketplace, you can peruse and see the types of products and companies that are in the marketplace, those are the ones that would fall under the FedRAMP bucket.
Jodie Fiorenza:
Perfect. And we’re right on the dot at 2:30. I want to thank InfoStride and the entire team. You worked so tirelessly putting this all together and it really is greatly appreciated. We value partners like you so much, you have no idea. And Peter, thank you for taking time out in Mexico-
Peter Slutsky:
Of course.
Jodie Fiorenza:
… while you’re there, to join us today. This was fantastic and I think it just scratches the surface on what InfoStride and VIP can do together, having this FedRAMP certification.
For all of you that joined us today, thanks again for taking time with us. We’ll be sure to follow up with more information. And stay tuned for future webinars that will be coming, especially on this topic. Everybody, enjoy the rest of your day. Thank you.
Peter Slutsky:
Thank you.
Ritu Mangla:
Thank you.
Peter Slutsky:
Have a wonderful day.
Ritu Mangla:
Thank you, Jodie. Thank you, Peter. Bye-bye.
Peter Slutsky:
Bye-bye. Thanks.
Jodie Fiorenza:
Bye-bye.