FedRAMP Compliance: Beyond the Letter of the Law

June 13, 2017

When I mention “compliance” to most people, I often get that cringe -- the one that says “ugh, what a pain.” I’m empathetic to folks who are just trying to get the job done, and whose only interaction with compliance is being told somewhere along the line that they have got to jump through more hoops. But having lived information security for several years, and having previously had some experience with risk frameworks and compliance efforts, I’ve developed a different viewpoint.
My colleagues in security immediately understand and connect with the statement that with compliance, "there is the letter of the law and the spirit of the law." They comprehend this divide deeply, because for many it is the difference between a successful security program (and sometimes security job) and a failing one. We become experts not just at risk management and security best practice, but also at seeing through the lip service and fluff that accompany an organization’s check-the-box mentality. Without strong leadership and executive buy-in, we see those organizations consistently and unnecessarily struggle against security, and eventually pay the price. The true spirit of compliance flows from, rather than blindly drives, secure practice. Compliance provides guidance, but if that guidance is watered down, minimized or avoided, it means that the culture and awareness of why we practice security was never there to begin with.

Before joining Centrify in 2014, I spoke with its CFO, VP of Cloud Operations and the Senior Director of Engineering, and in each of those conversations we discussed security and compliance. In each one I looked for the posture: was this company just another trying to “fake it,” or was Centrify really promoting a culture of security? The response spoke volumes, and I took the job. My experience here over the last two years has validated my assessment.

I not only have the chance to implement and work with innovative identity management tools; I’m also involved in team efforts around security and compliance, dealing with topics including operational key management, advanced threats, policy and practice, and product management discussions about which features can be leveraged by our customers to bolster their own environments and programs.

Which is why I am so pleased to announce that Centrify is pursuing its next goal in this area: FedRAMP compliance. We have completed our gap assessment and are entering the final stage as we prepare for audit and certification. Centrify has a strong background and experience with compliance frameworks such as Common Criteria, SOC 2, FIPS and NIST. FedRAMP compliance is a natural extension, and will be another way to give both federal agencies and private sector organizations assurance that the spirit of security and compliance is alive and well at Centrify.

For more information on Centrify’s federal compliance initiatives, see here.

Also please see Centrify’s Trust Statement, which includes certifications held by Centrify and our third parties.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.