New York, NY – TTEC is about to receive FedRAMP (moderate) certification in January 2020, and DoD IL4 certification a few months after that. How did they accomplish this esteemed status, and what does this mean for the future of the award-winning enterprise?
First, let’s define some terms. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that saves cost, time, and staff required to conduct redundant Agency security assessments.[1] The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond the common set of requirements established by FedRAMP.[2] Impact Level 4 (IL4) from the Defense Information Systems Agency (DISA) provides authorized contractors the ability to manage Controlled Unclassified Information (CUI), including Personally Identifiable Information (PII) and Protected Health Information (PHI). This also includes data requiring protection from unauthorized disclosure and other mission-critical data.[3]
TTEC is a leading global customer experience technology and services company focused on the design, implementation and delivery of transformative customer experience for many of the world’s most iconic and disruptive brands.[4] “Before Cloud was a big deal, we would install systems for Agencies, then we would make sure the systems were hardened and secure, and then the government would build the wall around the platform, so it was impenetrable,” explains Stephen Parowski, vice president at TTEC Digital. “Now, with the FedRAMP (moderate) we’re going forward with and the IL4 security accreditation we’re doing with the DoD, we’re building that same kind of infrastructure-as-a-service, but for cloud technology.”
So, what’s the big deal about getting these federal certifications? “We’re in the process of going through the FedRAMP Joint Authorization Board (JAB) authorization,” Parowski explains, “and what that entitles us to is, kind of, like the Good Housekeeping ‘Seal of Approval’ that people used to get on their appliances. But in this case, the JAB approval is a security authorization that’s formally approved by [the chief information officers of the] DoD, DHS, and GSA.” Ultimately, with these certifications, TTEC will be able to offer its solutions to all branches of the U.S. government at a lower cost and shorter approval time, since agencies will be able to procure the TTEC platform without a requisite audit. This cuts the approval period from an average of 9-12 months, down to about 90 days. Moreover, once FedRAMP and IL4 certifications are finalized, TTEC will be the only Cisco-based Contact-Center-As-A-Solution provider that is JAB authorized across the DoD, DHS, and GSA, giving them a tremendous competitive advantage in the industry.
The initiative to move beyond simple agency-sponsored status into FedRAMP and IL4 was spearheaded by TTEC’s chief information security officer, Paul (Kip) James. “We chose, kind of, the hardest route, and that was really Kip’s doing,” says Parowski. “He saw that as a way to lower our costs, and [enable] agencies to adopt our technology and our solutions faster.”
It has not been an easy journey. TTEC first began its FedRAMP authorization efforts in 2014, but the efforts really ramped up in 2018. “There has to be enough demand in the marketplace for the solution to warrant the government investing the time to secure and authorize the platform, and get all those [agency] CIOs and their support staff to sign off,” Parowski explains. “The first time [we submitted the business case], we didn’t have enough demand. We later added additional clients, and that created enough demand for the JAB to authorize us into the program.” Now, after years of hard work and persistence, TTEC expects to be FedRAMP authorized in January 2020.
Meeting the rigorous standards of scrutiny to achieve FedRAMP or IL4 status is no small task, especially for a company of more than 50,000 employees. On the infrastructure side of things, Parowski boasts, “TTEC’s contact-center-as-a-service platform for government is powered by Cisco, so the computers, the servers, the software, all of that is coming from a world-class company.” This close relationship with Cisco also covers the supply-chain security concerns for authorization, which requires traceability and accountability all the way back to the chip level.
Then, there’s the omnipresent concern about employee (end-user) vulnerability. Despite having over 50,000 employees, TTEC manages its systems with optimum security practices in mind. “Almost the entire stack of what we’re offering is not accessible via the internet,” Parowski asserts. “We believe that that type of solution, with our Cisco partner, makes it more secure, so that the number of cyber attacks and the ability to get into the system is much harder for an outside user. The number of people that have access [to the main platform] would be less than 50, and all of those authorizations are managed by our CISO and our SOC.”
Finally, there are physical security measures that must be in place to pass muster during the JAB approval process. TTEC has that covered, as well. At each of its data centers, there is a gated parking lot, a limited-access walkway with a turnstile, hardened doorways accessible only by key cards, a second room door requiring key access, and finally a cage within the data center requiring eye-scan and thumbprint verification.
With such beefed-up security, it naturally raises the question: “Why not go for IL6 authorization for top-secret systems?”
“I think it’s the [lack of] marketplace demand [at the moment],” says Parowski. “We want to walk before we run. We’ve entertained some bids for IL5 and IL6 for the Army, but we made a conscious decision that we’re not ready right now. We will revisit those opportunities in 2021, after our FedRAMP (moderate) and our DoD IL4 authorization, so that’s really our path forward from there.”
There is no doubt that the FedRAMP and IL4 certifications soon to be conferred upon TTEC will put the company head and shoulders above its competitors, and its team deserves major kudos for achieving this substantial undertaking. “I would say the team of individuals we have working on this secure platform are some of the best people I’ve worked with in the world,” Parowski concludes. “They are some of the smartest engineers and cyber guys. It’s been a heavy lift.”
Olivier Vallez, JD, MBA – Lead Writer/Cybersecurity Reporter
Olivier Vallez is a contributing writer for Cyber Defense Magazine, covering various cybersecurity topics and events. He is the Head of Business Development at The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic platform that distills complex cybersecurity information into fun and engaging superhero stories, and makes cyber hygiene easy-to-understand for non-technical people.
Gary Berman, Cybersecurity Reporter
Gary Berman is a contributing reporter for Cyber Defense Magazine. He was the victim of a series of insider hacks for several years until he made the pivot from victim to advocate. He is creator and CEO of The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic series that distills complex cybersecurity information into entertaining and educational superhero stories, making cyber hygiene accessible for non-technical people.
[1] Source: https://www.fedramp.gov/faqs/
[2] Source: https://compliance.salesforce.com/en/dod-il4
[3] Source: https://compliance.salesforce.com/en/dod-il4
[4] Source: https://www.ttec.com/about-us