We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

cFocus Software – Automating the Process of Securely Migrating U.S. Government Agencies to the Cloud

Gail Lobel Rand Technical Editor and Interviewer

Now that U.S. government agencies are required to migrate to the cloud, they must assure their information remains secure. And with many agencies having dozens, if not hundreds, of systems and limited manpower, manually fulfilling security requirements and continuing to monitor them for compliance is nearly impossible. cFocus Software’s proprietary software ATO (Authority To Operate) as a Service™, automates cyber security compliance, helping to get government agencies on the cloud quickly, effectively and securely.

Tell me a little about your background in IT and cybersecurity.

I went to Dartmouth College, and graduated with a BA in Mathematics in 1998. Right after school, I went to DC and worked for Optimus Corporation, a small business federal government contractor. I started at the help desk and after a few years, moved to their software development department. In 2006, I founded cFocus Software. We did a lot SharePoint work, and also provided certification and accreditation services for multiple IT systems within the Department of Defense. Along the way I earned several cybersecurity & Microsoft certifications including: Microsoft Certified Solutions Developer (MCSD) Azure Solutions Architect, Microsoft Certified Solutions Expert (MCSE) Cloud Platform, Certified Information Systems Security Professional (CISSP), Certified Penetration Tester (CPT), and Certified Ethical Hacker (CEH). We launched ATO as a Service™ this year to automate FedRAMP compliance for federal government IT systems in Microsoft Azure and Office 365.

Before we talk specifically about ATO as a Service™, can you please explain FedRAMP?

Sure, FedRAMP is the Federal Risk and Authorization Management Program. Basically, it’s a framework for implementing cyber security for federal government IT systems in the cloud.

What are the steps a system must go through to meet FedRAMP compliance?

FedRAMP is based on the Risk Management Framework which has 6 steps:

  1. Categorize the system as a low, moderate, or high impact system.
  2. Select the appropriate security controls for the system. There are baseline controls for low, moderate, or high impact systems. The higher the impact of the system, the more security control that need to be fulfilled.
  3. Implement the security controls for the system. These first 3 steps result in a System Security Plan (SSP) document.
  4. Assess whether the system fulfills the security controls. This is done by a third-party company that tests the system’s compliance with every single security control.
  5. Authorize the system. The authorizing official, typically the CIO of the agency, evaluates the system assessment, and decides if the risk of a system is sufficiently mitigated. If so, he/she issues an Authorization to Operate (ATO) for that system.
  6. Monitor the system. Once the system is operating on the cloud, it is important to assure continued compliance with FedRAMP as the system and its data evolves and grows.

How does ATO as a Service™ help government agencies achieve FedRAMP compliance?

ATO as a Service™ is a Software as a Service that helps government agencies automate and expedite FedRAMP compliance.  Specifically, ATO as a Service™ helps generate SSPs, and continuously monitors the systems in Microsoft Azure and Office 365.

Creating an SSP is a bear! Right now, it is a completely manual process. An agency would have to create a 900-1,000 page document - literally 1,000 pages! - for each system’s security plan.  With ATO as a Service™, we automate and expedite the process of generating the SSP.

ATO as a Service™ also automates and expedites the system’s monitoring, so that agencies don’t have to figure out and orchestrate all the different tools and services needed to come up with a continuous monitoring solution.  We take a portion of that away and manage it.

Now, we don’t automate the entire SSP generation or continuous monitoring processes, but we certainly make it much easier to complete these steps for your Microsoft Azure or Office 365 systems.

If ATO as a Service™ uncovers a vulnerability, does cFocus Software offer solutions to mitigate it?

As part of our continuous monitoring solution, ATO as a Service™ seamlessly integrates with third-party vulnerability assessment tools, which play a vital role in identifying and mitigating vulnerabilities.

What are some of the biggest challenges government agencies face when migrating to the cloud?

There are two major challenges we find with government agencies moving to the cloud. The first is a lack of resources. The agencies not only lack the funding necessary to move to the cloud, they are also lacking the expertise of their staff to design a solution to migrate and then to run their system in the cloud. The second major challenge is change management. Change management is the area people don’t often think about when it comes to running their system on the cloud versus running on-premises. It is a completely different model that requires a completely different set of expertise and policies and procedures.  Additionally, the way services in the cloud are purchased is very different from the way that government agencies typically buy services.

Why is Microsoft Azure your preferred cloud solution for government agencies?

We have been a Microsoft partner for 10+ years and have 2 Microsoft Gold certifications (Application Development, Collaboration and Content), so we have significant expertise when it comes to Microsoft services, and more recently the Microsoft cloud. Migration to Microsoft Azure is a natural progression for government agencies since many have already made a very heavy investment in Microsoft services prior to the cloud.

cFocus Software also creates government chatbots. How do you see chatbots evolving in the future?

Yeah, so in addition to offering ATO as a Service™, we also develop chatbots for government agencies. Chatbots are conversational apps that you interact with through text and talk.

I see chatbots and artificially intelligent personal assistants such as Alexa and Siri revolutionizing the industry at the same level as the point and click mouse did back in the 80s. In the future, you will no longer need to download or operate apps, you’ll just type or speak to your chatbot and it will follow your command.

Interviewer’s note: As if in agreement with Mr. Walker, despite thoroughly testing a recording app, my phone only recorded my side of our interview… Wouldn't it have been great if I could have just said "record conversation"?!

 

We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

About the Author

Gail’s first PC was a TRS-80 which required a cassette tape to boot up. In the decades that followed, she created and developed websites, emails, and banners as the perfect way to combine her love for design, technology, and writing.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address