Last week we announced that the BlackBerry® Government Mobility Suite (BGMS) had achieved Federal Risk and Authorization Management Program (FedRAMP) certification. For those of you unfamiliar with the government space, BGMS is a cloud-based endpoint management solution developed specifically for U.S. government agencies. It provides end-to-end protection for the most sensitive data and gives authorized users secure access to agency applications and data residing behind government network firewalls.
BGMS joins BlackBerry’s portfolio of FedRAMP-authorized cloud products that include BlackBerry® AtHoc® crisis communication and BlackBerry® Protect endpoint security solutions. To date, BlackBerry has received 14 Authorities to Operate (ATOs) from Federal agencies including the Department of Energy, the Department of Homeland Security, the Consumer Financial Protection Bureau, the National Science Foundation and the Office of Personnel Management. The BGMS FedRAMP certification is a significant milestone for our company, and here’s why…
The BGMS FedRAMP Authorization Journey
In 2017, many U.S. Federal Agencies were starting to move from on-premises IT solutions to commercial cloud offerings of software and infrastructure as a service. A key element for this transition was the requirement for the commercial cloud solutions to achieve FedRAMP authorization, a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
FedRAMP requires that Cloud Service Providers create and manage a core set of processes to ensure effective, repeatable cloud security for the government. With the extensive U.S. Federal use of BlackBerry UEM on-premises solutions, the BGMS project was initiated to ensure existing and new customers would have a FedRAMP-authorized commercial cloud solution to transition to.
The BGMS project was formally initiated in early 2018 and key initial phases included a detailed gap assessment to compare the BlackBerry UEM commercial cloud product against core FedRAMP requirements. Numerous members of the EBU and GTS teams participated in a multi-month gap assessment which was led by Coalfire, our FedRAMP consultant, to identify any areas where our UEM solution or core business processes did not meet baseline FedRAMP requirements.
Numerous technical requirements were identified in the areas of cryptography, the need for supported Open Source Software, and changes needed for compatibility with the Microsoft Azure Government Cloud that would host the BGMS solution. While EBU initiated development of the needed product upgrades, GTS and the U.S. Cyber Security Operation Center team started development of the hundreds of pages of documentation that detailed how BGMS and our BlackBerry cybersecurity and business processes met the 300+ controls required for a FedRAMP Moderate authorization.
Achieving the FedRAMP Goal
After over a year of significant effort by EBU, GTS, and the CSOC team, BGMS underwent a FedRAMP Ready assessment by Kratos, our 3rd Party Assessment Organization (3PAO), to demonstrate that the core BGMS solution was well on its way for the full FedRAMP assessment. BGMS attained FedRAMP Ready status in June of 2019. Along the way, the BGMS team overcame numerous challenges including new FedRAMP requirements such as DNSSEC and the need to conduct penetration testing on the UEM mobile client.
The full FedRAMP assessment was completed by Kratos in the fall of 2019 and the 600+ page package was submitted to ICE and then the FedRAMP Program Management Office (PMO). Several additional requirements were identified during the formal reviews by ICE and the FedRAMP PMO, and the BGMS team addressed them immediately.
After two years of development and extensive documentation, BGMS achieved the full FedRAMP Moderate authorization in early May 2020. A broad range of marketing materials have been developed and released by the EBU Product Introduction team and our corporate communications staff. The U.S. Federal sales team is already fielding inquiries on BGMS from existing and new Federal customers.
BlackBerry: Intelligent Security. Everywhere.
BlackBerry is committed to serving our federal government customers with FedRAMP certification, so we established the BlackBerry U.S. Cybersecurity Operations Center (CSOC) in Washington, D.C. The CSOC, staffed with U.S. citizens, is focused on providing the best level of service for BlackBerry government customers and will oversee all FedRAMP security functions, required monthly reporting, and annual reassessments.
The BGMS effort was truly a whole-company effort. EBU and GTS have delivered an exceptional FedRAMP product which forms the baseline for other BlackBerry Spark® Suites elements to be introduced into the BGMS environment and offered to our Federal customers.