Modernizing federal DevOps: CircleCI becomes first continuous integration tool with FedRAMP authorization
Chief Executive Officer
CircleCI is now authorized by FedRAMP (the federal government’s program for assessing and authorizing technology vendors), making CircleCI the first CI/CD tool to meet the rigorous security and privacy standards required by government agencies.
Previously, government developers were forced to rely on cumbersome, legacy continuous integration (CI) options that, while free, required too much overhead, were costly to maintain, and diminished productivity. Now, the government’s developer community can gain the same competitive advantage long available to the private sector, assured of the security and privacy controls that federal agencies require.
“Federal managers need to start thinking about the total cost of ownership for their development tools. If your team is spending time troubleshooting a ‘free’ build tool, then it’s not free. We chose CircleCI after trying several different build tools, ranging from totally free open source tools to managed services. CircleCI just works, and that means our team only has to focus on building better government services. The total cost of ownership is much lower for a service like CircleCI.”
- Ryan Hillard, IT Specialist/Systems Developer, Small Business Administration
Federal agencies like the Small Business Administration, General Services Administration, and the Department of Veterans Affairs are already leveraging CircleCI to automatically build, test, and deploy software every day. With this new authorization, the entire federal developer community now has access to the CI/CD tool trusted to run more than 12 million builds a month for some of the world’s most innovative companies, like Docker, GoPro, and Zenefits.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is an official U.S. government program that simplifies the purchase of cloud technologies to government agencies. The White House Office of Management and Budget developed FedRAMP in early 2010 as a way to standardize the security vetting process for the shift to cloud-first initiatives. Prior to that, each agency had its own standards and guidelines which created difficult and long timelines for teams to get access to technology.
FedRAMP has streamlined the security controls as a way to measure a company’s security and privacy posture against a common set of base guidelines. Whereas certifications like ISO27001 and SOC 2 Type II are developed and assessed by private auditing firms, government officials developed FedRAMP using NIST security controls as the common baseline.
Government agencies can manage risk by using the FedRAMP marketplace to identify tools that have already passed strict security and privacy requirements.
“Traditional approaches to securing federal IT systems focus heavily on assessing and responding to security issues just before ‘go live’. This model is costly and burdensome because identified security issues can result in rework and do-overs. Using automated continuous integration and continuous deployment tools such as CircleCI, we’re able to move cybersecurity requirements ‘left’ in the process to achieve a true ‘build security in’ model.”
- Beau Houser, Chief Information Security Officer at U.S. Small Business Administration
What was involved?
FedRAMP’s assessment of CircleCI for the low-impact SaaS LI-SaaS category included a complete inventory audit and assessment from network diagrams, to tables of third-party integrations, a master inventory of all infrastructure, and written responses to strict controls. The controls encompass a wide range of security protocols and examined CircleCI’s authorization of users, vulnerability scanning processes, and incident response. In essence, everything a federal Chief Information Security Officer should assess a new cloud vendor on.
After successfully completing the initial vetting in June, FedRAMP officials hired a third-party auditor (a former federal employee with a top secret security clearance) to visit CircleCI’s San Francisco headquarters. The auditor spent four days in July with CircleCI employees and thoroughly reviewed how each control is handled. Their findings were reviewed by a federal security team for analysis, whereby CircleCI was granted authorization.
CircleCI is now available on the FedRAMP Marketplace https://marketplace.fedramp.gov, and federal software teams can download a copy of the third-party assessment.
To set up a demo or speak with our government team, please contact us at government@circleci.com. To learn more about CircleCI’s partnership with top security organizations, view the government security page.