What has twenty thumbs and received FedRAMP authorization in the last year? That’s right. It’s DevResults.
Our team has worked tirelessly over the last year to undergo rigorous security testing and receive authorization from the U.S. Federal Risk and Authorization Management Program. After many months of hard work — and with the support of our auditors, our agency colleagues, and the FedRAMP team — DevResults is officially FedRAMP authorized.
What did the process look like?
In short: a lot of paperwork.
We invested a huge portion of our time and resources. Our team spent a considerable part of that documenting our internal security processes and protocols and, where those processes weren’t robust enough, updating them to make sure they were in line with federal standards. Our engineering team focused on infrastructure updates and formalizing processes, as well as answering any number of questions from the auditors and our sponsoring agency as we moved through the process.
And then we did more paperwork based on those answers and updates.
So you chose to do all that paperwork? Why?
One of our main goals as a company is democratizing international development and humanitarian data. If you’ve worked with DevResults before, you’ve heard us talk about what this means, but you’ve probably heard about it in the context of our data structure. We’ve built our software to make sure that all indicator data is complete and comparable. But having complete and comparable data, especially in the contexts our clients work in, can be actively dangerous if it’s not also secure.
Investing our resources into making sure DevResults is as secure as possible — and then getting multiple external sources to verify that it is! — was a logical next step.
What does this mean for our clients?
For the most part: nothing is really changing for our users. We’ve always been transparent and tried to communicate clearly about everything we do, and we will continue to do so.
So what can you expect communication about?
- Every month, we hold an all-hands Security Day where everyone takes on security-related tasks, including fixing vulnerabilities found by our monthly external security scan, making sure all our software packages are up to date, manually spot-checking parts of the app for security issues that the scanner may have missed, and thinking through broader security questions that will help our users. We plan to host a webinar every month for anyone who’s interested in learning more about what we’ve done on that day.
- We’ll continue to update everyone on security fixes and upgrades we make via our release notes and blog. Here’s an example of a recent security-related fix.
- Once a year, we go through a rigorous penetration test (which assesses whether DevResults can fall victim to known vulnerabilities, whether we have any internal misconfigurations based on common attack vectors, and whether we leak any sensitive information, among other things). If your team ever needs the results of this test, please email us at firstname.lastname@example.org.
- Once a year, we’ll be conducting a FedRAMP audit to make sure we’re continuously aware of and adhering to the FedRAMP standards.
FedRAMP authorization is just one of the many ways we’re striving to keep your data safe and secure. If you have any questions, or would like to know more about our security processes, please reach out to us at email@example.com. Please also keep an eye out for an invite to our webinars!