As a government chief information officer (CIO), you are responsible for vetting your agency’s technology purchases.
In most cases, you are not the agency’s stakeholder actively looking for a policymaking platform to add to the tech stack. Neither will you be the end-user creating, managing and publishing policies on a daily basis. But if your agency is going to procure policy and procedure software, you need to be brought in.
We know you might have reservations:
- Why can’t the staff use the tools the agency already has?
- How will this new software integrate with the existing tech stack?
- Is this platform secure? Won’t it make the agency susceptible to breaches?
Cybersecurity is the number one priority for state CIOs in 2023, per the National Association of State Chief Information Officers (NASCIO). You don’t want your agency to make headlines for being hacked. Neither do we.
In this article, we explain why Esper’s policy and procedure software is a safe option for your government technology stack. We go over our comprehensive system security plan, compliance certifications and robust platform safeguards.
To learn why governments need to modernize their policymaking system, read our guide.
Bringing the CIO’s office on board
In technology procurement, the vetting process refers to the comprehensive evaluation and assessment of a potential solution or vendor before making a purchasing decision. Aspects examined might include functionality, compatibility, reliability, scalability, cost-effectiveness and alignment with the organization’s goals and requirements.
Security is also a key component of this vetting process. Because of the type of data they hold, governments are a prime target for attackers, especially nation-state threat actors. A cyberwarfare report from Armis found that 39% of government respondents had seen more threat activity on their networks in the previous six months.
As part of its technical assessment, the IT department will try to determine whether the solution has the appropriate controls in place to protect sensitive information from unauthorized access, misuse or disclosure.
Check our blog post for an in-depth look at how government software procurement works.
Empowering IT with a comprehensive system security plan
During IT vetting of new government technology, it’s common for agencies to have their own questionnaire they want filled out, covering system requirements, security features and so on. Other agencies ask vendors to provide their own documentation instead, such as a system security plan and compliance assessments.
For both cases, Esper has you covered. But we can also meet with your team face-to-face. In fact, during the IT vetting process with the New York Police Department (NYPD), we completed an architecture review board presentation. Different stakeholders were able to vet our infrastructure and security collectively during the meeting. Since then, the NYPD—the largest police department in the U.S.—moved all of its policy activities into the cloud with Esper.
Guiding agencies through FedRAMP and StateRAMP processes
Esper is ready for the Federal Risk and Authorization Management Program (FedRAMP). Not only do we have rigorous controls in place, but we can also provide extensive documentation, such as network diagrams and system descriptions, to help you understand our security posture. We are also StateRAMP ready. Note that readiness is not the same as an authorization: before relying on either program, ask the vendor for its current status as listed in the FedRAMP Marketplace or the StateRAMP Authorized Product List.
While FedRAMP applies to federal agencies, StateRAMP is designed for state and local governments. Both programs provide a standardized approach to security assessment, authorization and continuous monitoring of cloud products and services.
Since we are familiar with and prepared for these assessments, we can help our agency partners navigate these requirements. In other words, your team benefits from our government cloud security know-how. Even if your agency doesn’t require FedRAMP or StateRAMP compliance, partnering with SaaS vendors that are ready for those programs gives you the confidence that you are making a safe GovTech choice.
As part of our continuing commitment to industry standards, regulations and security best practices, we are now pursuing a SOC 2 attestation, too. SOC 2 is an AICPA framework for assessing and reporting on the effectiveness of a service organization’s internal controls related to security, availability, processing integrity, confidentiality and privacy. We will have our SOC 2 report available in October.
Keeping your data safe in the government cloud
One of the key concerns of government agencies is ensuring that their data is handled securely. Esper’s policy management platform uses industry-standard encryption to protect data both at rest and in transit. Backups are maintained in multiple geographic locations for redundancy.
As a cloud-based SaaS platform, Esper leverages Amazon Web Services (AWS) to host its data. For users, a cloud solution means the convenience to access the platform from any connected device. For IT and agency leaders, SaaS provides the scalability and agility needed to streamline operations. No wonder Gartner forecasts that, by 2025, service solutions will account for 95% of new IT investments made by government agencies.
Working with AWS also means that Esper benefits from a resilient infrastructure. AWS provides baseline security features aligned with zero trust principles, along with a comprehensive set of security compliance programs and certifications, including SOC and FedRAMP. Under the cloud shared responsibility model, those AWS certifications cover the underlying infrastructure; the configuration and security of the application layer remain Esper’s responsibility, which is what our own system security plan and assessments document.
To learn more about our partnership with the world’s leading cloud platform, read our interview with Brian Galloway, Solutions Architecture Security Leader for U.S. Education, State and Local Government at AWS.
Offering strong security controls for government agencies
Esper supports role-based access control (RBAC), so our customers can configure fine-grained permissions. Based on their roles, users have different privileges—and can take different actions in our policy and procedure software.
Thanks to System for Cross-domain Identity Management (SCIM) provisioning, you can configure mappings between your directory’s security groups and Esper roles, so that users are automatically activated when they onboard and deactivated when they offboard. As a result, IT can manage Esper accounts from the identity provider without having to log into the platform.
Other security safeguards in Esper include:
- Single sign-on (SSO), which enables users to authenticate once and gain access to multiple resources without the need to re-enter their credentials.
- Multifactor authentication (MFA), which requires users to present two or more different types of authentication factors to verify their identity.
- Activity logs, making it easier to track users and their actions in the platform. Logs are available within the application and over SFTP.
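Here is an added example (not Esper’s code, and not a description of Esper’s SCIM endpoint, whose attribute names are not given on this page) showing in Python how a group-to-role mapping drives SCIM 2.0 provisioning. It diffs a directory’s group memberships against the users an application exposes at a SCIM /Users endpoint and produces the create, role-update and deactivate requests needed to converge the two. The group names, role names, user records and request format are constructed for illustration; the schema URNs and the PATCH shape are those of the SCIM 2.0 RFCs (7643 and 7644).

```python
import json

# SCIM 2.0 schema identifiers from RFC 7643 / RFC 7644.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Hypothetical mapping of directory security groups to application roles.
# Groups that are not listed here grant no access at all.
GROUP_TO_ROLE = {
    "GG-Policy-Authors": "author",
    "GG-Policy-Approvers": "approver",
    "GG-Esper-Admins": "admin",
}

# Constructed sample data: what the identity provider knows ...
IDP_USERS = [
    {"userName": "alice", "groups": ["GG-Policy-Authors", "GG-Policy-Approvers"]},
    {"userName": "bob", "groups": ["GG-Esper-Admins"]},
    {"userName": "carol", "groups": ["GG-Finance"]},  # lost her policy groups
]
# ... and what the application currently reports from GET /Users.
APP_USERS = [
    {"id": "u-1", "userName": "alice", "active": True, "roles": [{"value": "author"}]},
    {"id": "u-3", "userName": "carol", "active": True, "roles": [{"value": "author"}]},
    {"id": "u-4", "userName": "dave", "active": True, "roles": [{"value": "admin"}]},
]


def roles_for(groups, group_to_role=GROUP_TO_ROLE):
    """Roles a user is entitled to, derived only from mapped groups."""
    return sorted({group_to_role[g] for g in groups if g in group_to_role})


def patch(user_id, attr, value):
    """Build a SCIM 2.0 PATCH request replacing one attribute (RFC 7644 3.5.2)."""
    return {
        "method": "PATCH",
        "path": f"/Users/{user_id}",
        "body": {
            "schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": attr, "value": value}],
        },
    }


def plan_provisioning(idp_users, app_users, group_to_role=GROUP_TO_ROLE):
    """Diff directory state against the application's users and return the
    SCIM requests that converge them. Departed users are deactivated, never
    deleted, so activity logs keep pointing at a resolvable account."""
    by_name = {u["userName"]: u for u in app_users}
    entitled = {u["userName"]: roles_for(u["groups"], group_to_role) for u in idp_users}
    requests = []

    for name, roles in entitled.items():
        if not roles:
            continue  # no mapped group: handled as a departure below
        existing = by_name.get(name)
        if existing is None:  # onboarding: create an active user with roles
            requests.append({"method": "POST", "path": "/Users", "body": {
                "schemas": [SCIM_USER], "userName": name, "active": True,
                "roles": [{"value": r} for r in roles]}})
            continue
        if not existing.get("active", False):  # rehire: reactivate
            requests.append(patch(existing["id"], "active", True))
        current = sorted(r["value"] for r in existing.get("roles", []))
        if current != roles:  # role drift: replace the role set
            requests.append(patch(existing["id"], "roles", [{"value": r} for r in roles]))

    for name, existing in by_name.items():
        # Offboarding: active in the app but absent from, or unentitled in, the IdP.
        if existing.get("active", False) and not entitled.get(name):
            requests.append(patch(existing["id"], "active", False))
    return requests


if __name__ == "__main__":
    for req in plan_provisioning(IDP_USERS, APP_USERS):
        print(json.dumps(req))
```

Run against the sample data, the plan updates alice’s roles, creates bob, and deactivates both carol (still in the directory, but in no mapped group) and dave (gone from the directory entirely). Real SCIM connectors behave the same way on an identity provider’s schedule; the point to verify during vetting is that removal from the security group, not just deletion of the directory account, is enough to revoke access.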
Empowering your team with Esper
With Esper’s 100% cloud approach, we make the entire launch process lightweight and flexible to your agency’s needs. No downloads, installations or other heavy-duty implementations are required.
Even though the adoption of a new GovTech solution might require a learning curve, it doesn’t need to be a burden for the IT department. As part of Esper’s implementation process, our Professional Services team trains your end-users on how to use the platform and administrators on how to configure roles.
We are more than a software vendor. Think of us as your partner in driving your agency’s digital modernization. Get in touch with our team and let’s chat more about why Esper is a safe choice for your agency’s policy and procedure software needs.