SFTP for FedRAMP: Compliance and Authorization Solutions

by Bob Ertl on June 17, 2021

Finding an SFTP server that’s FedRAMP authorized doesn’t have to be hard. We’re going to cover SFTP solutions that comply with FedRAMP requirements and maintain FedRAMP authorization.

Is SFTP FedRAMP compliant? SFTP is an SSH (secure shell) file transfer protocol that encrypts data being transferred. However, it is not necessarily FedRAMP compliant: organizations must take additional steps to ensure compliance.

What Is FedRAMP and How Does SFTP Fit into Compliance?

FedRAMP is a compliance framework that cloud service providers (CSPs) must adhere to when they partner with federal agencies. Any CSP, including those that offer storage, file transfer, email for FedRAMP, or SaaS services must comply with FedRAMP to respond to federal RFPs.

With that in mind, it’s critical that any file transfer solution, including SFTP solutions meet FedRAMP standards for users with federal agencies. SFTP isn’t necessarily compliant out of the box, however. That’s why you want to work with SFTP providers that can attest to their FedRAMP Authorization to Operate (ATO).

Sponsorships Available

Think about it this way: FedRAMP is broken into several security control families, as outlined in NIST SP 800-53. These families include controls that guarantee the physical security of a data system, appropriate authentication and access controls for those systems, or clearly defined processes for audit logs and documentation. Additionally, FIPS-140-2 dictates acceptable cryptographic standards needed to secure data stored in servers or transmitted over digital technology.

Alongside these security controls, NIST SP 800-53B also defines specific Impact Levels (Low, Moderate, or High) that outline exactly which controls a provider must adhere to, depending on the sensitivity of the data they will hold or manage.

So, for example, if you’re working with an SFTP or Managed File Transfer (MFT) provider, then they will have to meet the minimum FedRAMP requirements for handling data as called for by your federal partnership. If a federal agency calls for Moderate Impact baseline or higher, then it’s necessary for your SFTP provider to also meet that level at minimum.

With these requirements in mind, it’s important to set a baseline with these control families so that you know the bare minimum security you need just for compliance. Note that you’ll most likely want to have additional security measures in place depending on your operations and industry.

How Does SFTP Benefit Your Business?

In terms of compliance and general security, SFTP is a critical and important part of any company’s security posture. Some of the major benefits include:

Secure file transmission: SFTP encrypts data during transmission. This protocol utilizes Secure Shell cryptography to encrypt data during transmission to facilitate the transfer of large files while maintaining privacy.
Efficiency and speed: Even though encryption is part of the process, SFTP is still able to support the rapid transfer of large files or a large volume of files through bulk transfers. SFTP, however, provides the bare minimum in security, whereas FedRAMP often requires much more. The Kiteworks® Platform provides hardened SFTP configured to support your FedRAMP security.
Hardware-agnostic: SFTP is an open protocol with high-level encryption, which means that it can integrate with almost any platform, and can serve as the backbone for many different technical configurations. This means that a provider can offer SFTP either as a standalone product or as part of a more comprehensive MFT solution.

Is SFTP FedRAMP Compliant?

Out of the box, not necessarily. Secured SFTP servers must be configured with FIPS-compliant algorithms, ciphers, and certificates.

Additionally, FedRAMP authorization has several requirements for security that go beyond encryption. These include:

Physical security: All data centers, servers, devices, and workstations must have physical access controls in place to protect data, including security cameras and authorization standards to keep unauthorized people away from sensitive information.
Administrative controls: Companies must have training and management procedures in place to ensure compliance and security within a FedRAMP-compliant system.
Documentation and audit logs: All levels of FedRAMP compliance have some sort of reporting and audit logging for FedRAMP. SFTP on its own does not include this kind of logging, even though some configurations come with logging built-in.

This being said, while SFTP isn’t compliant as-is, it is an important part of many compliant solutions.

A properly configured SFTP server with logging and audit trails, proper encryption, and the correct physical and administrative safety measures in place can help you be compliant–but it costs a lot of time and effort to get that way. Your SFTP provider will have undergone extensive auditing, remediation and continuous monitoring and maintenance to receive their ATO. For that effort, you get a solution that can support your contracting work in the federal agency market.

When you are looking for a compliant solution, you have to take into account that there is an additional infrastructure that surrounds the SFTP tool to make it compliant. Additionally, many out-of-the-box solutions are not enterprise-ready. That is, they don’t have useful or necessary aspects like GUI interfaces or easy integration with existing file management systems.

FedRAMP SFTP Solutions with the Kiteworks® Content Firewall

Accellion offers SFTP server as part of the Kiteworkes platform, alongside secure email, secured shared folders and Teams attachments and several options for data management and analytics.

Both solutions provide more than just SFTP capabilities: both are compliant with FedRAMP Low and Moderate Impact Level security, which means that you can use them if you are a federal agency or contract with a federal agency and handle sensitive but unclassified information.

With the Kiteworks platform, you additionally enjoy access to enterprise-grade managed file transfer technology, including advanced logging capabilities, log analytics and a CISO dashboard for all file transfer, administrative tasks and system activities.

Across both these solutions, Accellion commits three major priorities to partners and clients using SFTP server or Kiteworks:

Compliance: Accellion SFTP and kiteworks are FedRAMP compliant, from servers to personnel and encryption. That means that agencies and contractors handling data that fits into Low and Moderate Impact levels are well served by our platform.
Security: True security isn’t just about checking compliance boxes. We provide real security above and beyond compliance to guarantee that your data remains secure on the server and during transit.
Data Visibility: SFTP is fast, available, and accessible. With Accellion, you can easily get started with a secure and compliant transfer solution that meets requirements while integrating with your compliance needs, specifically around auditing and documentation, to help you better understand where your data is going and who is accessing it.
Dedicated Cloud Servers: We provide dedicated servers for private or hybrid cloud environments. This means more security due to not sharing server tenancy with other users.

With the Kiteworks platform, you’re getting more than just a secured file transfer and management tool. You’re getting a compliant and accessible data solution that can bring enterprise-level file sharing to your agency or government-adjacent business.

Additionally, you get a tool that your entire organization can use. From the back end to an employee in an office in front of a workstation, they can interface with the Accellion system to easily and securely transfer files.

If you need a cloud file transfer and data management platform for your federal contract work, learn more about Kiteworks and file transfer with our eBook, Modernizing Enterprise SFTP.