FedRAMP is one of those squashed-together government acronyms that most laypeople will never be privy to. It stands for the Federal Risk and Authorization Management Program, which empowers agencies to use modern cloud technologies to securely handle federal information – which, as you can imagine, is some of the most sensitive data in the world.
FedRAMP has been somewhat of an enigma for CMS and DXP software solutions and how they’re hosted. Don’t get me wrong, there are a plethora of compliance requirements platforms already wrestle with satisfying (think about the rise of CCPA or HIPAA). However, as more federal agencies are requiring FedRAMP for specific applications, platforms are having to weigh the challenges of attaining this benchmark against the potential rewards of serving federal customers.
Speaking of rewards, it’s worth noting that the U.S. federal government is the world's largest single purchaser of goods and services, clocking in at almost $700 billion. IT represents a big piece of that pie, almost $80 billion (not including the DoD). And it’s growing rapidly, particularly as more agencies modernize and digitize their legacy systems with cloud-based technologies.
Earning FedRAMP status is an exceedingly arduous process, requiring meticulous documentation, third-party audits and assessments, and continuous monitoring once achieved. From an investment perspective, the cost of compliance can range from tens of thousands to millions of dollars – and take up to a year or more to complete.
Ugh. Not for the faint of heart.
So what’s driving this drift to FedRAMP? It’s simple: federal agencies want the same best-of-breed solutions and access to cutting-edge services. Sure, the goals might differ from commercial entities; the public sector’s motive is to support critical functions for constituents like emergency response in the aftermath of a hurricane. But the opportunity is huge, particularly as federal agencies build applications that leverage open source technologies like Docker, Kubernetes, and other scalable frameworks.
For a quick primer on FedRAMP, you can find a library of resources from the agency on its YouTube channel.
FedRAMP’s requirements might seem draconian to some, but there’s a lot at stake. Just ask the Department of Defense about its security clearance protocols. It’s a perilous world with lots of bad actors, so cloud solutions trusted by the federal government have to be put through the wringer – things like 3PAO readiness and FIPS 199 assessments that govern how data is stored and transmitted.
It’s not very glamorous stuff, but nonetheless crucial to safeguarding government data and maintaining operations.
With such high expectations – and potentially high costs – it’s no wonder that enterprise vendors are typically the platforms to achieve FedRAMP status. There are certainly a few methods for fast-tracking the journey, but larger DXPs are in a class that enables them to attain these standards. Consequently, it creates a smaller pool of available options, making it a key differentiator for winning long-term contracts that can be, in a word, lucrative.
To meet these opportunities head-on, Acquia just announced that its Acquia Cloud Next has achieved FedRAMP Authorized status. With this benchmark, the open digital experience platform has reinforced its commitment to serve the public sector as the only commercial Drupal hosting company to meet U.S. federal government security standards.
“Acquia is fully committed to delivering the industry’s strongest assurances around Drupal security, scalability, and performance for our federal customers,” said Robert Former, Chief Information Security Officer at Acquia. “At the same time, upholding the industry’s most stringent information security and reliability standards benefits all organizations who operate on Acquia technologies, whether in the public or private sector, that require the highest levels of security.”
Acquia Cloud Next is an enhanced, Kubernetes-powered version of Acquia Cloud Platform, a market-leading Drupal hosting platform. It synthesizes Acquia’s innovation with key technologies powered by Amazon Web Services (AWS). Built for speed, security, and resilience, Acquia Cloud Next sports a self-healing infrastructure that continuously and automatically monitors application uptime and performance.
No matter the size or breadth of an enterprise's demands, Acquia Cloud Next provides a number of key benefits, including fast dynamic auto-scaling to handle traffic spikes. It also detects failures, reroutes traffic, and dynamically scales experiences to deliver optimal application performance – with no need for human intervention.
With Kubernetes in the mix, Acquia Cloud Next leverages container orchestration that enables maximum scalability, security, and resilience to mitigate unexpected risks. By partnering with AWS security experts, the Cloud Next infrastructure is automatically patched and routinely scanned to maintain the highest levels of protection for applications – a key requirement for FedRAMP.
One of the benefits of achieving FedRAMP status is being listed on the exclusive FedRAMP Marketplace, a browsable repository of approved cloud services available for federal government use. FedRAMP Marketplace supports the operational resilience needs of dozens of federal agencies, giving buyers a portal to confidence when evaluating software solutions. You can now find Acquia Cloud Next in the Marketplace, joining a fraternity of authorized solutions.
Since FedRAMP's founding in 2011, an adage has emerged within its lexicon: “Do once, use many times.” In the spirit of this axiom, the FedRAMP framework strives to provide a standardized approach to security assessment – meaning that once an organization has been authorized, other federal agencies can use the same assessment results for rapid and cost-effective procurement of information systems and services.
Acquia has long invested in the concerns of modern security practices, working diligently to stay ahead of threats and give content ops teams greater confidence in their technology. In addition to FedRAMP, Acquia’s information security program also helps customers operate in a cloud environment that complies with a wide array of industry standards and regulations. This includes ISO 27001, HIPAA, SSAE18/SOC 1/ISAE-3402, SOC 2, and PCI-DSS.
Government agencies are notorious for implementing regulatory and compliance hurdles, often in reaction to a crisis (Sarbanes-Oxley, for example). These hurdles create headaches for vendors but also opportunities. As security and data privacy continue to be weak links in the chain for technologies of every kind – including content management and DXP platforms – reinforcing standards and best practices is critical.
While WordPress certainly has a footprint within the U.S. public sector, Drupal is more widely used among federal agencies. There are several reasons for this, like an abundance of highly performant modules or security designed to protect personally identifiable information. Above all, it’s open source, meaning the licensing is free and flexible. These have all made it an attractive go-to for websites and applications.
Of course, it needs to be hosted somewhere reliable, and using highly scalable solutions is a basic tenet in a world where traffic can spike on a dime during a crisis. This is where Acquia has excelled, partnering with a trusted cloud provider like AWS – which has invested heavily in federal compliance around its own services – to provide an innovative hosting environment to meet this mission-critical benchmark.
And by embracing a container-based framework powered by Kubernetes, Acquia is meeting the needs of agencies like the U.S. Navy, which has been hyper-focused on leveraging cloud solutions with an open source stack built on Kubernetes, Docker, and other highly scalable services. In fact, they're using this mix to power other exotic initiatives like DevSecOps on F-16s and battleships. I'd say that's as mission-critical as you can get.
Government data can be just as vulnerable as commercial, and solutions with a FedRAMP status bring peace of mind to the evaluation and purchasing process for agencies. In a competitive field, offering FedRAMP solutions has also become a key differentiator, one where a DXP like Acquia can establish a stronger case for hosting Drupal workloads and accessing its services.
At the end of the day, it also reinforces the core federal policy foundation of achieving efficiency, transparency, and innovation through reusable and open source software.