FedRAMP and its importance for Procurement
In the world of procurement, the Federal Risk and Authorization Management Program (FedRAMP) is becoming more important and relevant with each passing year. Recently, John Wookey, President of Intelligent Spend and Business Network at SAP, announced that SAP NS2 has accelerated the plan to offer SAP Ariba solutions to government and regulated industries customers. While deploying business applications hosted in a cyber secure data center, managed by US citizens on US soil is a necessary condition, it may not be a sufficient one to meet all requirements.
FedRAMP and other regulatory requirements
FedRAMP authorizations can help companies meet, to varying degrees, the requirements required by a plethora of legislation such as DFARS, ITAR, CMMC, etc. Depending on the user industry, customer base, and products, different regulatory and compliance requirements will be in play, some of which may be overlapping. As businesses migrate from on-premises solutions to the cloud, it is particularly important to take a look at how each unique segment of the business process in the end-to-end value chain complies with the various regulatory requirements. In a networked digital economy, where buyers can be held accountable for the compliance aspects of their suppliers, it is extremely crucial that data be protected as an asset.
Capabilities required for compliance
In procurement, transactions between the buyer and supplier straddle multiple systems. Inviting a new supplier to transact involves developing capabilities in multiple areas such as identifying, credentialing, and access management. Multifactor authentication is crucial where interoperability across different systems is involved. Capabilities in secure collaboration, involving secure email, secure file sharing and content collaboration, need to be in place. Sensitive document management between the buyer and supplier is an integral part of compliant procurement systems. Risk management across the end-to-end supply chain is required for a secure Source-to-Pay platform. Such capabilities are achieved via multiple mechanisms, such as leveraging certified infrastructure providers along with appropriate internal organizational processes and structures, and leveraging partnerships with certified cloud service providers for extensions.
Procurement processes in the organization involve goods and materials, as well as collaboration information. Some common use cases and scenarios that need to be vetted for cybersecurity and compliance include: when a supplier, as a foreign entity, is providing goods to the buyer for an international destination, export and import occurrences, and exchange of sensitive design documents or details in the Purchase Order to the supplier, etc.. Supplier users logging into a portal to perform necessary activities for order management or buyers conducting transactions on a network requires appropriate and consistent user management and access control. Such use cases not only require continuous monitoring of security authorization, but also incident response and contingency planning. Best practices and standards in procurement system auditing and accountability need to be observed. Documents such as invoices, shipment notifications, inventory reports, purchase orders, etc. need to have appropriate encryption and security, both in transit and at rest.
Journey to achieve compliance
For organizations that have decided to proceed with compliance, it is crucial to comprehend that this involves massive implications with respect to people, process, and technology. The journey may be long and arduous, but the rewards are definitely worth it.