Surprise, surprise… public healthcare and its supply chain face just as many challenges as the commercial sector. While the two sectors differ, there is no denying that both have always been under an immense amount of pressure, with or without the additional strain of COVID-19. But the question is: are the challenges of the government supply chain really that distinct, or can commercial sector solutions adapt to meet public sector needs?
After evaluation and some firsthand experience, the pressures that public and commercial health systems are under appear strikingly similar:
- Become more user-friendly
- Create responsive protocols and technologies
- Respond efficiently
- Provide visibility
These needs have been seen before, and they have found solutions. In 2017, Prodigo Solutions examined its success in the commercial healthcare industry and quickly concluded that its supply chain solutions and services could be advantageous to government healthcare organizations – federal, state, and local. This article highlights how swiftly a company can become Federal Risk and Authorization Management Program (FedRAMP)-certified, obtain an Agency Sponsored Authority to Operate (ATO), and deploy a FedRAMP-authorized vendor solution with the proper planning, execution, and discipline.
This journey would require a major transformation from commercial sector processes and procedures. According to FedRAMP, “If you have a Cloud Service Offering (CSO) that is in use by the federal government, you should be thinking about obtaining a FedRAMP authorization. Per an OMB memorandum, any cloud services that hold federal data must be FedRAMP-authorized.” Formed 10 years ago, FedRAMP states that, “FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” To date, there are more than 200 FedRAMP-authorized cloud products and more than 1,500 participating federal agencies.
Any organization looking to become FedRAMP-certified must first select an authorization type: ATO, which is granted by a host agency that will utilize the solution or service; Joint Authorization Board (JAB); or Tailored for Low-Impact Software-as-a-Service (LI-SaaS). FedRAMP suggests choosing based on the “system’s impact level, deployment model, stack, and market demand.” Prodigo began its assessment process with the FedRAMP ATO security requirements in the hope of understanding the current cybersecurity environment and taking the necessary steps to meet and exceed industry standards and guidelines. The goal was to programmatically and operationally meet the security controls and guidance outlined in the National Institute of Standards and Technology (NIST) documentation to secure the application code and functionality as well as the customer data stored in the Prodigo system. A part of the U.S. Department of Commerce, NIST seeks “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” Obtaining and maintaining a government ATO shows a commitment to securing this data and reduces the risk of a malicious cybersecurity incident that could compromise the information system and result in loss of confidential data.
The Prodigo security team started the process by putting together a plan to address the requirements in the NIST guidelines. Many of the NIST requirements involved were new to Prodigo’s platform; adopting them added support for current government clients, such as Veterans Affairs, and would capture the interest of future healthcare agencies. Prodigo enlisted the help of one of our partners with extensive expertise in FedRAMP requirements to advise on the nuances of documentation and specific technical requirements and to help guide the team through a swift execution. As the plan developed, Prodigo moved the focus to specific documents, processes, and procedures that aligned with the FedRAMP security requirements.
Throughout the latter part of 2017 and 2018, Prodigo completed the necessary documentation, updated policies, and implemented new operational, security, and technical procedures to meet the FedRAMP requirements, but realized it also needed to host the solution with a FedRAMP-authorized Cloud Service Provider (CSP). Years of experience in commercial cloud hosting significantly helped the team navigate this new, complex environment. This expertise prepared the team to properly plan and research potential hurdles in advance, so that risks and barriers in the deployment of a new data center could be mitigated. Planning and preparation are critical to success, but to be successful in the public sector – particularly in the cybersecurity space – detailed planning is essential to reduce the time it will take to get to a certification or an ATO.
In 2019, Prodigo partnered in its first government contract with Veterans Affairs. Under the agreement, Marketplace, Prodigo’s supply and purchased services management platform, was implemented as Software as a Service (SaaS). Prodigo was well-positioned to deploy the solution in a FedRAMP CSP, and after the initial ATO was granted, Prodigo was able to move forward with the project deliverables ahead of schedule, which gave the government agency access to its data through our solution much earlier than expected.
The FedRAMP authorization process started after securing the ATO and, shortly thereafter, Prodigo received its FedRAMP authorization. As a result of detailed and diligent planning and preparation, the initial ATO was secured eight months after the project kick-off date – an authorization that often takes more than a year to obtain. Prodigo’s Marketplace now has a three-year FedRAMP authorization and Prodigo is a FedRAMP-authorized vendor, meaning Prodigo is the first, and currently only, healthcare supply chain solution to be granted FedRAMP authorization. The Prodigo technical team now has the training, resources, and experience to detect and prevent a malicious cyber-attack through continuous monitoring, robust security practices, and incident handling processes that ensure the system will meet and exceed its standard Service Level Agreement.
With great success in this government partnership, and the ability to provide government agencies with a secure, cloud-based supply chain management solution, the goal shifted to replicating this process for the next agency in need. While most of the requirements are standard across government in terms of security, processes, and procedures related to hosting an enterprise solution, it was imperative to ensure that Prodigo could replicate the authorization and approval process without starting from the beginning. With this in mind, time was taken to document lessons learned and to ensure that artifacts were categorized and stored securely, so future deployment teams could reference them as a template for our next government contract.
Successful businesses understand that planning and preparation are critical to success, but in the government environment it is even more important to be ready at all times. Understanding the requirements in advance helps prevent project delays. Establishing a solid team ensures the right technical, functional, and administrative personnel are included, so each resource can focus on their deliverables. Using the documentation and guidelines available helps to smooth processes. By carefully evaluating hurdles within the industry and providing swift solutions, Prodigo is now well-positioned to help government agencies move from reactive to modern, proactive supply chain management.
Learn more about Prodigo Solutions and what it can offer to the public sector.