Because communications is often siloed from the rest of IT, many government agencies and Federal system integrators (FSIs) haven’t yet taken advantage of the range of services available from unified communications (UC) platforms beyond video conferencing. MeriTalk sat down with Meredith Krar, director of Federal systems integrators for Zoom, to discuss how UC capabilities can benefit agencies and FSIs and explore how FSIs can meet the requirements of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0.
MeriTalk: We’re talking today over Zoom for Government, a specialized platform designed for the Federal government, and probably thousands of Federal employees are doing the same thing right now. Online collaboration has become a core capability in both the government and private sector space. Employees need a hybrid work option that encompasses voice, video, chat, and information-sharing capabilities wherever they are. How close are Federal agencies to realizing this requirement today?
Krar: They’re close, but they still have a ways to go. The pandemic forced remote work upon us, and for many agencies it was a Band-Aid – and understandably so. Fast forward to today, and many agencies haven’t realized the full benefits of a UC platform like Zoom for Government. One big reason is because communications have historically been siloed and on premises. Apart from a typical video conference, there was a fair amount of work necessary to transition from an on-prem solution where you have gear sitting in facilities.
But now, folks are starting to realize they can consume UC as a service just as they could any other software application in the stack. They’re realizing we don’t have to do elaborate network adjustments and poke holes in firewalls anymore. All of that can be replaced with a user ID and login.
MeriTalk: What special considerations or requirements should agencies think about as they work to expand and improve communications capabilities for their employees and also for constituents or others using agency services?
Krar: One thing I’d recommend is having a diverse redundant connection within your communications network architecture. When the internet first hit, many Federal agencies had a single connection, but if a fiber optic cable was cut, your internet went down. Agencies realized they should have at least two internet service providers so that became a best practice. The same thing has happened with cloud providers – every agency has more than one.
Similarly, it doesn’t make sense to be 100 percent reliant on a single comms platform. If that platform has an outage – and you are dependent on that infrastructure for voice, video, collaboration, email, chat, and a range of other applications – you’re frozen.
When you have a diverse redundant connection, you can leverage the strengths of each communications solution. Because Zoom integrates with Microsoft Teams and many other UC platforms, Zoom can be that redundant diverse player that alleviates the risk of having a single point of failure on a comms platform.
MeriTalk: Zoom works with the FSI community to meet the UC needs of Federal agencies. Can you share some successes?
Krar: Federal Aviation Administration (FAA) Administrative Voice Enterprise Services (FAVES) is a large contract run by General Dynamics Information Technology (GDIT) that uses Zoom to provide voice and video for hundreds of FAA commercial sites. They’re leveraging hundreds of applications within the FAVES program, and GDIT has shared that Zoom has the lowest number of help desk tickets on the FAVES network. A recent survey of government employees that we commissioned also shows that 87 percent felt favorable to Zoom.
MeriTalk: Obviously, security is a huge concern and a big requirement. Zoom for Government has earned FedRAMP Moderate authorization, which means that agencies can use the cloud service for controlled, unclassified information. Tell us a bit about some of the other government security requirements that Zoom has met.
Krar: Zoom offers great security and privacy features, including 256-bit AES-GCM encryption and an optional end-to-end encryption (E2EE) feature. With E2EE enabled, communication between all meeting participants using Zoom for Government clients in a given meeting is encrypted using cryptographic keys known only to the devices of those participants. This helps ensure that no third party – including Zoom – has access to the meeting’s private keys.
In addition to FedRAMP Moderate authorization, Zoom for Government has received Provisional Authorization from the Defense Information Systems Agency for the Department of Defense at Impact Level 4 (IL4) and an Authorization to Operate for DoD IL4 for Zoom Meetings with the Department of the Air Force.
MeriTalk: Another security requirement is looming large – CMMC 2.0, a set of security standards for defense contractors that is designed to protect controlled classified information and Federal contract information. The DoD has indicated that the final rule for implementing CMMC 2.0 could be complete as early as March, which means CMMC requirements could appear in RFIs by May.
The DoD has said that it will provide CMMC reciprocity for FedRAMP authorizations. In practice, what does this mean for FSIs that are using or implementing Zoom for Government or other FedRAMP Moderate cloud solutions?
Krar: As it relates to CMMC, Zoom is waiting for DoD to finalize the reciprocity between CMMC and FedRAMP Moderate and DoD IL4. It is likely we will align to CMMC Level 2. If there is any gap after DoD provides that guidance, we will likely close that gap quickly.
MeriTalk: Based upon your work with the FSIs, what challenges may they be experiencing as they work through security and compliance requirements such as CMMC 2.0? And what advice could you offer?
Krar: The new guidelines in CMMC 2.0 require that you state your intentions for your plans of actions and milestones for reaching full compliance. Then they give you 180 days to realize them in your environment. The statements are connected to the senior levels at the FSIs, and there are some serious legal implications and monetary risk there if you do not enact your plan on time.
This is where Zoom for Government can be an advantage as you prepare for CMMC certifications. Our solution fits the infrastructure nicely because it’s operated in the AWS GovCloud and co-locations located in the continental United States. Bandwidth requirements are significantly less than for other vendors, especially on-prem vendors, and you can stand up a Zoom instance fairly quickly.
MeriTalk: We know that security requirements sometimes can cause friction for end users. How can Federal agencies ensure seamless performance and security for employees no matter where they are working?
Krar: Platform architecture is very important to the scalability and performance of a UC solution. Zoom, for example, uses an architecture that distributes meetings across our data center network. The result is a reliable video experience and the ability to expand the user base seamlessly. We don’t have to have a specific Army instance or a specific Air Force instance.
Our system is completely federated with any other customer on our platform. If you are in the Army and use Zoom for Government, for example, you can simply and securely communicate with someone from the Air Force or the Executive Office of the President. Some other platforms have allowed security to limit collaboration, so users in different organizations can’t communicate with each other, even though they use the same platform.