Because communications is often siloed from the rest of IT, many government agencies and Federal system integrators (FSIs) haven’t yet taken advantage of the range of services available from unified communications (UC) platforms beyond video conferencing. MeriTalk sat down with Meredith Krar, director of Federal systems integrators for Zoom, to discuss how UC capabilities can benefit agencies and FSIs and explore how FSIs can meet the requirements of the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0.
MeriTalk: We’re talking today over ZoomGov, and probably thousands of Federal employees are doing the same thing right now. Online collaboration has become a core capability in government and in the private sector. People need to be able to work remotely and in hybrid arrangements, and so they need voice, video, chat, and information sharing capabilities wherever they are. How close are Federal agencies to realizing this vision today?
Meredith Krar: They’re close, but they still have a ways to go. The pandemic forced remote work upon us, and for many agencies it was a Band-Aid – and understandably so. Fast-forward to today, and many agencies haven’t realized the full benefits of a UC platform like Zoom for Government. One big reason is because communications has historically been a siloed, on-premises capability. Apart from a typical video conference, there was a fair amount of work necessary to transition from an on-prem solution where you have gear sitting in facilities.
But now, folks are starting to realize they can consume voice or UC as a service just as they could any other software application in the stack. They’re realizing we don’t have to do elaborate network adjustments and poke holes in firewalls anymore. All of that can be replaced with a user ID and login.
MeriTalk: What special considerations or requirements should agencies think about as they work to expand and improve communications capabilities for their employees and also for constituents or others using agency services?
Meredith Krar: One thing I’d recommend is having a diverse redundant connection within your communications network architecture. When the internet first hit, many Federal agencies had a single connection, but if a fiber optic cable was cut, your internet went down. Agencies realized they should have at least two internet service providers. So that became a best practice. The same thing has happened with cloud providers – every agency has more than one.
Similarly, it doesn’t make sense to be 100 percent reliant on a single comms platform. If that platform has an outage – and you are dependent on that infrastructure for voice, video, collaboration, email, chat, and a range of other applications – you’re frozen.
When you have a diverse redundant connection, you can leverage the strengths of each communications solution. Because Zoom integrates with Microsoft Teams and all other UC platforms, Zoom can be that redundant diverse player that alleviates the risk of having a single point of failure on a comms platform.
MeriTalk: Zoom works with the FSI community to meet the UC needs of Federal agencies. Can you share some successes?
Meredith Krar: Federal Aviation Administration (FAA) Administrative Voice Enterprise Services (FAVES) is a large contract run by General Dynamics Information Technology (GDIT) that uses Zoom to provide voice and video for hundreds of FAA commercial sites. They’re leveraging hundreds of applications within the FAVES program, and GDIT has shared that Zoom has the lowest number of help desk tickets on the FAVES network. It’s super intuitive. A recent survey of government employees that we commissioned also shows that 87 percent felt favorable to Zoom.
Another success story is Customs and Border Patrol (CBP), which recognized the need to process folks who are traversing the U.S. border at legal border crossings that aren’t airports or other checkpoints where a CBP officer can look at your passport or visa in person. There are hundreds of thousands of border crossings outside of these checkpoints each year, and CBP needed a way to apply the same verification process to all border crossings.
An example would be a hunter who is moving back and forth in between the United States and Canada. CBP used our application programming interface and software development kits to build an application around Zoom with telemetry technologies built in. As long as the hunter has connectivity, he could have a face-to-face conversation with a CBP agent in the middle of the woods just as he would at a major checkpoint. The passport or visa is uploaded within the application, and CBP can verify the hunter’s identity during a live Zoom conversation. It’s a pretty powerful use case for Zoom.
MeriTalk: Obviously, security is a huge concern and a big requirement. Zoom for Government has earned FedRAMP Moderate authorization, which means that agencies can use the cloud service for controlled, unclassified information. Tell us a bit about some of the other government security requirements that Zoom has met.
Meredith Krar: We’re the only ones in the industry with true multi-point end-to-end encryption, which is very valuable because most meetings have more than two people in them. It doesn’t matter how many people you add to the meeting. Everything is going to be in that encrypted tunnel.
In addition to FedRAMP Moderate authorization, Zoom for Government has received Provisional Authorization from the Defense Information Systems Agency for the Department of Defense at Impact Level 4 (IL4) and an Authorization to Operate with Conditions for DoD IL4 for Zoom Meetings with the Department of the Air Force.
MeriTalk: Another security requirement is looming large – CMMC 2.0, a set of security standards for defense contractors that is designed to protect controlled classified information and Federal contract information. The DoD has indicated that the final rule for implementing CMMC 2.0 could be complete as early as March, which means CMMC requirements could appear in RFIs by May.
The DoD has said that it will provide CMMC reciprocity for FedRAMP audits. In practice, what does this mean for FSIs that are using or implementing Zoom for Government or other FedRAMP Moderate cloud solutions?
Meredith Krar: At its simplest level, in order for an FSI to be compliant from a CMMC perspective, they need to make sure that their software-as-a-service solution is FedRAMP authorized. Zoom has FedRAMP and DoD IL4 certifications – and authority to operate (ATOs) from many agencies. That’s an enormous compliance checkmark that FSIs can put in their overall CMMC planning and strategy. They don’t have to worry about the complexities of designing a whole security posture for our application, because it’s already done.
MeriTalk: Based upon your work with the FSIs, what challenges may they be experiencing as they work through security and compliance requirements such as CMMC 2.0? And what advice could you offer?
Meredith Krar: The new guidelines in CMMC 2.0 require that you state your intentions for your plans of actions and milestones for reaching full compliance. Then they give you 180 days to realize them in your environment. The statements are connected to the senior levels at the FSIs. Any breach within your instance when you’ve made these intentions known could make you liable for the False Claims Act. So, there are some serious legal implications and monetary risk there if you do not enact your plan on time.
This is where Zoom is an advantage. You don’t have to worry Zoom won’t meet the criteria. And our solution isn’t a terrible burden on the infrastructure because it’s operated in the AWS GovCloud. Bandwidth requirements are significantly less than for other vendors, especially on-prem vendors, and you can stand up a Zoom instance fairly quickly. Also, we are a U.S.-owned and operated company, which is important to Federal agencies and their contractors.
MeriTalk: We know that security requirements sometimes can cause friction for end users. How can Federal agencies ensure seamless performance and security for employees no matter where they are working?
Meredith Krar: Platform architecture is very important to the scalability and performance of a UC solution. Zoom, for example, uses an architecture that distributes meetings across our data center network. The result is a reliable video experience and the ability to expand the user base seamlessly. We don’t have to have a specific Army instance or a specific Air Force instance.
Our system is completely federated with any other customer on our platform. If you are an Army Zoom IL4 user, for example, you can freely communicate with someone from the Air Force or the National Security Agency. Some other platforms have allowed security to limit collaboration, so users in different organizations can’t communicate with each other, even though they use the same platform. Zoom doesn’t have these limitations because of the steps we’ve taken with federation and encryption.