
Here at Red Hat, we’ve spent over a decade building up the power of Red Hat Insights, making it one of the most valuable pieces of technology included in your Red Hat subscription. We’ve integrated with industry-leading technologies like IBM X-Force, we’ve grown invaluable data sets from our own support cases, and we’ve extended our reach to deliver Insights wherever you work. See What the Insights portfolio can do for you.

One thing that's been a blocker for US government customers and contractors has been FedRAMP. But that's a blocker no more! Through a long process of sponsorship, development, and assessment, Red Hat Insights is an approved service, with or without Red Hat OpenShift Service on AWS (ROSA). Red Hat Insights has received the FedRAMP High Agency authority to operate (ATO), and Red Hat is listed as Ready for the JAB authorization process.

So what does this mean, what does it bring you, and how can US government agencies get onboard?

What is FedRAMP?

FedRAMP is the authorization program for a cloud service provider (CSP) like Red Hat that shows it's approved for use by US government agencies and the contractors that serve them. And Red Hat Insights has been determined to be an environment that meets all the guidelines required for FedRAMP authorization.

[Figure: FedRAMP authorization process]

A FedRAMP authorization ensures that a CSP is abiding by the government's NIST framework, and other government regulations, for operating secure environments. Its guidelines provide US government agencies safe and reliable options for using cloud-based products. Instead of forcing every agency to individually go through an RFI (request for information) process for each provider it wants to use, FedRAMP assesses companies and grants approval to those that qualify.

Where do I start?

For departments that are looking for more information, a great place to start is the FedRAMP Marketplace. The Marketplace lists all FedRAMP approved companies along with information about their cloud service offerings (CSO). On Red Hat's agency ATO (Authority to Operate) listing, you can download a package request form to be vetted by the FedRAMP Program Management Office (PMO) to gain access to Red Hat’s FedRAMP security package. This package contains documentation about our architecture and processes, as well as our assessment results, showing how we satisfied each FedRAMP requirement. It also contains our Continuous Monitoring documentation to show how we continue to meet those requirements.

Red Hat initially pursued FedRAMP authorization for Red Hat OpenShift Service on AWS (ROSA). During that process, we added Red Hat Insights into that authorization as a significant change request (SCR). Both are offered together or separately under the same ATO.

What’s next?

Once you feel confident that all internal approvals are met, contact your account team for more details, or simply fill out the application to apply for entry into the FedRAMP environment. Customers must apply for entry so that we can limit access to US government departments and agencies or contractors that have an active US government contract. No other customers are permitted to use this environment.

As a part of this application, we verify a few things:

  1. You are a US government agency or department, or have an active contract
  2. Your primary user is living in the US and is a US citizen (or has been granted permanent US residency)
  3. You have an active Red Hat subscription

Once our stateside support team confirms these three pieces of information, we configure your account.

What should I expect from the FedRAMP environment?

It’s important to note that the FedRAMP instance of Insights is a completely separate environment from our commercial product. Your experience differs from the commercial one in a handful of ways. Here are some of the major ones:

  1. Stateside support: As a requirement of FedRAMP, you communicate and troubleshoot with Red Hat’s stateside support team when you receive support for Insights. This means you’ll be asked to set up ServiceNow credentials to correspond with the proper team. This team has also been vetted according to government requirements, and consists of US citizens (or those who have been granted permanent US residency).
  2. Boundary: Insights leverages Amazon Web Services GovCloud infrastructure to run the FedRAMP environment, and all aspects of that infrastructure need to remain "in boundary". This means you’ll use a different login URL, a different authentication tool, and have some limited services to maintain the proper security stance of data flows.
  3. Connection: You can connect your hosts to the FedRAMP Insights environment through your Satellite servers. To allow data flow from your Satellite into the restricted FedRAMP boundary, you need to provide your IP ranges and register your Satellite to send data to the FedRAMP environment. Stateside support walks you through both of these processes. Note that “direct connecting” a host without a Satellite is not supported at this time.
  4. Feature Delivery: Due to extra change controls within the FedRAMP environment, changes to the Insights applications slightly lag behind those made in the commercial environment. This doesn't impact any of the monitoring capabilities of Insights, like our Vulnerability service.

One major consistency between these two environments is their cost. Insights is included in your Red Hat subscription, at no extra cost, no matter the environment you choose.

Get started

Once the approvals and setup are complete, you’re ready to onboard like normal Insights users. I recommend setting up inventory groups, configuring your RBAC, and digging into the portfolio of features available for you. Not sure where to start? Insights Vulnerability and Content are some of our most popular services.

We’re thrilled to bring the power of Insights to US federal use cases, and we're honored to have been approved for the FedRAMP program. If you want more information on this offer, please reach out to your account team, visit our website, or email me directly at mmeza@redhat.com.


About the author

Meza is a seasoned product professional with 15 years of experience managing products and teams across a variety of company sizes, industries and regions. As a member of the Red Hat Insights team, she works to build solutions that enable our customers to derive more value from their Red Hat subscriptions and transform their IT operations. Meza has been with Red Hat since July of 2021 and works remotely from Nashville, TN.
