The company announced June 7 that it’s achieved FedRAMP authorization, a strict federal security standard for cloud-based technology that many states and local governments use as well, and with it launched a product that will focus on internal government data.
For now, the product has a distinctly federal flavor — it’s called Socrata for Federal Government — but Socrata CEO Kevin Merritt told Government Technology that some states have already shown interest in using it. That’s because some state IT officials, in a bid to push agencies away from creating bespoke systems, require those agencies to meet the underlying controls and processes behind FedRAMP anyway.
“They’re gonna say, ‘Hey, Socrata did it. Why can’t you do it as well?’” Merritt said.
The hurdles to meet those standards are high. Socrata’s open data platform is one of only 82 products to make it through FedRAMP certification, and the process took the company two years. During that time, they had to work with a third-party vendor to iteratively improve all sorts of things within the company — which employees had access to customer data, continuous monitoring of threats, etc.
“Our security assessment package ended up being about 700 pages of documentation,” he said.
The company was willing to throw its weight behind the certification, Merritt said, because it opens up multiple new markets to the company. More than 20 federal agencies already use Socrata for open data; now the company can sell its services to those agencies for internal non-classified data as well.
“We have one soon-to-be new [federal] customer that has been in a pilot with us for the last six or seven months. They got an exemption from their chief security officer to go into a pilot with us, but they weren’t allowed to go into production with us until we got the FedRAMP certification,” he said.
Then there are the state and local agencies. Merritt said state and local users are much like citizens that use Socrata’s open data portals: Their level of technical expertise varies. Some potential Socrata users working with the company’s internal product might know how to code; others will have no background in data at all.
“A great example would be a crime analyst in a police department,” Merritt said. “Maybe this is a former beat cop now working with the command staff trying to figure out how do we reduce crime, how do we increase trust with the community?”
For employees like that, he said, the internal data product could help guide decisions.
Even for those that simply stick with Socrata’s existing open data platform, the process of going through FedRAMP certification has changed the company’s cybersecurity practices.
“They don’t need to do anything for that,” Merritt said, “but if they want to take advantage of this new FedRAMP environment, they can.”