Are DocuSign products authorized by FedRAMP?

When federal government agencies make a decision to purchase cloud computing tools, they need more rigorous security and access controls than other types of organizations. To help federal buyers, the Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services. 

FedRAMP scrutinizes cloud products and awards authorizations for technology that passes a certain set of security standards. This standardized approach saves agencies the time and hassle of having to conduct their own security investigations everytime they want to purchase a cloud product. 

Not all FedRAMP authorizations are created equal. There are four different impact levels that correspond to the type of data that needs to be protected: Lite, Low, Moderate and High. Each level contains all of the security standards of the previous ones plus additional controls. FedRAMP Moderate is deemed appropriate for around 80 percent of agencies’ needs and can handle controlled unclassified data, personal identifiable information (PII), and protected health information (PHI).

Which DocuSign products are FedRAMP authorized?

Two DocuSign products have been awarded the FedRAMP Agency authorization and are listed on the U.S. federal government’s FedRAMP marketplace: DocuSign eSignature and SpringCM (acquired by DocuSign and now called DocuSign CLM). Both are authorized at the Moderate impact level (more on that below). 

In general, electronic signature is extremely safe. In fact, it’s even safer than an ink-and-paper signature because of the extra layers of authorization that make electronic signatures more difficult to forge. The FedRAMP authorization of DocuSign provides even further proof of the high security standards of DocuSign eSignature.

Federal government customers who use DocuSign eSignature also receive an extra benefit: access to a secure government cloud. This exclusive cloud environment runs on special servers that only house government data, including access keys, agreement envelopes and more. This high-security environment is meant to minimize security risks by segregating government data from private sector and consumer data. For Federal agencies with data on this government cloud, DocuSign follows the strictest guidelines for security incident reporting, which are set by the United States Computer Emergency Readiness Team (US-CERT). 

Which security standards are part of FedRAMP authorization?

To reach and maintain the Moderate level, there are 325 different controls that DocuSign meets. After satisfying each of those controls and earning the Moderate rating, the products are continually audited for the same list of security controls to maintain that standard.

Products with lower security standards offer less protection to prospective buyers and are limited in regards to the types of information that can be stored.

Optimizing agreements with an end-to-end agreement process

For federal agencies concerned with efficiency and security, it’s important to minimize the number of different tools in a technology stack while still offering a high level of functionality. With FedRAMP authorizations for both DocuSign and SpringCM, an agency can create an end-to-end platform for managing all their agreement processes, including contracts, grants, and other paperwork. Because both tools have achieved the Moderate impact rating, any organization needing that level of security can use both products together without worrying about security drop-off.

To date, more than 1,300 federal, state and local agencies are using DocuSign to handle their agreement needs. There are endless options, but common use cases are procurement, HR, licensing and permitting. We help organizations solve paperwork issues by providing a defined process that manages paperwork from end to end. Our technology enables a streamlined workflow to manage every step of agreement work.

Check out the Federal Industry Brief to learn more about our security standards, FedRAMP authorization and how federal agencies are using DocuSign to improve agreements.

Published
Related Topics