Public-Sector WebOps Glossary
Definitions for the frameworks, vehicles, and operating concepts that shape institutional cloud and CMS work
A reference glossary for buyers, operators, and stakeholders working in government, higher education, healthcare, and nonprofit cloud and CMS engagements. Each entry is a self-contained definition suitable for procurement evaluation and institutional documentation.
What is a public-sector WebOps glossary?
A public-sector WebOps glossary is a reference of the compliance frameworks (FedRAMP, NIST 800-53, HIPAA, FERPA, WCAG 2.1 AA), procurement vehicles (SBA 8(a), Carahsoft, AWS Marketplace, GSA Multiple Award Schedule), CMS platform terminology (Cascade Website Hosting, Hannon Hill, managed WebOps), and cloud infrastructure concepts (AWS GovCloud, Azure Government, CSP) that shape institutional digital platform engagements for government, higher education, healthcare, and nonprofit organizations.
Category: Compliance and regulatory
The compliance frameworks that shape institutional cloud and CMS workloads in government, higher education, healthcare, and nonprofit sectors.
FERPA
- FERPA (Family Educational Rights and Privacy Act) is the United States federal law that protects the privacy of student education records. It applies to all educational agencies and institutions that receive federal funding. For higher education web platforms, FERPA constrains what information can be published, how access to student records is controlled, and how integrations with the student information system (SIS) handle student data. Educational institutions document FERPA compliance as part of their institutional information security program.
HIPAA
- HIPAA (Health Insurance Portability and Accountability Act) is the United States federal law that establishes privacy and security requirements for protected health information (PHI). It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. Web platforms that handle PHI must implement HIPAA's technical, administrative, and physical safeguards, and the operating partner typically signs a Business Associate Agreement (BAA) before processing PHI on the platform.
BAA (Business Associate Agreement)
- A BAA is a legally binding contract between a HIPAA covered entity and a business associate that establishes the business associate's responsibility for protecting PHI. AWS, Microsoft Azure, and managed services partners that operate platforms handling PHI sign BAAs as a prerequisite to processing the data. The BAA is the contractual mechanism that extends HIPAA's compliance perimeter to the operating partner.
FedRAMP
- FedRAMP (Federal Risk and Authorization Management Program) is the United States federal program that standardizes the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. FedRAMP authorization comes in three impact levels: Low, Moderate, and High. AWS GovCloud and Azure Government carry FedRAMP authorizations across their service portfolios. Federal agency Drupal and WordPress workloads that handle controlled unclassified information typically require FedRAMP Moderate or High.
NIST 800-53
- NIST Special Publication 800-53 is the United States National Institute of Standards and Technology security and privacy controls catalog for federal information systems. It defines control families covering access control, audit and accountability, configuration management, incident response, system and communications protection, and others. NIST 800-53 is the foundation of FedRAMP and FISMA control implementations. Government Drupal and WordPress workloads document control implementations against the relevant 800-53 baseline.
NIST Cybersecurity Framework
- The NIST Cybersecurity Framework (CSF) is a voluntary framework that helps organizations manage cybersecurity risk. It is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. NIST CSF is widely adopted by state government agencies, higher education institutions, and nonprofit organizations as a baseline cybersecurity posture framework. It is broader and less prescriptive than NIST 800-53, which is the federal-agency control baseline.
StateRAMP
- StateRAMP is the state government equivalent of FedRAMP. It standardizes the security assessment and authorization of cloud products used by state and local government agencies. StateRAMP authorization at Low, Moderate, or High impact levels signals that a cloud service provider has been independently assessed against NIST-based controls. Some state agencies require StateRAMP authorization; others accept FedRAMP authorization or NIST 800-53 alignment as equivalent.
SOC 2
- SOC 2 is an audit framework that evaluates a service organization's controls against the AICPA's Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II audits assess control effectiveness over a period of months. SOC 2 Type II is the institutional baseline for managed services partners. SOC 2 reports are typically shared under NDA with prospective customers during procurement evaluation.
HECVAT
- HECVAT (Higher Education Community Vendor Assessment Toolkit) is a standardized questionnaire used by higher-education institutions to assess vendor information security and privacy practices before procurement. The toolkit includes Full, Lite, and On-Premise versions for different vendor profiles. HECVAT responses are typically required during institutional vendor risk assessment for any vendor that processes student, faculty, or research data. EDUCAUSE maintains the HECVAT registry.
ATO (Authorization to Operate)
- An Authorization to Operate is the formal approval for a federal information system to operate within a specific risk tolerance. ATOs are issued by an agency's Authorizing Official based on the system's security control implementation and risk assessment. FedRAMP Authorized cloud services hold ATOs at Low, Moderate, or High impact levels. The ATO is the regulatory artifact that documents acceptable risk for the system.
Continuous Monitoring
- Continuous Monitoring is the ongoing assessment of an information system's security posture through automated tools and procedural reviews. For FedRAMP-authorized environments, continuous monitoring is a contractual requirement: monthly vulnerability scans, quarterly access reviews, ongoing log analysis, and annual security control assessments. Continuous monitoring distinguishes operationally mature managed services partners from project-style integrators that close out at cutover.
Category: Accessibility
The accessibility standards and legal frameworks that apply to public-sector and federally-funded websites.
WCAG 2.1 AA
- Web Content Accessibility Guidelines (WCAG) 2.1 Level AA is the international accessibility standard for web content. It defines criteria across four principles: perceivable, operable, understandable, and robust. WCAG 2.1 AA is the legally required accessibility level for many United States government websites under Title II of the ADA, federally-funded institutions under Section 504, and many state-level public-sector accessibility requirements.
Section 508
- Section 508 of the Rehabilitation Act requires United States federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 standards are aligned with WCAG 2.0 AA and increasingly WCAG 2.1 AA in implementation. Federal agency websites, mobile applications, and procured technology are all covered by Section 508. Compliance is enforced through GSA and individual agency procurement processes.
Title II ADA
- Title II of the Americans with Disabilities Act prohibits disability-based discrimination by state and local government entities. The Department of Justice's April 2024 Title II rule established WCAG 2.1 Level AA as the enforceable accessibility standard for state and local government websites and mobile applications. Compliance deadlines are April 24, 2026 for entities serving populations over 50,000 and April 26, 2027 for smaller entities.
Category: Government procurement
The contract vehicles, certifications, and procurement paths through which government agencies acquire managed services.
SBA 8(a)
- The Small Business Administration's 8(a) Business Development Program is a United States federal program that supports small businesses owned by socially and economically disadvantaged individuals. SBA 8(a) certified firms are eligible for sole-source and competitive set-aside contracts with federal agencies. For agencies that can direct-award to 8(a) firms, the procurement path significantly accelerates engagement timelines compared to full open competition.
Carahsoft
- Carahsoft is a public-sector technology distributor that aggregates contract vehicles for government agencies including SEWP, GSA Multiple Award Schedule, ITES, and various state cooperative purchasing agreements. Many cloud and managed services partners are available through Carahsoft, which gives federal, state, and local agencies a familiar procurement path that bypasses the need to negotiate direct contracts with individual vendors.
AWS Marketplace
- AWS Marketplace is a digital catalog where AWS customers can find, subscribe to, and provision third-party software and services. For federal, state, and local government agencies with existing AWS Enterprise Agreements, AWS Marketplace procurement is often a faster path than direct vendor contracts because the consumption flows through the existing AWS billing relationship. AWS Marketplace listings include managed services partners offering Drupal, WordPress, and other CMS operations.
GSA Multiple Award Schedule
- The General Services Administration Multiple Award Schedule (MAS) is a long-term governmentwide contract that gives federal agencies access to commercial products, services, and solutions at pre-negotiated prices. State and local governments can also use MAS through cooperative purchasing. Many managed services partners hold MAS contracts that streamline procurement for agencies familiar with the vehicle.
Category: CMS platforms and operating models
Terminology specific to Cascade CMS, Drupal, WordPress, and the managed WebOps operating model.
Cascade Website Hosting
- Cascade Website Hosting is the managed infrastructure service that operates the production website environment receiving Cascade CMS published output. Hannon Hill operates the Cascade CMS authoring application as SaaS. The production servers, CDN, security, and performance tier that deliver published content to website visitors are a separate stack, and that stack is what a managed Cascade Website Hosting partner runs. eWay Corp operates this layer on AWS or Azure for higher-education institutions.
Cascade publish job
- A Cascade publish job is a Cascade CMS operation that pushes content from the SaaS authoring environment to the production web server. Publish jobs vary in scope from single-page publishes to full site Publish All operations that push thousands of files at once. Production hosting infrastructure must handle publish job patterns that differ from typical web traffic, particularly during enrollment cycles when publish frequency increases.
Hannon Hill
- Hannon Hill is the company that operates Cascade CMS as a SaaS application. Hannon Hill manages the Cascade authoring environment, the publishing engine, and the SaaS infrastructure on which the CMS runs. Hannon Hill does not operate the production website infrastructure that receives Cascade's published output. That production tier is the institutional or partner responsibility, separate from the Cascade CMS application itself.
Managed WebOps
- Managed WebOps (Web Operations) is an operating model in which a single partner takes continuous operational responsibility for an institutional digital platform: cloud infrastructure, CMS application layer, application integrations, performance, security, and ongoing optimization. Unlike traditional hosting or development, managed WebOps does not end at launch. It is an ongoing engagement with defined SLAs and human accountability for outcomes.
Category: Cloud infrastructure and security
Cloud-environment terminology for AWS GovCloud, Azure Government, identity, network, and security controls.
AWS GovCloud (US)
- AWS GovCloud (US) is a set of AWS regions physically and logically isolated from commercial AWS regions, accessible only to United States government entities and their authorized partners. Operations are performed by screened US persons. AWS GovCloud carries FedRAMP authorizations across its service portfolio and supports DoD impact levels for specific service subsets. Federal agency Drupal and WordPress workloads that handle controlled unclassified information (CUI) typically run in AWS GovCloud.
Azure Government
- Microsoft Azure Government is a set of Azure regions physically and logically isolated from commercial Azure, accessible only to United States government entities and their authorized partners. Operations are performed by screened US citizens. Azure Government carries FedRAMP authorizations and DoD impact levels across its service portfolio. State and local government agencies handling sensitive data, criminal justice information, or federal tax information typically require Azure Government.
Microsoft Cloud Solution Provider (CSP)
- Microsoft Cloud Solution Provider (CSP) is the Microsoft program through which partners provision Azure subscriptions and Microsoft product licenses on behalf of customers. Customers consuming Azure through a CSP partner have their Azure billing flow through the CSP rather than through a direct Microsoft Enterprise Agreement. CSP is the typical procurement path for government agencies and higher-education institutions that prefer consolidated vendor management.
Microsoft Entra ID
- Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity and access management service. It supports single sign-on, multi-factor authentication, conditional access, and integration with on-premises Active Directory through hybrid identity configuration. Entra ID Government is the equivalent service in Azure Government, providing the same identity capabilities within the FedRAMP-authorized environment for federal and state agencies.
WAF (Web Application Firewall)
- A Web Application Firewall is a security control that filters and monitors HTTP traffic between a web application and the internet. WAFs protect against common application-layer attacks such as SQL injection and cross-site scripting, along with other OWASP Top 10 vulnerability classes. AWS WAF, Azure Front Door WAF, and Cloudflare WAF are common implementations. WAF rule configuration and ongoing tuning are part of the institutional operational discipline.
CDN (Content Delivery Network)
- A Content Delivery Network is a distributed system of servers that delivers web content from edge locations close to the requesting user. For institutional CMS workloads, CDNs absorb anonymous-page traffic, accelerate asset delivery for global audiences, and provide a layer of DDoS protection. AWS CloudFront, Azure Front Door, Cloudflare, and Fastly are common CDN providers used in institutional architecture.
MFA (Multi-Factor Authentication)
- Multi-Factor Authentication requires users to present two or more verification factors to authenticate, typically combining something the user knows (password) with something the user has (security key or authenticator app). MFA is the institutional baseline for administrative access to CMS platforms, cloud consoles, and identity providers. MFA mitigates the most common attack vector against institutional accounts, credential theft, because a stolen password alone is no longer sufficient to sign in.
RBAC (Role-Based Access Control)
- Role-Based Access Control is an access management model in which permissions are assigned to roles, and users are assigned to roles, rather than permissions being assigned directly to users. For institutional CMS workloads with distributed editorial governance, RBAC enables department-level permissions without per-user permission management. RBAC is foundational to maintaining editorial governance through staff turnover.
Category: Performance and Core Web Vitals
The user-experience metrics Google uses as confirmed search ranking signals, plus the performance disciplines that drive them.
Core Web Vitals
- Core Web Vitals are Google's set of user experience metrics that measure web page loading performance, interactivity, and visual stability. The three current Core Web Vitals are Largest Contentful Paint (LCP), Interaction to Next Paint (INP), and Cumulative Layout Shift (CLS). Google uses Core Web Vitals as a confirmed search ranking signal. Institutional CMS workloads with strong Core Web Vitals scores rank above sites with weaker scores in comparable queries.
LCP (Largest Contentful Paint)
- Largest Contentful Paint is the Core Web Vitals metric that measures when the largest content element in the viewport finishes rendering. LCP under 2.5 seconds is considered good; over 4 seconds is poor. For institutional CMS workloads, LCP is typically driven by hero image weight, render-blocking CSS or JavaScript, and time-to-first-byte from the origin or CDN.
INP (Interaction to Next Paint)
- Interaction to Next Paint is the Core Web Vitals metric that measures responsiveness to user interactions. INP under 200 milliseconds is considered good; over 500 milliseconds is poor. INP replaced First Input Delay as the official Core Web Vitals interactivity metric in March 2024. For institutional CMS workloads, INP is influenced by JavaScript execution overhead and main-thread blocking.
CLS (Cumulative Layout Shift)
- Cumulative Layout Shift is the Core Web Vitals metric that measures visual stability during page load. CLS under 0.1 is considered good; over 0.25 is poor. Layout shifts occur when page elements reposition unexpectedly during load, typically from images without explicit dimensions, ads, or late-loading content. CLS is a confirmed Google search ranking signal.
Working through institutional cloud or CMS procurement?
The terminology is just the start. The operational discipline is the engagement.
Our team operates on the institutional side of these frameworks every day. If you are evaluating managed services partners for a government, higher education, healthcare, or nonprofit engagement, schedule a 30-minute conversation to scope your requirements.