Nothing wussy about moderate security

There's nothing wussy about moderate level security.

Moderate level security is kind of wussy -- or wimpy -- sounding.

However, “there is nothing wussy about moderate,” Robert Williams, president of Clear Government Solutions said at a recent briefing on cloud computing in the government in Washington, D.C.

When the government says “moderate,” that means the average person need not waste his time trying to break into a computer system in compliance with security at that level. However, there are sophisticated folks with the ability to compromise systems, so industry and government have to remain vigilant, Williams said.

Under The Federal Information Security Management Act (FISMA), moderate level security means vendors and service providers are cleared for sensitive data, but not classified data. Sensitive data and lower classifications make up 80 percent of government data.

Williams described the process his company underwent to achieve security accreditation as a member of a team awarded a contract to provide agencies with cloud-based virtual machine, storage and Web hosting services through the General Services Administration’s infrastructure-as-a service contract awarded to 12 vendors in October 2010.

Clear Government Solutions' team had to first file 60 to 70 documents --- some of them 600 to 800 pages long --- with detailed information about the company’s security plan. “I kid you not,” Williams said. The government assigned an assessor who came to the company’s facility to watch everything Williams’ team did as they filed the documents -- so it is not merely a documentation process, he noted.

You think you are ready? No. Somebody has to assess and test what you have done to make sure that you really conform with government standards. In some cases, an independent organization does an assessment of the first assessment to ensure complete integrity with the process.

At this stage, “if you’re blessed, you get an authority to operate,” Williams said. It means that agencies are obliged to accept that you have gone through an official government certification and accreditation process, now know as assessment and authorization.

You think you’re finished? Not yet.

As part of the Federal Risk Authorization and Management Program (FedRAMP) companies have to go through continuous monitoring of their security posture. FedRAMP, a governmentwide security program to vet cloud products and providers, is undergoing revision and is expected to be completed by the end of the summer. Plus, every six months an inspector general or other auditors will pay you a visit to ensure that your company is doing what is needed on a regular basis to meet government security guidelines.

The best way to keep up-to-date is to adhere to standards – FISMA and National Institute of Standards and Technology security guidelines both those that are final and those in draft form. "If you know standards are coming why be like an ostrich with your head in the sand?," Williams asked.