
Nothing wussy about moderate security

There's nothing wussy about moderate level security.

Moderate level security is kind of wussy -- or wimpy -- sounding.

However, “there is nothing wussy about moderate,” Robert Williams, president of Clear Government Solutions, said at a recent briefing on cloud computing in government held in Washington, D.C.

When the government says “moderate,” it means that the average person need not bother trying to break into a system that complies with the security controls required at that level. Sophisticated adversaries with the ability to compromise such systems still exist, however, so industry and government have to remain vigilant, Williams said.

Under the Federal Information Security Management Act (FISMA), moderate level security means vendors and service providers are cleared to handle sensitive data, but not classified data. Sensitive data and lower categorizations make up 80 percent of government data.

Williams described the process his company underwent to achieve security accreditation as a member of a team awarded a contract to provide agencies with cloud-based virtual machine, storage and Web hosting services through the General Services Administration’s infrastructure-as-a-service contract, which was awarded to 12 vendors in October 2010.

Clear Government Solutions' team first had to file 60 to 70 documents, some of them 600 to 800 pages long, with detailed information about the company’s security plan. “I kid you not,” Williams said. The government assigned an assessor who came to the company’s facility to watch everything Williams’ team did as they prepared the documents, so it is not merely a documentation exercise, he noted.

You think you are ready? No. Somebody has to assess and test what you have done to make sure that you really conform to government standards. In some cases, an independent organization assesses the first assessment to ensure the integrity of the process.

At this stage, “if you’re blessed, you get an authority to operate,” Williams said. It means, he said, that agencies are obliged to accept that you have gone through an official government certification and accreditation process, now known as assessment and authorization.

You think you’re finished? Not yet.

As part of the Federal Risk and Authorization Management Program (FedRAMP), companies have to undergo continuous monitoring of their security posture. FedRAMP, a governmentwide security program to vet cloud products and providers, is undergoing revision and is expected to be completed by the end of the summer. In addition, every six months an inspector general or other auditor will pay you a visit to ensure that your company is doing what is needed, on an ongoing basis, to meet government security guidelines.

The best way to keep up to date is to adhere to standards: FISMA and the National Institute of Standards and Technology security guidelines, both those that are final and those still in draft form. “If you know standards are coming, why be like an ostrich with your head in the sand?” Williams asked.

Posted by Rutrell Yasin on Mar 31, 2011 at 7:21 PM


Reader Comments

Thu, Mar 31, 2011

Great article. The only thing I would caution is the following: "At this stage, “if you’re blessed, you get an authority to operate,” Williams said. It means that agencies are obliged to accept that you have gone through an official government certification and accreditation process, now known as assessment and authorization." Agencies are not obligated or obliged to accept the authorization. Only the authorizing official for an organization can make that determination; however, having an existing authorization in place can make that process MUCH easier!
