Box brings milspec security to its entire platform

Shutterstock image (by bestfoto77): cloud network security lock. 

The cloud-based content management company Box announced on April 26 that it now meets the Department of Defense's cloud security requirements for Impact Level 4. That Provisional Authority to Operate from the Defense Information Systems Agency means Box can now be used for all but the most sensitive types of unclassified information. 

The company also said it has begun working with the Federal Risk Authorization and Management Program on FedRAMP High authorization. Much like DOD's Impact Level 4, FedRAMP's high-impact baseline covers use cases that involve health records, financial data and other sensitive but unclassified information. The FedRAMP program office piloted the new high-impact baseline with three cloud service providers; Box is one of several firms working through the now-formalized framework.

Sonny Hashmi, Box's managing director of global public sector, told GCN these moves are part of a larger effort to help DOD and other government agencies "take advantage of the scale of the cloud while maintaining their security compliance." 

DOD "was and still is our sponsor for the initial FedRAMP assessment," he said. "They were the agency sponsor for the FedRAMP Moderate assessment and [DISA's] Level 2. Now they've upped it to Level 4, and we're working with them on a long-term strategy to get to Level 5 and even more interesting enclave-based solutions."

And while DOD is a very important customer in it's own right, Hashmi said that partnership also serves a broader strategic purpose.

DOD is the largest organization in the world," he said. "It's distributed in its workforce ... and they are massively moving toward an era where mobile is going to be a primary delivery factor for mission applications."

The mission information "is of a much higher sensitivity than most other organizations have to deal with," he added. DOD "presents in many ways the highest complexity challenge, but also allows us as a company to grow. If we can solve for the architectures and the problems that the Department of Defense has, we can certain solve for pretty much any other use case."

Other agencies at all levels of government can benefit immediately from that DOD-driven work. Hashmi said Box has made a strategic decision not to segment its offerings based on different security levels -- so the protections required for DOD Level 4 authorization are now in place for all Box customers. 

"It’s a lot more work up front for us," he said, "But our customers don’t have to worry about “which enclave am I sitting in? … They can get the security and benefits of the entire cloud."

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times,, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.

Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.


  • FCW Perspectives
    zero trust network

    Can government get to zero trust?

    Today's hybrid infrastructures and highly mobile workforces need the protection zero trust security can provide. Too bad there are obstacles at almost every turn.

  • Cybersecurity
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    NDAA process is now loaded with Solarium cyber amendments

    Much of the Cyberspace Solarium Commission's agenda is being pushed into this year's defense authorization process, including its crown jewel idea of a national cyber director.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.