Box brings milspec security to its entire platform

Shutterstock image (by bestfoto77): cloud network security lock. 

The cloud-based content management company Box announced on April 26 that it now meets the Department of Defense's cloud security requirements for Impact Level 4. That Provisional Authority to Operate from the Defense Information Systems Agency means Box can now be used for all but the most sensitive types of unclassified information. 

The company also said it has begun working with the Federal Risk Authorization and Management Program on FedRAMP High authorization. Much like DOD's Impact Level 4, FedRAMP's high-impact baseline covers use cases that involve health records, financial data and other sensitive but unclassified information. The FedRAMP program office piloted the new high-impact baseline with three cloud service providers; Box is one of several firms working through the now-formalized framework.

Sonny Hashmi, Box's managing director of global public sector, told GCN these moves are part of a larger effort to help DOD and other government agencies "take advantage of the scale of the cloud while maintaining their security compliance." 

DOD "was and still is our sponsor for the initial FedRAMP assessment," he said. "They were the agency sponsor for the FedRAMP Moderate assessment and [DISA's] Level 2. Now they've upped it to Level 4, and we're working with them on a long-term strategy to get to Level 5 and even more interesting enclave-based solutions."

And while DOD is a very important customer in it's own right, Hashmi said that partnership also serves a broader strategic purpose.

DOD is the largest organization in the world," he said. "It's distributed in its workforce ... and they are massively moving toward an era where mobile is going to be a primary delivery factor for mission applications."

The mission information "is of a much higher sensitivity than most other organizations have to deal with," he added. DOD "presents in many ways the highest complexity challenge, but also allows us as a company to grow. If we can solve for the architectures and the problems that the Department of Defense has, we can certain solve for pretty much any other use case."

Other agencies at all levels of government can benefit immediately from that DOD-driven work. Hashmi said Box has made a strategic decision not to segment its offerings based on different security levels -- so the protections required for DOD Level 4 authorization are now in place for all Box customers. 

"It’s a lot more work up front for us," he said, "But our customers don’t have to worry about “which enclave am I sitting in? … They can get the security and benefits of the entire cloud."

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times,, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.

Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected