Box brings milspec security to its entire platform

The cloud-based content management company Box announced on April 26 that it now meets the Department of Defense's cloud security requirements for Impact Level 4. That Provisional Authority to Operate from the Defense Information Systems Agency means Box can now be used for all but the most sensitive types of unclassified information. 

The company also said it has begun working with the Federal Risk Authorization and Management Program on FedRAMP High authorization. Much like DOD's Impact Level 4, FedRAMP's high-impact baseline covers use cases that involve health records, financial data and other sensitive but unclassified information. The FedRAMP program office piloted the new high-impact baseline with three cloud service providers; Box is one of several firms working through the now-formalized framework.

Sonny Hashmi, Box's managing director of global public sector, told GCN these moves are part of a larger effort to help DOD and other government agencies "take advantage of the scale of the cloud while maintaining their security compliance." 

DOD "was and still is our sponsor for the initial FedRAMP assessment," he said. "They were the agency sponsor for the FedRAMP Moderate assessment and [DISA's] Level 2. Now they've upped it to Level 4, and we're working with them on a long-term strategy to get to Level 5 and even more interesting enclave-based solutions."

And while DOD is a very important customer in its own right, Hashmi said that partnership also serves a broader strategic purpose.

"DOD is the largest organization in the world," he said. "It's distributed in its workforce ... and they are massively moving toward an era where mobile is going to be a primary delivery factor for mission applications."

The mission information "is of a much higher sensitivity than most other organizations have to deal with," he added. DOD "presents in many ways the highest complexity challenge, but also allows us as a company to grow. If we can solve for the architectures and the problems that the Department of Defense has, we can certainly solve for pretty much any other use case."

Other agencies at all levels of government can benefit immediately from that DOD-driven work. Hashmi said Box has made a strategic decision not to segment its offerings based on different security levels -- so the protections required for DOD Level 4 authorization are now in place for all Box customers. 

"It's a lot more work up front for us," he said. "But our customers don't have to worry about 'which enclave am I sitting in?' ... They can get the security and benefits of the entire cloud."

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times,, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.

Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.

