Box brings milspec security to its entire platform

Shutterstock image (by bestfoto77): cloud network security lock. 

The cloud-based content management company Box announced on April 26 that it now meets the Department of Defense's cloud security requirements for Impact Level 4. That Provisional Authority to Operate from the Defense Information Systems Agency means Box can now be used for all but the most sensitive types of unclassified information. 

The company also said it has begun working with the Federal Risk Authorization and Management Program on FedRAMP High authorization. Much like DOD's Impact Level 4, FedRAMP's high-impact baseline covers use cases that involve health records, financial data and other sensitive but unclassified information. The FedRAMP program office piloted the new high-impact baseline with three cloud service providers; Box is one of several firms working through the now-formalized framework.

Sonny Hashmi, Box's managing director of global public sector, told GCN these moves are part of a larger effort to help DOD and other government agencies "take advantage of the scale of the cloud while maintaining their security compliance." 

DOD "was and still is our sponsor for the initial FedRAMP assessment," he said. "They were the agency sponsor for the FedRAMP Moderate assessment and [DISA's] Level 2. Now they've upped it to Level 4, and we're working with them on a long-term strategy to get to Level 5 and even more interesting enclave-based solutions."

And while DOD is a very important customer in it's own right, Hashmi said that partnership also serves a broader strategic purpose.

DOD is the largest organization in the world," he said. "It's distributed in its workforce ... and they are massively moving toward an era where mobile is going to be a primary delivery factor for mission applications."

The mission information "is of a much higher sensitivity than most other organizations have to deal with," he added. DOD "presents in many ways the highest complexity challenge, but also allows us as a company to grow. If we can solve for the architectures and the problems that the Department of Defense has, we can certain solve for pretty much any other use case."

Other agencies at all levels of government can benefit immediately from that DOD-driven work. Hashmi said Box has made a strategic decision not to segment its offerings based on different security levels -- so the protections required for DOD Level 4 authorization are now in place for all Box customers. 

"It’s a lot more work up front for us," he said, "But our customers don’t have to worry about “which enclave am I sitting in? … They can get the security and benefits of the entire cloud."

About the Author

Troy K. Schneider is editor-in-chief of FCW and GCN.

Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of, Schneider also helped launch the political site in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times,, Slate, Politico, National Journal, Governing, and many of the other titles listed above.

Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.

Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.