Nothing wussy about moderate security

There's nothing wussy about moderate level security.

"Moderate-level security" sounds kind of wussy -- or wimpy.

However, "there is nothing wussy about moderate," Robert Williams, president of Clear Government Solutions, said at a recent briefing on cloud computing in government, held in Washington, D.C.

When the government says "moderate," it means the average person need not waste his time trying to break into a system that complies with security at that level. However, there are sophisticated people with the ability to compromise such systems, so industry and government have to remain vigilant, Williams said.

Under the Federal Information Security Management Act (FISMA), "moderate" is the middle of the three impact levels (low, moderate and high) at which systems are categorized, and a moderate-level authorization means vendors and service providers are cleared to handle sensitive but unclassified data, not classified data. Sensitive data and lower categorizations make up 80 percent of government data.

Williams described the process his company went through to achieve security accreditation as a member of a team awarded a contract to provide agencies with cloud-based virtual machine, storage and Web hosting services under the General Services Administration's infrastructure-as-a-service (IaaS) contract, awarded to 12 vendors in October 2010.

Clear Government Solutions' team first had to file 60 to 70 documents -- some of them 600 to 800 pages long -- with detailed information about the company's security plan. "I kid you not," Williams said. The government assigned an assessor who came to the company's facility to watch everything Williams' team did as they filed the documents, so it is not merely a documentation exercise, he noted.

You think you are ready? No. Somebody has to assess and test what you have done to make sure that you really conform to government standards. In some cases, an independent organization assesses the first assessment to ensure the integrity of the process.

At this stage, "if you're blessed, you get an authority to operate," Williams said. An authority to operate (ATO) means agencies are obliged to accept that you have gone through an official government certification and accreditation process, now known as assessment and authorization.

You think you’re finished? Not yet.

As part of the Federal Risk and Authorization Management Program (FedRAMP), companies have to undergo continuous monitoring of their security posture. FedRAMP, a governmentwide security program to vet cloud products and providers, is undergoing revision that is expected to be completed by the end of the summer. Plus, every six months an inspector general or other auditors will pay you a visit to ensure that your company is doing what is needed, on an ongoing basis, to meet government security guidelines.

The best way to keep up to date is to adhere to standards: FISMA and the National Institute of Standards and Technology security guidelines, both those that are final and those still in draft form. "If you know standards are coming, why be like an ostrich with your head in the sand?" Williams asked.

Posted by Rutrell Yasin on Mar 31, 2011 at 12:11 PM
