Blog archive

Nothing wussy about moderate security

There's nothing wussy about moderate level security.

Moderate level security is kind of wussy -- or wimpy -- sounding.

However, “there is nothing wussy about moderate,” Robert Williams, president of Clear Government Solutions said at a recent briefing on cloud computing in the government in Washington, D.C.

When the government says “moderate,” that means the average person need not waste his time trying to break into a computer system in compliance with security at that level. However, there are sophisticated folks with the ability to compromise systems, so industry and government have to remain vigilant, Williams said.

Under The Federal Information Security Management Act (FISMA), moderate level security means vendors and service providers are cleared for sensitive data, but not classified data. Sensitive data and lower classifications make up 80 percent of government data.

Williams described the process his company underwent to achieve security accreditation as a member of a team awarded a contract to provide agencies with cloud-based virtual machine, storage and Web hosting services through the General Services Administration’s infrastructure-as-a service contract awarded to 12 vendors in October 2010.

Clear Government Solutions' team had to first file 60 to 70 documents --- some of them 600 to 800 pages long --- with detailed information about the company’s security plan. “I kid you not,” Williams said. The government assigned an assessor who came to the company’s facility to watch everything Williams’ team did as they filed the documents -- so it is not merely a documentation process, he noted.

You think you are ready? No. Somebody has to assess and test what you have done to make sure that you really conform with government standards. In some cases, an independent organization does an assessment of the first assessment to ensure complete integrity with the process.

At this stage, “if you’re blessed, you get an authority to operate,” Williams said. It means that agencies are obliged to accept that you have gone through an official government certification and accreditation process, now know as assessment and authorization.

You think you’re finished? Not yet.

As part of the Federal Risk Authorization and Management Program (FedRAMP) companies have to go through continuous monitoring of their security posture. FedRAMP, a governmentwide security program to vet cloud products and providers, is undergoing revision and is expected to be completed by the end of the summer. Plus, every six months an inspector general or other auditors will pay you a visit to ensure that your company is doing what is needed on a regular basis to meet government security guidelines.

The best way to keep up-to-date is to adhere to standards – FISMA and National Institute of Standards and Technology security guidelines both those that are final and those in draft form. "If you know standards are coming why be like an ostrich with your head in the sand?," Williams asked.

Posted by Rutrell Yasin on Mar 31, 2011 at 12:11 PM


    sensor network (agsandrew/

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.