
Nothing wussy about moderate security

There's nothing wussy about moderate level security.

Moderate level security is kind of wussy -- or wimpy -- sounding.

However, “there is nothing wussy about moderate,” Robert Williams, president of Clear Government Solutions said at a recent briefing on cloud computing in the government in Washington, D.C.

When the government says “moderate,” that means the average person need not waste his time trying to break into a computer system in compliance with security at that level. However, there are sophisticated folks with the ability to compromise systems, so industry and government have to remain vigilant, Williams said.

Under The Federal Information Security Management Act (FISMA), moderate level security means vendors and service providers are cleared for sensitive data, but not classified data. Sensitive data and lower classifications make up 80 percent of government data.

Williams described the process his company underwent to achieve security accreditation as a member of a team awarded a contract to provide agencies with cloud-based virtual machine, storage and Web hosting services through the General Services Administration’s infrastructure-as-a service contract awarded to 12 vendors in October 2010.

Clear Government Solutions' team had to first file 60 to 70 documents -- some of them 600 to 800 pages long -- with detailed information about the company’s security plan. “I kid you not,” Williams said. The government assigned an assessor who came to the company’s facility to watch everything Williams’ team did as they filed the documents -- so it is not merely a documentation process, he noted.

You think you are ready? No. Somebody has to assess and test what you have done to make sure that you really conform with government standards. In some cases, an independent organization does an assessment of the first assessment to ensure complete integrity with the process.

At this stage, “if you’re blessed, you get an authority to operate,” Williams said. It means that agencies are obliged to accept that you have gone through an official government certification and accreditation process, now known as assessment and authorization.

You think you’re finished? Not yet.

As part of the Federal Risk Authorization and Management Program (FedRAMP), companies have to go through continuous monitoring of their security posture. FedRAMP, a governmentwide security program to vet cloud products and providers, is undergoing revision and is expected to be completed by the end of the summer. Plus, every six months an inspector general or other auditors will pay you a visit to ensure that your company is doing what is needed on a regular basis to meet government security guidelines.

The best way to keep up to date is to adhere to standards: FISMA and the National Institute of Standards and Technology security guidelines, both those that are final and those still in draft form. "If you know standards are coming, why be like an ostrich with your head in the sand?" Williams asked.

Posted by Rutrell Yasin on Mar 31, 2011 at 12:11 PM


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.