Box brings milspec security to its entire platform
DOD's authorization for Impact Level 4 means controls for sensitive unclassified information are now in place for all customers. FedRAMP High authorization is in the works, and will also be platform-wide.
The cloud-based content management company Box announced on April 26 that it now meets the Department of Defense's cloud security requirements for Impact Level 4. That Provisional Authority to Operate from the Defense Information Systems Agency means Box can now be used for all but the most sensitive types of unclassified information.
The company also said it has begun working with the Federal Risk Authorization and Management Program on FedRAMP High authorization. Much like DOD's Impact Level 4, FedRAMP's high-impact baseline covers use cases that involve health records, financial data and other sensitive but unclassified information. The FedRAMP program office piloted the new high-impact baseline with three cloud service providers; Box is one of several firms working through the now-formalized framework.
Sonny Hashmi, Box's managing director of global public sector, told GCN these moves are part of a larger effort to help DOD and other government agencies "take advantage of the scale of the cloud while maintaining their security compliance."
DOD "was and still is our sponsor for the initial FedRAMP assessment," he said. "They were the agency sponsor for the FedRAMP Moderate assessment and [DISA's] Level 2. Now they've upped it to Level 4, and we're working with them on a long-term strategy to get to Level 5 and even more interesting enclave-based solutions."
And while DOD is a very important customer in it's own right, Hashmi said that partnership also serves a broader strategic purpose.
DOD is the largest organization in the world," he said. "It's distributed in its workforce ... and they are massively moving toward an era where mobile is going to be a primary delivery factor for mission applications."
The mission information "is of a much higher sensitivity than most other organizations have to deal with," he added. DOD "presents in many ways the highest complexity challenge, but also allows us as a company to grow. If we can solve for the architectures and the problems that the Department of Defense has, we can certain solve for pretty much any other use case."
Other agencies at all levels of government can benefit immediately from that DOD-driven work. Hashmi said Box has made a strategic decision not to segment its offerings based on different security levels -- so the protections required for DOD Level 4 authorization are now in place for all Box customers.
"It’s a lot more work up front for us," he said, "But our customers don’t have to worry about “which enclave am I sitting in? … They can get the security and benefits of the entire cloud."