• Thinking about data privacy strategically: four key questions

    Paul Sonntag, Director, Privacy

    It wasn’t that long ago when the concept of data privacy was mostly a legal question. Privacy obligations arose almost exclusively from regulations, so most organizations delegated the problem to legal counsel, who then tackled the problem through policy and contract language. At best, it was a cost of doing business. More often, the problem was simply ignored.
  • DoD Cloud Computing Impact Levels 4-5

    Max Post, Senior Manager, FedRAMP Advisory

    Moving past DoD Impact Level 2 (IL2), the logical next step should be IL3; however, IL3 is no longer used by the Department of Defense (DoD) and has been consolidated into IL4. DoD IL4 is designed to store, process, and transmit up to controlled unclassified information (CUI) related to military or contingency operations. Classified information (i.e., secret or top secret) is not permitted within either an IL4 or IL5 Cloud Service Offering (CSO). DoD Mission Owners must appropriately categorize their information to include only CUI suitable for an IL4 or IL5 hosting environment. CUI types are defined within the CUI Registry, which is hosted by the U.S. National Archives and Records Administration (NARA).
  • Requirements for DoD Impact Level 2

    Max Post, Senior Manager, FedRAMP Advisory

    As discussed in the previous blog post on FedRAMP+, there are four authorization levels defined in the Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG). In this post we will give a brief rundown of the lowest authorization level, DoD Impact Level (IL) 2, and the security requirements and key takeaways for Cloud Service Providers (CSPs) looking to receive a DoD IL2 Provisional Authorization (PA).
