What is FedRAMP+?
Keith Kidd, Director, FedRAMP Assessment, Coalfire
The Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) Version 1, Release 3 defines FedRAMP Plus (FedRAMP+) as:
“… the concept of leveraging the work done as part of the FedRAMP assessment and adding specific security controls and requirements necessary to meet and assure DoD’s critical mission requirements. A CSP’s CSO can be assessed in accordance with the criteria outlined in this SRG, with the results used as the basis for awarding a DoD provisional authorization.”
Data privacy: What’s new in cross-border transfers? The Standard Contractual Clauses
Lisa Gumbs, Senior Consultant, Commercial Services, GDPR, Coalfire
The transfer of personal data between companies and countries is vital for smooth data processing operations. When transferring data out of the European Union, companies are required to comply with the General Data Protection Regulation (GDPR), which requires that any data transferred to a vendor in a third country for processing must receive the same level of protection as required by the EU. The GDPR specifically prohibits transfer of personal data to third countries that do not have an adequate level of data protection. To lawfully transfer data out of the EU to another country, the data controller must have a lawful mechanism in place to make the transfer. In the not-too-distant past, US companies primarily relied on Privacy Shield certification or the Standard Contractual Clauses in contracts with vendors to authorize that data transfer.
Long-awaited changes to the nation’s cybersecurity infrastructure become reality
FedRAMP Advisory Directors, Coalfire
There is a lot of buzz in the biz about the ripple effects of President Biden’s “Executive Order (EO) on Improving the Nation’s Cybersecurity,” which comes on the heels of the Colonial Pipeline hack. The pipeline, which delivers about 45% of the fuel used on the Eastern Seaboard, was shut down after a ransomware attack by a group of alleged criminal hackers who call themselves “DarkSide.”
Third-party risk management and the cloud
Bob Post, Managing Principal, Strategy, Privacy, Risk
Risk is inevitable with third-party vendors that have access to your company and client data. With expanding attack surfaces, dispersed supply chains, and IoT issues on the rise, third-party risk management (TPRM) is becoming a more mission-critical security practice in the cloud. Let’s look at problems and solutions.
The road to secure crypto: start getting risk management priorities on your threat modeling radar
Karl Steinkamp, Director, PCI Product and Quality Assurance
While attending the biggest event in crypto history earlier this month in Miami, it struck me that, although irrational over-exuberance was the mood, the reality is really sinking in: We are in a new payments industry paradigm shift. It’s not a fad anymore, and it’s not going away. An exclamation to the event was the notice that on June 9, 2021, El Salvador has officially adopted bitcoin as legal tender (currency) for the country.
What you need to know: Transitioning CSA STAR for Cloud Controls Matrix 4.0
Chase Kimberly, Principal of Standardization, Coalfire
In January of this year, the Cloud Security Alliance (CSA) released a major revision to its widely adopted Cloud Controls Matrix (CCM) in the form of version 4.0. This comes in the middle of a calendar year where several alternative information security frameworks are also expected to be refined, including the HITRUST CSF, ISO/IEC 27002, and PCI DSS.