-
Crypto vulnerability management
Karl Steinkamp, Director, PCI Product and Quality Assurance
In this blog series, we’ve discussed in detail how crypto assets and currencies are no longer passing fads. Even if your C-suite remains skeptical, security leaders and teams can’t afford to keep watching, waiting, and speculating about what’s going to happen or when your organization will be directly affected. The time for action has come, and it’s now your responsibility to get development and security programs attuned to decentralized architecture before crypto adoption. Read more
-
Thinking about data privacy strategically: four key questions
Paul Sonntag, Director, Privacy
It wasn’t that long ago when the concept of data privacy was mostly a legal question. Privacy obligations arose almost exclusively from regulations, so most organizations delegated the problem to legal counsel, who then tackled the problem through policy and contract language. At best, it was a cost of doing business. More often, the problem was simply ignored. Read more
-
DoD Cloud Computing Impact Levels 4-5
Max Post, Senior Manager, FedRAMP Advisory
Moving past DoD Impact Level 2 (IL2), the logical next step should be IL3; however, IL3 is no longer used by the Department of Defense (DoD) and has been consolidated into IL4. DoD IL4 is designed to store, process, and transmit up to controlled unclassified information (CUI) related to military or contingency operations. Classified information (i.e., secret or top secret) is not permitted within either an IL4 or IL5 Cloud Service Offering (CSO). DoD Mission Owners must appropriately categorize their information to include only CUI suitable for an IL4 or IL5 hosting environment. CUI types are defined within the CUI Registry, which is hosted by the U.S. National Archives and Records Administration (NARA). Read more
-
Requirements for DoD Impact Level 2
Max Post, Senior Manager, FedRAMP Advisory
As discussed in the previous blog post on FedRAMP+, there are four authorization levels defined in the Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG). In this post we will give a brief rundown of the lowest authorization level, DoD Impact Level (IL) 2, and the security requirements and key takeaways for Cloud Service Providers (CSPs) looking to receive a DoD IL2 Provisional Authorization (PA).
Read more
-
What is FedRAMP+?
Keith Kidd, Director, FedRAMP Assessment, Coalfire
The Department of Defense (DoD) Cloud Computing (CC) Security Requirements Guide (SRG) Version 1, Release 3 defines FedRAMP Plus (FedRAMP+) as:
“… the concept of leveraging the work done as part of the FedRAMP assessment and adding specific security controls and requirements necessary to meet and assure DoD’s critical mission requirements. A CSP’s CSO can be assessed in accordance with the criteria outlined in this SRG, with the results used as the basis for awarding a DoD provisional authorization.”
Read more