About Chor-Ching Fan

So far Chor-Ching Fan has created 99 blog entries.

LI-SaaS: A Simpler Path to Gov Cloud Services Adoption

2022-02-04T13:47:53+00:00

By David Trout

In a recent report published by the GAO, it was found that “from June 2017 to July 2019, the number of authorizations granted through FedRAMP by the 24 agencies increased from 390 to 926, a 137 percent increase.” Although it was found that some agencies did not consistently use FedRAMP-authorized cloud services, the data [...]

CMMC Compliance Solutions

2022-02-04T14:14:59+00:00

Compliance with the Cybersecurity Maturity Model Certification (CMMC) program requires DoD contractors to undergo cybersecurity audit and certification, beginning mid-2020. CMMC will be a single standard for all DoD contracts that considers the security control and the institutionalization of cyber processes across a contractor's enterprise assets including development environments for mission systems. Previous regulations [...]

SecureIT Awarded GSA IT Schedule 70 Contract

2019-08-01T18:06:12+00:00

SecureIT has been awarded a five-year U.S. General Services Administration (GSA) IT Schedule 70 contract (47QTCA19D00FE). This contract, with potential of three (5) year options to follow, enables SecureIT to partner with federal, state, and local governments and provide cybersecurity advisory, risk, and compliance expertise through Special Item Number (SIN) 132-51. IT Schedule 70 provides [...]

5 Free Burp Tutorials and Cheat-Sheets for Penetration Testing

2022-02-04T14:15:37+00:00

By Tobias McCurry

As part of our penetration testing and vulnerability assessment services, SecureIT uses an application security testing (AST) tool called Burp by PortSwigger. (No, I don’t know why they’ve selected that name!) We regularly use Burp to scan web applications, identify vulnerabilities and misconfigurations, and actively exploit to penetrate and escalate privileges. Burp’s [...]

800-171: A Key Number for Working with the Federal Government

2022-02-04T14:16:12+00:00

By Corey Clements

Protecting the Country’s Data

Ask what data can do for you but also ask what is required to protect your organization’s data. Data is only valuable when it provides insight for better actions. Stats and facts collecting database dust yield no benefits. But in order to analyze and share data, it must [...]

Look Before You Leap: The Value of FedRAMP Pre-Assessment

2022-02-04T14:18:32+00:00

By Corey Clements

“The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” FedRAMP could be described as an assessment. Therefore, a pre-assessment before the assessment might be considered redundant and unnecessary. But the reality [...]

5 Things to Look for in Choosing a 3PAO

2022-02-04T14:13:19+00:00

By Corey Clements

In my recent post, “Look before You Leap: The Value of FedRAMP Pre-Assessment,” I compared earning FedRAMP authorization to climbing Mt. Everest. Both require the assistance of an experienced guide, in addition to independent preparation. While I enjoy hiking, I’ve never attempted to summit Mt. Everest. (The 2015 film by Icelandic director [...]

Faster FedRAMP: Preparing for RAR Success

2022-02-04T14:12:01+00:00

By Jamie Graf

What is a RAR?

A FedRAMP Readiness Assessment Report (RAR) demonstrates a cloud service provider’s (CSP) capability to meet FedRAMP security requirements, and that they are ready to begin the FedRAMP authorization process. The RAR describes the CSP’s security and organizational processes, focusing on key capabilities rather than documentation. It is designed [...]

Ready to Demonstrate Compliance with NIST SP 800-171? Sharpen those #2 Pencils!

2022-02-04T14:11:05+00:00

By Corey Clements

In order to be useful, data must be analyzed and shared, while also being adequately protected to ensure security, compliance, and privacy. And that is the purpose of Executive Order 13556, which established the Controlled Unclassified Information (CUI) Program. Our earlier blog addressed how this EO standardized the way the executive branch [...]

800-171 Spring ’19 Update: DoD Contractors Need to Take Note

2022-02-04T14:10:31+00:00

By Corey Clements

Cybersecurity concerns are driving a tougher stance from DoD on contractors and their implementation of security controls to protect controlled unclassified information (CUI). The Department of Defense has released new guidance and memos for contractors complying with NIST 800-171. Defense and procurement experts are characterizing the latest policies as more rigorous enforcement [...]
