Cloud computing is more popular than ever. Its benefits, including reduced costs, increased efficiency and flexibility, are being realized by both commercial companies and government agencies. The federal government issued a "cloud first" policy as part of the Office of Management and Budget's 25-Point Plan to Reform Federal Information Technology Management. The plan stipulated that agencies will be expected to adopt cloud computing solutions where they represent the best value at an acceptable level of risk.
While the promise of cloud computing is compelling, agencies are rightfully concerned about how to determine and evaluate the cybersecurity risk associated with cloud computing solutions. Agency officials remain accountable for their information security posture as directed by the Federal Information Security Management Act (FISMA) - whether the information assets are delivered using traditional computing resources or cloud computing resources. In many cases these officials lack a clear picture of how they will comply with federal regulations and guidance, including FISMA, the Privacy Act and guidance published by the National Institute of Standards and Technology (NIST).
The fundamentals of a comprehensive information security program remain the same when considering cloud computing solutions. Authorizing Officials (AOs) and Designated Approving Authorities (DAAs) remain accountable for information assets whether delivered via traditional means or via the cloud, and must be convinced that data and systems are sufficiently protected and that the risk is properly identified, documented and managed.
Service providers that offer infrastructure-as-a-service, platform-as-a-service and/or software-as-a-service cloud computing solutions are typically well versed in applying commercial standards, including ISO 27001 and SAS 70. However, federal regulations and guidance are more comprehensive, stringent and rigorous; it is a higher bar to meet. Although service providers have an excellent track record of serving federal agencies, they are looking for a qualified, experienced partner to interpret and apply NIST 800-37, 800-53, 800-53A, DIACAP and other federal-specific regulations and guidance to their operating environments.
SecureInfo combines deep domain expertise on relevant standards and guidance (e.g., NIST, DIACAP) with practical, hands-on experience when applying this knowledge to the most complex cloud computing environments in the world. We work with service providers and government agencies in interpreting and incorporating federal regulations and guidance to ensure cloud computing risk is identified, documented and managed up front and on an ongoing basis. Our sole focus is on cybersecurity and risk management, freeing you up to focus on your core competencies and other aspects of your cloud initiatives.
“SecureInfo provides us with the critical FISMA expertise to certify our federal Cloud Computing solution. Their objective and independent work enables us to obtain Authority To Operate on federal networks.”
Chief Security Advisor for MS Online,