The cloud service ecosystem for FedRAMP authorization has been growing year over year, as has the demand for the reuse of cloud products across agencies. To facilitate cloud product adoption across different agencies without compromising security and usability, FedRAMP provides a quick process to help reuse these services.
What Is the Europrivacy Hybrid Certification Model?
GDPR has needed a centralized assessment and certification model for some time now. Still, with the plethora of certifications and standards covering different business contexts, there has yet to be a single approach that has risen to the top of the heap. However, the governing bodies of GDPR have authorized the new Europrivacy standard to… Read More
Do GDPR Regulations Apply to Businesses in the U.S.?
With the growth of the EU as an economic power, businesses in the United States are working to make headway into this lucrative commercial market. However, they are rapidly learning that the IT and data-driven practices standard in the U.S. will not stand in the GDPR-regulated European Union. There are some basic preparations that any… Read More
FedRAMP and FIPS-Defined Impact Levels
One of the foundational pieces of information that a cloud provider needs to know when preparing for their FedRAMP Authorization is the required Impact Level. These levels aren’t generic labels applied by agencies to highlight the importance of their data–they are clearly-defined categories laid out by the National Institute of Standards and Technology (NIST) to… Read More
GDPR Requirements for Data Disclosure and Rights of Access
There’s no doubt GDPR is shaking up the business landscape. Companies that spent time handling personal data relatively laxly are now faced with strict and comprehensive laws governing digital marketing and data use in the EU. Nowhere is this more apparent than in business disclosure and data access laws.
NVLAP and Cryptographic Testing
The National Voluntary Laboratory Accreditation Program (NVLAP) handles lab and testing requirements for several categories of products and services, several within cybersecurity. One of the most important categories is cryptographic testing and validation.
What is Europrivacy?
Companies inside and outside the European Union are feeling the impact of GDPR–and if you’ve noticed the glut of complex and long-winded cookie notifications, you can see why. Businesses looking to operate data processing infrastructure or collect data in the EU must comply with GDPR. To streamline the process, the EU recently approved a central… Read More
ISO 17025 and Requirements for Security Labs and Testing
When we discuss cybersecurity, it’s most often done in the context of audits, assessments, or certifications. However, specific systems and components require more stringent testing standards, ensuring that the technology functions correctly and securely after construction or during ongoing operational use. To support the testing and assurance of these components, the National Institutes of Standards… Read More
StateRAMP and Authentication: What You Need to Know
Providers looking into StateRAMP authentication standards may find themselves staring into a stack of requirements documents across multiple security frameworks and government contexts. Not only is this unhelpful for these providers, but it also makes the process sound much more intimidating than it needs to be. In this article, we’ll take a high-level view of… Read More
FedRAMP and Penetration Testing Requirements in 2023
Penetration tests sometimes seem like an extreme measure that ultra-secure companies take to fend off the most formidable threats. However, any company wanting to get serious about cybersecurity and compliance will sometimes run against the practice. This is similar to when working with the federal government. Here, we’ll discuss FedRAMP and penetration testing requirements.
FedRAMP and Risk Management
FedRAMP Authorization is a complicated undertaking due in no small part to the layers of requirements that cloud offerings must meet throughout the process. As part of the government’s turn to more comprehensive security, FedRAMP requirements include significant risk management standards that all providers must meet.
What Is the StateRAMP Security Snapshot?
Regarding cybersecurity and compliance, there is a massive benefit in having a deep field of providers and offerings that can serve large federal customers alongside smaller offerings that can serve the state, local, and municipal customers. It’s essential, however, to ensure that maintaining a competitive marketplace doesn’t compromise security. This means helping small or young… Read More
What Is FedRAMP Connect?
There are two clear paths through FedRAMP Authorization–the agency path and the much less-common Joint Authorization Board (JAB) path. While much more rigorous, this second course opens up several critical doors for cloud offerings that provide real and significant value to various federal agencies. However, the JAB path is exclusive and requires that cloud service… Read More
What Is the Authorization Boundary in FedRAMP?
When it comes to managing FedRAMP-compliant systems, it helps to understand the entirety of the system that will fall under this jurisdiction. Unfortunately, with the complexity of cloud systems being what they are, mapping out IT systems with the right granularity can provide a challenge. This is why FedRAMP guides determining an organization’s authorization boundary.
What Is FedRAMP JAB Provisional Authorization?
Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and one that most cloud providers will engage with. However, there are several use cases where a provider may seek more rigorous assessment to better open doors to serve with agencies across… Read More
Cloud Architecture and FedRAMP Authorization Boundaries
Cloud computing and modern service models of software or infrastructure distribution present a problem to providers and customers alike–namely, how to properly assess and certify components in a way that considers the relationship between different modules, platforms, and apps. FedRAMP requirements define how assessors and Authorization approach different cloud offering service models to mitigate the… Read More
What Is the FedRAMP Agency Authorization Process?
As cloud service providers pursue their FedRAMP authorization process, they face a significant choice stemming from their ultimate goals in the federal space. This decision is based on how they are pursuing their working relationships with federal agencies and how well the provider is prepared for the rigorous FedRAMP assessment process. When a provider enters… Read More
What Is A Vulnerability Deviation Request in StateRAMP Authorization?
When we talk about scans, tests, and authorization in the context of StateRAMP assessment, we tend to think that the process (and all its moving parts) are relatively stable and predictable. And, for the most part, this thinking is correct. However, it’s normal, and in some ways expected, to run into issues where scans and… Read More
Plagiarism, Authority, and Trust on the Internet
Plagiarism isn’t new, and the proliferation of shady websites and questionable decisions from search engine giant Google has led to sinister and sometimes silly evolutions in what fraudsters can do with the theft of someone’s intellectual property. According to Plagiarism Daily, we’re seeing a new outgrowth of plagiarism creep up on us. Gone are the… Read More
ISO 17065 and the Standard for Certification Bodies
There is no substitute for a competent and impartial auditor in terms of compliance, security, and correct operations. Organizations that can assess and certify technologies and organizations are essential for ensuring accountability and standards of excellence in place, applying to systems that store sensitive data. To modify a common saying, “who watches the auditors?” That’s… Read More
Timeline for PCI DSS 4.0: The Twelfth Requirement, Policies, and Programs
So, after a long journey, we’ve arrived at the twelfth and final requirement for PCI DSS 4.0. Last but certainly not least, this requirement emphasizes the need for creating, documenting, and implementing organization-wide security and compliance policies.
What Is the StateRAMP Security Assessment Framework?
StateRAMP is now nearly two years old, and the small project is quickly becoming a mainstay in the security industry. State and local governments are looking for a solid cybersecurity framework that they can use to vet and certify cloud providers that they may work with. In this article, we’ll talk about the basics of… Read More
Timeline for PCI DSS 4.0: The Tenth Requirement and System Monitoring
As we move through the requirements for PCI DSS 4.0, we’re coming up to the double digits, which means some more advanced expectations. Namely, the tenth requirement focuses on system logging and monitoring for systems containing cardholder data. The maintenance of audit logs is about more than automatically recording data about system events. Your system… Read More
Timeline for PCI DSS 4.0: The Ninth Requirement and Physical Access Security
When thinking about cybersecurity, many stakeholders outside the industry will rarely consider the physical systems supporting digital information. And yet, almost any security framework worth its salt will have some provision for securing physical systems and environments. PCI DSS 4.0 is no different, and the ninth requirement is dedicated to just this topic. This article… Read More