BreachExchange mailing list archives

Feds set new cybersecurity requirements for contractors


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 4 Aug 2015 17:36:59 -0600

http://www.tennessean.com/story/money/tech/2015/08/03/feds-set-new-cybersecurity-requirements-contractors/31075065/

If you do business with the federal government and provide services
delivered through the cloud, you are now required to meet tough new
security standards designed to reduce the likelihood of a breach of
confidential government information similar to what was recently
experienced by the U.S. Office of Personnel Management.

This is a major development in cybersecurity for the U.S. government, and
many businesses are going through a new and lengthy process to certify they
are compliant, or improve their security to become compliant. The recent
massive breach of confidential federal personnel files has underscored the
importance of the move to raise the security bar for companies doing
cloud-based business with the government.

The Federal Risk and Authorization Management Program, better known as
FedRAMP, was put in place to create a consistent set of security standards
that companies are required to meet if their business with the government
involves cloud-based services. But while increased security for sensitive
government information certainly has major benefits, businesses are
discovering that there is most definitely a cost as well — in the form of a
rigorous process they must go through to be certified as FedRAMP compliant.

While the initial document alone describing a company’s security
environment can be several hundred pages long, the process can be even more
demanding if a company’s security plans and processes are not well
documented, or if they must be revised to meet standards. For companies
going through the process for the first time, thoroughly documenting the
cloud environment and its related controls is typically the most time
consuming portion of the certification process.

Fortunately, the government has put a mechanism in place to facilitate
certification by designating Third Party Assessment Organizations, or
3PAOs. These 3PAOs assess the security of businesses applying for FedRAMP
certification and play an ongoing role in ensuring they meet requirements.
3PAOs, which go through their own rigorous credentialing process, can also
take on a different role and recommend changes to a company’s cybersecurity
program to bring it up to FedRAMP standards. (Naturally they cannot act as
both assessor and consultant for the same company.)

While the FedRAMP process is arduous, when a company achieves certification
there is an added benefit. Not only will the company be compliant with
federal regulations, but it can also point to its FedRAMP status as
evidence of good cybersecurity practices when seeking business with
non-government customers.

Gaining certification can be difficult, so partnering with the right 3PAO
is essential to completing the process in a smooth and efficient manner.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
