FedRAMP not delivering on promise of standard authorization

Adoption of cloud computing services under FedRAMP has been hampered by many federal agencies’ unwillingness to accept FedRAMP authorization as sufficient or to accept ATOs granted by other agencies.

FDIC data breaches indicate systemic failures in security management and monitoring

More troubling than the poor incident response (including reporting) at FDIC is the apparently complete inability of the agency to prevent large-scale data exfiltration.

Newly arriving from DHS: binding operational directives

The Federal Information Security Modernization Act of 2014 introduces a new term to the federal security management lexicon: binding operational directive. The text of the law defines binding operational directive as “a compulsory direction to an…

FISMA 2014 codifies many current federal security practices

For the most part, the 2014 update to FISMA introduces little new to federal security management, but instead codifies roles, responsibilities, requirements, and practices already put in place through OMB memoranda and other official guidance to agencies.

NIST updates security control assessment procedures

On December 12, the National Institute of Standards and Technology (NIST) Computer Security Division announced the final release of Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. This…

Update to FISMA signed into law

In December Congress passed, and the president signed into law the Federal Information Security Modernization Act of 2014, which provides the first comprehensive update to federal security legislation since 2002.

Two Amazon Web Services environments attain FedRAMP compliance

Last week, Amazon announced that it had received separate agency authorizations to operate (ATO) from the U.S. Department of Health and Human Services (HHS) for two of its Amazon Web Services cloud computing offerings, and that…