Feds set new cybersecurity requirements for contractors

08/04/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security


If you do business with the federal government and provide services delivered through the cloud, you are now required to meet tough new security standards designed to reduce the likelihood of a breach of confidential government information similar to what was recently experienced by the U.S. Office of Personnel Management.

This is a major development in cybersecurity for the U.S. government, and many businesses are going through a new and lengthy process to certify that they are compliant, or to improve their security in order to become compliant. The recent massive breach of confidential federal personnel files has underscored the importance of the move to raise the security bar for companies doing cloud-based business with the government.

The Federal Risk and Authorization Management Program, better known as FedRAMP, was put in place to create a consistent set of security standards that companies are required to meet if their business with the government involves cloud-based services. But while increased security for sensitive government information certainly has major benefits, businesses are discovering that there is most definitely a cost as well — in the form of a rigorous process they must go through to be certified as FedRAMP compliant.

The initial document alone describing a company’s security environment can be several hundred pages long, and the process becomes even more demanding if a company’s security plans and processes are not well documented, or if they must be revised to meet the standards. For companies going through the process for the first time, thoroughly documenting the cloud environment and its related controls is typically the most time-consuming portion of the certification process.

Fortunately, the government has put a mechanism in place to facilitate certification by designating Third Party Assessment Organizations, or 3PAOs. These 3PAOs assess the security of businesses applying for FedRAMP certification and play an ongoing role in ensuring they meet requirements. 3PAOs, which go through their own rigorous credentialing process, can also take on a different role and recommend changes to a company’s cybersecurity program to bring it up to FedRAMP standards. (Naturally they cannot act as both assessor and consultant for the same company.)

While the FedRAMP process is arduous, when a company achieves certification there is an added benefit. Not only will the company be compliant with federal regulations, but it can also point to its FedRAMP status as evidence of good cybersecurity practices when seeking business with non-government customers.

Gaining certification can be difficult, so partnering with the right 3PAO is essential to completing the process in a smooth and efficient manner.
