Yesterday, on May 12th, President Biden issued the “Executive Order (EO) on Improving the Nation’s Cybersecurity.” Given that the Order features 11 sections that include both policy and general provisions among others, its 8,080 words is arguably the equivalent of multiple EOs. Such an effort is, no doubt, purposeful by the President—this is significant, and will certainly impact the security worlds of both the government itself and those companies that provide it with software and services.
Over the last few years, there has been a push to obtain cloud computing solutions at almost every turn. A plethora of companies continue to provide cloud services to their existing clientele; however, much of the federal clientele remains untouched. The Federal Risk and Authorization Management Program (FedRAMP) provides the ability for companies to follow a standardized approach in terms of security assessments, authorizations, and continuous monitoring of cloud products and services offered to the federal government.
Even if you aren’t selling to a government agency, it’s important to understand government regulations. The government is the largest single creator, collector, consumer and circulator of information in the country. If its policies change, there’s a good chance those changes will trickle down to the commercial sector. Add to that the alphabet soup of acronyms that come with it, FISMA, FedRAMP, NIST, FIPS, etc.
Many cloud service providers (CSPs) are not fully addressing the database scanning requirements for FedRAMP and have questions related to database security and FedRAMP. This article details the issues associated with not meeting the database scanning requirement, the most common reasons why this occurs, what can be done to improve this and what to consider with database security beyond scanning.
Originally published on www.meritalk.com The Federal government is the leading creator, collector, consumer, and communicator of information in the United States. If there are changes to its regulatory requirements, it is entirely possible those changes will eventually spread into the commercial sector. Such is the case with two related risk management programs developed by the Federal government that now enforce commercial organizations working contractually with the Federal government to employ Federal security standards.
Originally published on www.fedrampfastforward.com BrightLine works with many cloud service providers (CSPs) which have built successful business by providing services to the private sector. With the growth, not to mention CloudFirst mandate, many of these CSPs are taking a much closer look at the potential to work with the Federal government. Today, part of the price of entry is compliance with the Federal Risk and Authorization Management Program (FedRAMP).
Overview In the last 30 days, the FedRAMP Program Management Office (PMO) has published guidance for both vulnerability scanning and penetration testing. The updated guidance comes on the heels of PCI mandating the enhanced penetration testing requirements within its requirement 11.3 as part of the 3.0, now 3.1, version of the DSS. These augmented PCI requirements, introduced in the fall of 2013, took effect on June 30th. For many cloud service providers this means the requirements for vulnerability scanning and penetration testing are more thorough and will require additional resources for planning, executing and remediating findings. This article will walk through the updates and discuss the differentiation between FedRAMP and the PCI Data Security Standard (DSS).