IA Security Solutions

Cloud Solutions... FedRAMP℠ & DIACAP A&A

Our Services Include:

FISMA Compliance

Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

While guidance can be found in the various NIST Special Publications, such as 800-53, DoDI 8510.01, and FedRAMP, the journey between registering a system and obtaining an agency Authority to Operate is a long one and not for the faint of heart. This is especially true if you are planning on using a commercial cloud provider such as Amazon Web Services (AWS).

IASS has successfully implemented cloud migration and security authorization using AWS for a DoD MAC III Sensitive System (analogous to a NIST Moderate). In fact, we were the first!

Disaster Recovery

An unfortunate reality is that no matter how well prepared one might be, disasters do happen, most often due to forces out of one’s control. Think Hurricane Sandy, tornadoes in the Midwest, or earthquakes on the West Coast.

The traditional means of planning is to develop policies for Continuity of Operations (COOP) and Disaster Recovery (DR) which spell out how to react, what systems to bring up first and how long the system should be down. Common sense, best practices and, for the federal sector, NIST SP 800-53 require a secondary site. This DR site should be geographically separated from the main data center so that, hopefully, any disaster affecting the primary site would not impact the DR site.

For some businesses this simply isn't practical. First, the cost to replicate a data center "just in case" is enormous; second, either someone has to travel to the secondary site to start up operations, or you have to rely on a third party to get you back online.

The solution? AWS. Whether seeking a DR solution for your collocated data center or for a complete cloud migration, AWS provides cost-effective DR solutions that are easy, rapid and highly fault tolerant. Options range from back-up and recovery using S3 storage with 11 9's of durability, to warm stand-by, to the "pilot light." Depending on which DR solution you choose, you could be up and running in as little as 30 minutes.

If your DR plan needs an overhaul, or you need to implement one, contact us to see how we can solve your DR requirements.

Artifact Development & Review

Artifacts. The bane of any Assessment and Authorization effort. But you have to do them...

The problem is in development. Let's face it, with the possible exception of FedRAMP, templates and useful guides are few and far between. The DoD's DIACAP Knowledge Service, which is supposedly the authoritative source for information, is woefully inadequate.

We recognized this problem, and tossed all the samples, examples and templates aside and built from scratch. We designed each artifact with a common look and a logical flow. The result was a set of artifacts that obviously complemented each other and were easy to read and search. It made sense to us, and apparently made sense to the certification authority. A sister application was in the certification process at the same time and contracted with a major defense contractor. After over 18 months of work developing a package for a collocated data center on a DoD installation, the CA returned the package with twenty-six (yes, 26) pages of issues.

Our "issues/questions" document came from the same CA. With a little over six months invested, and while attempting to accredit the first DoD information system on the cloud, the CA had barely one and a half pages of questions.

It's not just putting the information in the artifact; it's putting the information in a clear and logical flow so the CA, and ultimately the Authorizing Official, understand your system and what steps you have taken to mitigate any weaknesses.

AWS Consulting Partner

RMF Resources

Documents and Links applicable to the NIST / DoD Risk Management Framework (RMF)

Contact Us

IA Security Solutions

757.645.0015

info@iassecurity.net

IASS is a Service Disabled Veteran Owned Small Business (SDVOSB)

Copyright © 2013 - IASS, LLC

Hosted on Amazon Web Services Simple Storage Service - S3