Our Services Include:
FISMA Compliance
Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
While guidance can be found in NIST Special Publications such as SP 800-53, in DoDI 8510.01, and in the FedRAMP program, the journey between registering a system and obtaining an agency Authority to Operate (ATO) is a long one and not for the faint of heart. This is especially true if you are planning on using a commercial cloud provider such as Amazon Web Services (AWS).
IASS has successfully implemented cloud migration and security authorization using AWS for a DoD MAC III Sensitive System (analogous to a NIST Moderate). In fact, we were the first!
Cloud Solutions
Cloud computing has become one of the most discussed IT paradigms of recent years. It builds on many of the advances in the IT industry over the past decade. With cloud computing, organizations can consume shared computing and storage resources rather than building, operating, and improving infrastructure on their own. Cloud computing is a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service to external customers using Internet technologies.
Cloud computing enables organizations to obtain a flexible, secure, and cost-effective IT infrastructure, in much the same way that national electric grids enable homes and organizations to plug into a centrally managed, efficient, and cost-effective energy source.
Amazon has a long history of using a decentralized IT infrastructure. By 2005, Amazon had spent over a decade and millions of dollars building and managing the large-scale, reliable, and efficient IT infrastructure that powered one of the world’s largest online retail platforms. Amazon launched Amazon Web Services (AWS) so that other organizations could benefit from Amazon’s experience and investment in running a large-scale distributed, transactional IT infrastructure.
AWS is readily distinguished from other vendors in the traditional IT computing landscape because it is:
- Flexible
- Cost-effective
- Scalable and elastic
- Secure
- Experienced
IASS partners with AWS to provide its premier cloud services. With IASS you get personalized service and experienced solutions architects. IASS also has access to AWS solutions architects and technical professionals to help you design a highly available, fault-tolerant, cost-effective cloud solution.
Disaster Recovery
An unfortunate reality is that no matter how well prepared one might be, disasters do happen, most often due to forces outside one's control. Think Hurricane Sandy, tornadoes in the Midwest, or earthquakes on the West Coast.
The traditional means of planning is to develop policies for Continuity of Operations (COOP) and Disaster Recovery (DR), which spell out how to react, which systems to bring up first, and how long a system may be down. Common sense, best practice and, for the federal sector, NIST SP 800-53 (the CP-6 Alternate Storage Site and CP-7 Alternate Processing Site controls in the Moderate and High baselines) all call for a secondary site. This DR site should be geographically separated from the main data center so that any disaster affecting the primary site is unlikely to affect the DR site as well.
For some businesses this simply isn't practical. First, the cost of replicating a data center "just in case" is enormous; second, either someone has to travel to the secondary site to start up operations, or you have to rely on a third party to get you back online.
The solution? AWS. Whether you are seeking a DR solution for your colocated data center or a complete cloud migration, AWS provides cost-effective DR options that are easy to set up, rapid, and highly fault tolerant. They range from backup and restore using S3 storage (designed for eleven nines of durability), to the "pilot light," to warm standby. Keep in mind that durability measures how unlikely S3 is to lose the bytes you store; it does not by itself protect a backup from accidental or malicious deletion, so versioning, tight access controls and a copy in a second region remain part of a sound backup design. Depending on which DR option you choose, you could be up and running in as little as 30 minutes.
If your DR plan needs an overhaul, or you need to implement one, contact us to see how we can solve your DR requirements.
Artifact Development & Review
Artifacts. The bane of any Assessment and Authorization effort. But you have to do them...
The problem is in development. Let's face it: with the possible exception of FedRAMP, templates and useful guides are few and far between. The DoD's DIACAP Knowledge Service, which is supposedly the authoritative source of information, is woefully inadequate.
We recognized this problem, tossed all the samples, examples and templates aside, and built from scratch. We designed each artifact with a common look and a logical flow. The result was a set of artifacts that clearly complemented each other and were easy to read and search. It made sense to us, and apparently it made sense to the Certifying Authority (CA). A sister application was in the certification process at the same time and had contracted with a major defense contractor. After over 18 months of work developing a package for a colocated data center on a DoD installation, the CA returned that package with twenty-six (yes, 26) pages of issues.
Our own "issues/questions" document came from the same CA. With a little over six months invested, and while attempting to accredit the first DoD information system in the cloud, we received barely one and a half pages of questions.
It's not just putting the information in the artifact; it's putting it in a clear and logical flow so that the CA, and ultimately the Authorizing Official, understands your system and the steps you have taken to mitigate any weaknesses.