Cisco Umbrella is navigating the rigorous #FedRAMP process to ensure secure cloud services for federal agencies. Currently "In-Process", Umbrella is preparing for stringent 3PAO audits. This milestone underlines Cisco's commitment to helping the government innovate securely for the future. #CloudSecurity #CiscoUmbrella #GovernmentInnovation
https://blogs.cisco.com/government/understanding-fedramp-how-cisco-umbrella-is-getting-certified
HIRING: Senior Manager - Security Operations | Remote US / United States https://infosec-jobs.com/J25205/ #InfoSec #InfoSecJobs #Cybersecurity #jobsearch #hiringnow #CyberCareers #UnitedStates #Ansible #Automation #AWS #Azure #C #CISA #CISM #CISSP #Cloud #Encryption #FedRAMP #GCP
How do I deliver a secure and reliable k8s platform with guardrails?
It's challenging and the topic arises often with my customers. My awesome teammate Poonam unveils an essential tool.
#GKE, #k8s #Security, #PolicyController, #Anthos, #Fedramp, #FIPS
Slept for a while after I got home from the doctor's office. Feeling like crap and now my sleep schedule is kind of jacked. So, now I am up and reading NIST SP 800-190 and associated FedRAMP container security documentation, as well as trying to dig a bit more into container vulnerability scanning.
#NIST #fedramp #security #infosec #containers #kubernetes #docker #podman #linux #vulnerability
If you are a startup, please think hard before you decide to try #fedramp. There are many reasons to do it, but don't listen to anyone that tells you that it will be easy and quick. FedRAMP is a lifestyle change, not a side project for a small company.
Can any of my #Microsoft #infosec people familiar with #Microsoft365 tell me why GCC High shows that it is not FedRAMP'd in the FedRAMP marketplace?
All sorts of Microsoft docs say that it is FedRAMP High compliant, but the Marketplace seems to disagree.
#azure #fedramp #office #m365 #o365 #microsoft365 #infosec #microsoft
If you are into #FedRAMP, the AWS GovCloud team has a program called ATO on AWS that will give you some free consulting on how to configure AWS services to be FedRAMP compliant. Now, the issue is that they don't advertise this well, so you could be like me and only learn about this way too late.
As the National Defense Authorization Act (NDAA) has passed both the Senate and the House it is now expected to be signed by President Biden. It has language that changes FedRAMP.
From Fedscoop:
The bill H.R.7776 can be tracked at Congress.gov; the specific language, in case you are incredibly bored, is in Sec. 5921, FedRAMP Authorization Act text.
#HR7776
👍🏻 #FedRAMP reform legislation appended to National Defense Authorization Act - One of the most consequential aspects of the FedRAMP reform bill is a “presumption of adequacy” clause, which would allow FedRAMP-authorized tools to be used in an agency without additional oversight or verification. It will also create a separate cloud advisory committee consisting of five representatives from #cloud services companies https://www.fedscoop.com/fedramp-reform-legislation-appended-to-ndaa/ #infosec
Giving #FedRAMP authorizations the “presumption of adequacy” would be... a BFD (in Biden-speak) https://www.fedscoop.com/fedramp-reform-legislation-appended-to-ndaa/
🤔 Announcing data protection in Amazon CloudWatch Logs, helping you detect, and protect sensitive data-in-transit - Data protection in CloudWatch Logs enables customers to define and apply data protection policies that scan log data-in-transit for sensitive data and mask sensitive data that is detected. Log data protection can help with regulations such as #HIPAA, #GDPR, Payment Card Industry Data Security Standard (#PCI-DSS) and #FedRAMP https://aws.amazon.com/about-aws/whats-new/2022/11/data-protection-amazon-cloudwatch-logs-detect-protect-sensitive-data-in-transit/ #infosec
I was able to put together a quick case study of our use of @sigstore at Autodesk. Check it out if you have a few mins and are interested in #fedramp container provenance and #supplychainsecurity ! Big thanks to Tracy Miranda and the Chainguard team for all the help! https://blog.sigstore.dev/using-sigstore-to-meet-fedramp-compliance-at-autodesk-6f645a920abc
It would be a great accelerator for #sbom adoption if there was a way to leverage them to accelerate #NIAP / #FIPS / #FedRAMP.
If one was able to digitally attest to known approved versions of software libraries in their SBOM, you would think it could reduce their certification burden.
The current NIAP/CC/FedRAMP process is endlessly broken and this could be a great way to start to modernize it.
Never did an #introduction, apparently.
My name is Matthew Lorimor. I have most often just gone by "Lorimor" since I have been on too many teams with too many Matts.
I've been at this InfoSec thing for a decade or so, now. I came by way of being a software engineer and having persistent security friends (let's be honest, it's mostly the fault of @matthewsullivan).
I currently work as a cloud security engineer for a company called Benchling. We do cool science software stuff.
Previously, I was at Workiva helping secure all sorts of Fortune 500 financial and reporting data with @matthewsullivan, @Trickster88, @ojensen, @benmontour, and @stuckshut. Most notably, I got to wade through the land of #FedRAMP Moderate. What a joy that was.
I thought I had an acute problem of helping companies put on their enterprise security pants, but my move to Benchling a year ago seems to have proven that it's a chronic one instead.
I like AWS, Docker, and scanning tools of all kinds. I hate AWS, Docker, and scanning tools of all kinds.
They say civil servants are risk averse, but I'm like:
> We will not adopt #FIPS140 in contexts where we determine it would undermine our security stance. If this stance costs us our #FedRAMP authorization, then we will proceed to wind down our CSP and tell our customers to move their workloads.