
Microsoft Online Services Team Blog

Technical discussions on the Microsoft Online Services and the various aspects of each of these services.

What goes into a FISMA certification?


Written By:  Yong-Gon Chon, CTO of SecureInfo Corporation


I work for SecureInfo, a provider focused exclusively on cybersecurity services. We have served the Federal government for over 10 years and are involved in securing information assets used across the US Civilian Sector and the Department of Defense. We routinely conduct independent third-party assessments of systems used by these organizations in support of Federal Information Security Management Act (FISMA) compliance programs. In the thousands of FISMA-related engagements we have performed over the years, we have been actively involved in assessing information systems that serve US citizens and enable warfighters, including complex, mission-critical, and highly classified systems. SecureInfo customers include the Department of Homeland Security, the United States Air Force and the United States Army, as well as private industry clients that must meet Federal security requirements. Most recently, we worked with Microsoft to perform an independent assessment of the Business Productivity Online Suite – Federal (BPOS-F) offering, providing support and guidance to achieve an Authority to Operate (ATO).

The successful security authorization of Microsoft BPOS-F through the United States Department of Agriculture (USDA) at a Moderate Impact level is a major accomplishment: it safely enables the consolidation of 21 different messaging platforms and provides Software as a Service (SaaS) to 120,000 end users in 5,000 offices within the US and in over 100 countries worldwide. SecureInfo’s assessment was performed using the National Institute of Standards and Technology (NIST) Risk Management Framework. We used the most recent version of the NIST SP 800-53A publication as the key procedural guidance for our assessment activities.

Our assessment was rigorous and required Microsoft to demonstrate effective implementation of approximately 160 different management, operational and technical controls to a team of subject matter experts with a combined total of 99 years of industry experience. Our testing included an extensive review of Microsoft's policies and procedures, interviews with the key personnel involved in delivering and supporting BPOS-F, examination of security-related configuration settings, vulnerability scans of all components included within the environment (operating systems, databases, and web applications), and penetration testing. Additionally, SecureInfo assessed the physical and environmental controls of the Microsoft Global Foundation Services (GFS) domestic United States data centers where BPOS-F is hosted.

Based on our review, we are confident that Microsoft understands that operating and delivering a secure cloud computing solution is an ongoing process. As a result, SecureInfo will be supporting Microsoft’s continuous monitoring program, consistent with the requirements outlined in the NIST continuous monitoring guidance (SP 800-137).
