This is Matthew Metheny's Typepad Profile.
Join Typepad and start following Matthew Metheny's activity
Join Now!
Already a member? Sign In
Matthew Metheny
Recent Activity
The Cloud extends the scope of Risk Management when risk is considered an enterprise (organizational) activity which takes into consideration various aspects of the nature of the cloud adoption. The "25-Point Implementation Plan to Reform Federal IT" published by Vivek Kundra, U.S. Chief Information Officer (CIO) on December 9, 2010 gave clear direction that a shift to the cloud will be part of the Federal IT strategy. In the Implementation Plan, Vivek states "Within the next six months, the Federal CIO will publish a strategy to accelerate the safe and secure adoption of cloud computing across the government." Further, Vivek... Continue reading
Posted Dec 17, 2010 at (ISC)² Blog
The FedRAMP Security Requirements "describes the U.S. Government’s proposed Assessment and Authorization (A&A) for U.S. Government Cloud Computing." In chapter 1, the FedRAMP PMO defined the proposed requirements (security controls) for a Low- and Moderate-Impact Cloud Computing environment (although not specifically characterizing any specific applicability to the Cloud Delivery or Service Model). In addition, the FedRAMP (DRAFT) publication draws on the existing NIST standards and guidelines to support the authroization of Cloud Services for the Federal Government. However, the FedRAMP publication limits the scope and tailoring of the control requirements to specifying the control parameters [refer to Section 3.3 within... Continue reading
Posted Dec 8, 2010 at (ISC)² Blog
In an effort to understand the FedRAMP process for Assessment and Authorization (A&A), it is important to look at the basic security controls that will drive the process of designing, implementing and documenting security controls into the Cloud Service Providers solution prior to going through the FedRAMP A&A process (or attesting compliance with the FedRAMP security requirements). Proposed Security Assessment & Authorization for U.S. Government Cloud Computing Chapter 1: Cloud Computing Security Requirement Baseline Lines 83-85 83 These controls have been agreed to by a 84 Joint Approval Board made up of users from GSA, DHS & DOD for use... Continue reading
Posted Nov 16, 2010 at (ISC)² Blog
As a continuation of the series focusing on “Demystifying the Risk Management Framework” (, this posting will cover Risk Assessments, and how they play a role in the RMF (both as a tool for managing risk within individual information system and organization-wide). In the absence of a mature Risk Assessment methodology, Federal Agencies are struggling with balancing the implementation of the baseline controls outlined within NIST SP 800-53 Security Controls. As a routine function of the traditional Certification and Accreditation (C&A) activity, there is a heavy reliance on the Assessor as part of the Security Testing (e.g., ST&E) to perform... Continue reading
Posted Apr 7, 2010 at (ISC)² Blog
As a follow-on to a previous posting titled "Federal Agencies Lack Proper Security-Related Risk Management Practices" (, I am dedicating the next few posting referred to as "Demystify the Risk Management Framework" to clarify the RMF and the role Risk Management plays within the System Development Lifecycle (SDLC). In parallel, I have organized a series of presentations that will provide a more detailed examination of the Risk Management Framework (RMF) collectively drawn from multiple NIST publications with the intent of providing an end-to-end discussion of the RMF and how it can be used to manage organizational risk. Several publications are... Continue reading
Posted Mar 30, 2010 at (ISC)² Blog
FYI - NIST has released their version of the markup that reflects changes between NIST 800-53 Rev. 2 and Rev 3 -