by Johnny555 2559 days ago
If Fedramp is like other security certifications, written policies can be used in lieu of actual enforcement.

A policy could be something like:

"Vendor shall not move sensitive data out of CBP's secure network"

So it's pretty much on the honor system. And some new employee at the vendor may not even be aware of all of the policies they are supposed to be following. The vendor is still responsible for that employee's actions, but it can be discovered too late (as in this case, the breach was already made).

But instead of just a written policy (among dozens or hundreds of others) that people are expected to abide by, this could be enforced by limiting the vendor's access to the network. For example, by counting how many records they access, how many bytes of data they download over their connection to the secure network, or not giving them direct access at all and exposing only an API controlled by CBP that gives them access to only the data they require.
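One way to turn the "count records and bytes" idea into a concrete detective control, as an added example that is not part of the comment above: a per-vendor daily quota check run over constructed access-log lines. The log format, vendor ids and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample access-log lines (illustrative, not real data):
# <ISO timestamp> <vendor id> <records returned> <bytes sent>
SAMPLE_LOG = """\
2019-06-01T08:00:00Z vendor-a 40 81920
2019-06-01T08:05:00Z vendor-a 35 70000
2019-06-01T09:10:00Z vendor-b 500 1048576
2019-06-01T09:12:00Z vendor-b 20000 52428800
2019-06-02T10:00:00Z vendor-a 10 2048
"""

@dataclass(frozen=True)
class Quota:
    max_records: int  # records a vendor may pull per UTC day (assumed limit)
    max_bytes: int    # bytes a vendor may pull per UTC day (assumed limit)

def parse_log(text):
    """Parse lines into (day, vendor, records, nbytes); skip blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vendor, records, nbytes = line.split()
        rows.append((ts[:10], vendor, int(records), int(nbytes)))
    return rows

def daily_totals(rows):
    """Sum records and bytes per (day, vendor) so bulk pulls split across
    many small requests are still caught."""
    totals = defaultdict(lambda: [0, 0])
    for day, vendor, records, nbytes in rows:
        totals[(day, vendor)][0] += records
        totals[(day, vendor)][1] += nbytes
    return totals

def find_violations(text, quota):
    """Return a sorted list of (day, vendor, reasons) for quota breaches."""
    hits = []
    for (day, vendor), (records, nbytes) in daily_totals(parse_log(text)).items():
        reasons = []
        if records > quota.max_records:
            reasons.append(f"records {records} > {quota.max_records}")
        if nbytes > quota.max_bytes:
            reasons.append(f"bytes {nbytes} > {quota.max_bytes}")
        if reasons:
            hits.append((day, vendor, reasons))
    return sorted(hits)
```

Running `find_violations(SAMPLE_LOG, Quota(10_000, 10 * 2**20))` flags vendor-b on 2019-06-01 on both counts while vendor-a stays under quota; the same totals could drive an API gateway that refuses further requests once the limit is hit.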