Paul Douthit

Preparing for FedRAMP: Building security into the fabric of our cloud

Building security into the System Development Life Cycle (SDLC) is a basic security principle, but one not always well followed. When it is, the result speaks for itself: a more secure system. For CGI, following this “security first” principle enabled us to become the first certified Cloud Service Provider (CSP) to deliver secure cloud services under GSA’s Blanket Purchase Agreement (BPA) for Infrastructure as a Service (IaaS). Our approach also makes it easier to comply with the forthcoming FedRAMP requirements.

An important lesson learned in getting our Authority to Operate (ATO) is that information security and privacy protections must be included at every stage of the SDLC, starting from the outset. This contrasts with approaches that correct vulnerabilities and deficiencies after the fact, which results in schedule delays, higher costs and a delayed return on investment.

From the start, CGI committed to following NIST guidelines and GSA policy and procedures explicitly to meet federal requirements for our federal cloud IaaS offering. Security is a core ingredient along with technology, processes and people. It permeates our entire operation and helps guide technology selection, development of ITIL service processes, and training so everyone understands its importance in their roles.

Both GSA and the recent FedRAMP policy memo (PDF) point to the need for transparency into a CSP’s security implementation. Since CGI owns all aspects of our cloud, it was much easier for us to build security and privacy into the fabric of the operation and provide the level of security transparency demanded by government clients. We also provide extensive dashboards and reporting for performance, usage and billing transparency and automated service management to give agencies critical control mechanisms.

With the goal of setting an early example ahead of FedRAMP, GSA put CGI through the same ATO scrutiny required for its own systems. The assessment process reveals how well a CSP implements the NIST 800-53 security controls and how well it performs continuous monitoring. It had to be thorough enough for agencies to conclude that CGI’s federal cloud does not represent any greater risk than their own data center operations. Assessors pored over our documentation, interviewed our members operating the cloud, and conducted rigorous penetration and vulnerability testing, which is a much larger part of the accreditation process today.

The result: the first award under the BPA, and a solid security foundation for meeting the new FedRAMP requirements.

ITIL® is a registered trade mark of the Cabinet Office
