goobster  ·  1700 days ago  ·  parent post: I'm helping with disease investigation in this pandemic. AMA!

As someone who bids on government contracts for a living, I can see through this opaque maze like it was made of glass.

What a shitshow.

Example from my biz: Our product is primarily web-based, and lives in the cloud. At first, that was in our own managed data center. But recently we have moved to the Google Cloud Platform.

People are naturally security-conscious, so they ask if we are "SOC2 Certified", which is a security standard that covers key physical and electronic security best practices. (Like required password strength, and servers being in locked cages with restricted access.)

Google is SOC2 certified. But for BOTH of us to get SOC2 certification, Google and my company would have to launch a joint effort for about 6 months, to go through every detail of our installations and everywhere our systems touch, write up all the documentation, submit it, and receive our certification in 2-3 months. So around 9 months of work, if everything goes well. And we would have to re-do that exercise every year, or every time either one of us upgraded or changed any of the systems that had been examined.

So we say, "our software runs in SOC2-certified data centers" when people ask if we are "SOC2 certified". Because they have no idea what they are asking for; they just googled "good security standard" and came up with the buzzword "SOC2".

So I can TOTALLY see how an "EUA approved lab" is something that is absolutely necessary to have and at the same time, unclearly defined. A low-level functionary was protecting their hide one day and wrote an extra line of text somewhere, and now it's policy.