SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Blog

The Schellman Blog

Stay up to date with the latest compliance news from the Schellman blog.

MATT WILGUS

Matt Wilgus is a Principal at Schellman, where he heads the delivery of Schellman’s penetration testing services related to FedRAMP and PCI assessments, as well as other regulatory and compliance programs. Matt has over 20 years’ experience in information security, with a focus on identifying, exploiting and remediating vulnerabilities. In addition, he has vast experience enhancing client security programs while effectively meeting compliance requirements. Matt has a strong background in network and application penetration testing, although over the past 10 years most of his focus has been on the application side, with extensive experience testing some of the most well-known IaaS, PaaS and SaaS providers.

Blog Feature

Cybersecurity Assessments | Penetration Testing

By: MATT WILGUS
June 17th, 2021

During a penetration test, the Schellman team often works with development teams, administrators, risk and compliance professionals and information security personnel; however, the initial point of contact for a penetration test may be an individual that isn’t any of those. More and more, someone from the product or procurement team may have the responsibility—or shared responsibility—of having a penetration test performed. While these individuals may understand a timeline for a specific task, they likely do not have full visibility into the entire project. Such circumstances, among others, can trigger one of the biggest challenges frequently seen in planning pen tests—timing.

Blog Feature

FedRAMP | Federal Assessments

By: MATT WILGUS
March 14th, 2018

Though vulnerability scanning is only one of the control requirements in FedRAMP, it is actually one of the most frequent pitfalls in terms of impact to an authorization to operate (ATO), as FedRAMP requirements expect cloud service providers (CSPs) to have a mature vulnerability management program. A CSP needs to have the right people, processes and technologies in place, and must successfully demonstrate maturity for all three. CSPs that have an easier time with the vulnerability scanning requirements follow a similar approach, which can be best articulated by breaking down the expectations into three stages.

Blog Feature

Cloud Computing | FedRAMP | Federal Assessments

By: MATT WILGUS
May 25th, 2016

Many cloud service providers (CSPs) are not fully addressing the database scanning requirements for FedRAMP and have questions related to database security and FedRAMP. This article details the issues associated with not meeting the database scanning requirement, the most common reasons why this occurs, what can be done to improve this and what to consider with database security beyond scanning.

Blog Feature

FedRAMP | Payment Card Assessments | Federal Assessments

By: MATT WILGUS
July 9th, 2015

Overview In the last 30 days, the FedRAMP Program Management Office (PMO) has published guidance for both vulnerability scanning and penetration testing. The updated guidance comes on the heels of PCI mandating the enhanced penetration testing requirements within its requirement 11.3 as part of the 3.0, now 3.1, version of the DSS. These augmented PCI requirements, introduced in the fall of 2013, took effect on June 30th. For many cloud service providers this means the requirements for vulnerability scanning and penetration testing are more thorough and will require additional resources for planning, executing and remediating findings. This article will walk through the updates and discuss the differentiation between FedRAMP and the PCI Data Security Standard (DSS).

{