Blog

Webinar – Manage “Achieving DOD Impact Level 4 – Lessons Learned & Much More”

If you are an ISV or SaaS solutions provider looking to pursue US DOD and FedRAMP accreditations, please join our webinar discussion on DOD Impact Level 4 ATO and Lessons Learned. You can learn more by registering here.

Date: Dec 7, 2022 02:00 PM in Eastern Time (US and Canada)

The U.S. Department of Defense (DoD) has unique information protection requirements that extend beyond those established by the Federal Risk and Authorization Management Program (FedRAMP). Using the FedRAMP requirements as a foundation, the Defense Information Systems Agency (DISA) developed and maintains the DoD Cloud Computing Security Requirements Guide (CC SRG). The DoD CC SRG defines the standards for categorizing DoD information and information systems and breaks them into 4 Impact Levels (DoD ILs):

• DoD IL 2 – Public or Non-Critical Mission Information
• DoD IL 4 – Controlled Unclassified Information (CUI) or Non-CUI, Non-Critical Mission Information, Non-National Security Systems
•


How to Successfully Plan, Implement and Support DoD IL5 Customers

As DoD agencies continue their migration of sensitive workloads to the cloud, there is a greater need to ensure those workloads are deployed in accordance with the rigorous DoD Cloud Computing Security Requirements Guide (SRG) at Impact Levels 4 and 5. Systems categorized at Impact Level 5 (IL5) are allowed to host non-public, unclassified National Security System (NSS) data (i.e., U-NSI) or non-public, unclassified data.

The work to support the path to IL5 is made easier by both stackArmor’s proprietary ThreatAlert® Authority To Operate (ATO) Accelerator and the company’s experience supporting the technical and architectural implementation of IL5 controls. ThreatAlert® ATO Accelerator provides a proven, independently audited secure digital platform that includes (1) a landing zone, (2) an “in-boundary” cloud general support system (GSS) and (3) compliance controls for the DOD IL5 package/SSP (System Security Plan). stackArmor provides our clients a suite of implemented security controls, evidentiary support and artifacts, and


NIST Rev 5 – What it Means for FedRAMP

This is an older blog which has been superseded by the latest blog based on the official release of the Rev 5 baselines by the FedRAMP PMO.

Since its inception, FedRAMP has used the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) procedures and guidelines as the foundation for providing standardized security requirements and control definitions for cloud service providers wanting to serve the federal market. In fact, FISMA, RMF, FedRAMP, OSCAL, and SCF all use NIST as a gold-standard foundation for standardized compliance guidelines. To align with the updates in NIST’s final release of Rev. 5 (which was drafted in 2020 and open to public comment through October 1 of 2021), FedRAMP has re-established their control baselines accordingly. In December of 2021, FedRAMP released their new Rev 5 baselines, re-aligning with the NIST Rev. 5 update. The new baselines are a result of close collaboration between the FedRAMP


Accelerating FedRAMP, DOD, and NIST ATOs with stackArmor ATO Machine (ATOM)

Large software vendors, global defense contractors and organizations operating in hyper-regulated markets must meet very specific government cybersecurity requirements. These requirements include ensuring data sovereignty as well as compliance with specific standards like FedRAMP or ITSG-33 in the US and Canada respectively. The rapid emergence of data sovereignty requirements is driving the increased need for “in-region” deployments that provide the ability to contain the data within a pre-specified area. External connections to corporate services, other SaaS services, or other systems cause the assessors to take a very close look at data flows. This scrutiny and extra due diligence can slow down the accreditation process.

These unique constraints create challenges for large global organizations looking to meet complex regulatory requirements in a cost-effective manner. This problem can be solved by using an “in-boundary” security and compliance model that limits the number of external connections and delivers a “region-gapped” service. stackArmor’s


FedRAMP Releases Updates to ATO Requirements based on NIST SP 800-53 Rev 5 for Public Review

The FedRAMP Program Management Office (PMO) at the General Services Administration (GSA) released the updated controls baselines based on NIST SP 800-53 Rev 5. The current FedRAMP Security Assessment Framework (SAF) is based on the National Institute of Standards and Technology’s (NIST) Special Publication [SP] 800-53 Rev 4. FedRAMP is expected to migrate to NIST SP 800-53 Rev 5 after a period of review and comments.

Proposed Updates to FedRAMP Controls based on NIST SP 800-53 Rev 5

There are several updates to the controls framework, including the incorporation of threat risk scoring. FedRAMP is using a threat-based methodology as outlined in the MITRE ATT&CK Framework. FedRAMP published their intent to use threat-based scoring to provide additional prioritization of risks and of the need for the right types of controls. A cursory review of the DRAFT controls baselines shows the revised control counts for the various baselines:

• Low baseline – 150 controls
