Private sector firms and organizations doing business with the US Department of Defense are increasingly required to comply with new cybersecurity requirements. Under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, contractors with information systems that contain or transmit covered defense information are required to meet security standards outlined in NIST Special Publication 800-171. NIST SP 800-171 contains 110 security requirements which must be met to be eligible to receive DOD contracts or sub-contracts. Recently, the Pentagon’s leadership made it known to the defense industrial base that they expect the products and services DOD buys to come secure, just like the department expects them to be of the best quality.
stackArmor’s team of cloud solutions architects and NIST SP 800-53 compliance experts has developed a simple solution blueprint for DOD and Government contractors to meet their DFARS obligations using the AWS cloud service. The infographic below provides an overview of the packaged digital workplace built from FedRAMP Moderate accredited services.
Challenges for Defense and Government Contractors
Meeting compliance and security standards can be challenging for contractors, given that IT and IT systems may not be their core competency. Leading industry experts like Bob Metzger, Partner with Rogers Joseph O’Donnell, have done extensive work with the Defense Industrial Base and have created rich content to help organizations understand and mitigate the challenges surrounding DFARS and NIST SP 800-171 compliance. In part V of the six-part series, Bob Metzger highlights the need to look at cloud-based services that meet specific guidance thresholds as a means to reduce the cost and burden associated with compliance, especially since DOD is adopting cloud solutions in a big way through the JEDI procurement.
The DoD DFARS guidance provides for use of cloud services. Specifically the guidance states, “If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.”
Amazon Web Services (AWS) recently announced the FedRAMP accreditation of a number of services that are assessed at the FedRAMP Moderate level and can help DOD and Government contractors rapidly and cost-effectively meet their compliance mandates.
FedRAMP Accredited Digital Workplace on AWS for DOD Contractors
stackArmor is an Advanced AWS Partner with a leadership team that has nearly a decade of experience in migrating Federal systems to commercial cloud services while meeting the NIST SP 800-53 security requirements and obtaining an Authority To Operate (ATO). Key to protecting CUI and CDI is the ability to implement and follow the security best practices codified in the NIST SP 800-171 guidance. A number of out-of-the-box tools are available for encrypting data, monitoring and auditing access, sharing and collaborating, and establishing a strong system boundary, which reduces the cost of implementation. The key services and their functions are described below.
AWS Directory Services, Amazon Cognito and RADIUS
A key tenet of security management is the ability to centralize user management, permissions and access policies, including enforcing 2-factor authentication. Depending on the services being consumed, these capabilities can be provided by AWS Directory Services, Amazon Cognito and a RADIUS service. AWS Directory Services is a fully managed, FedRAMP Moderate accredited Microsoft Active Directory service for managing users. Amazon Cognito integrates easily with Directory Services and can enforce 2-factor authentication for a web application or the AWS console. A RADIUS server is required to implement MFA for AWS WorkSpaces and WorkDocs; a number of RADIUS options exist, such as Duo or FreeRADIUS.
Amazon WorkDocs and WorkSpaces
The ability to receive, send and process documents and data marked as CUI or CDI is a critical and constant requirement. AWS offers WorkDocs as a document and file sharing service with strong security features including encryption, download restrictions, logging and auditing, and expiring document links. Given the need to implement a strong and defensible system boundary for NIST SP 800-171 and DFARS compliance, it is important to ensure that data and documents are never processed in an environment that is not FedRAMP Moderate accredited. Amazon WorkSpaces provides the ability to rapidly create hardened and secure digital desktops loaded with common productivity software such as Microsoft Office. Both of these services are fully integrated with the AWS security model and offer integrated options for configuring and managing access.
Continuous Monitoring and Compliance
AWS offers a strong suite of services, including CloudTrail, CloudWatch, GuardDuty, Config and VPC Flow Logs, to keep track of the environment and meet continuous monitoring requirements. However, implementing these services and consuming the information they produce can be challenging. To make it easier, stackArmor has developed an out-of-the-box solution called the stackArmor Cybersecurity Platform, which offers three component services specifically designed to help DOD and Government contractors meet their NIST SP 800-171 and DFARS requirements.
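To show what "consuming such information" looks like in practice, here is an added example (not stackArmor's platform code and not part of the original post) that reads a CloudTrail log file and produces two findings that map to the controls discussed above: successful console sign-ins made without MFA (the 2-factor tenet from the directory services section, NIST SP 800-171 3.5.3) and repeated failed sign-ins from one user and source address (3.1.8, limiting unsuccessful logon attempts). The field names used (`eventName`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `sourceIPAddress`) are the real fields of CloudTrail `ConsoleLogin` records; the records themselves are constructed for the example, and the threshold of three failures is an assumed value.

```python
"""Scan CloudTrail ConsoleLogin records for MFA and failed-logon findings.

Added illustration, not stackArmor's code. The sample records are
constructed; the field names match real CloudTrail ConsoleLogin events.
"""
import json
from collections import Counter

# Constructed CloudTrail log file: four ConsoleLogin events plus one
# unrelated API call, so the filter below has something to discard.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2019-03-01T13:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-03-01T13:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-03-01T13:06:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-03-01T13:06:20Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-03-01T13:06:45Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-03-01T13:10:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def console_logins(trail_json):
    """Return only the ConsoleLogin records from a CloudTrail log file."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records if r.get("eventName") == "ConsoleLogin"]


def successful_logins_without_mfa(records):
    """Users who signed in to the console successfully without MFA
    (a finding against NIST SP 800-171 3.5.3). Returns sorted user names."""
    return sorted({
        r.get("userIdentity", {}).get("userName", "unknown")
        for r in records
        if r.get("responseElements", {}).get("ConsoleLogin") == "Success"
        and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    })


def repeated_failures(records, threshold=3):
    """(user, source IP) pairs with at least `threshold` failed sign-ins
    (relevant to NIST SP 800-171 3.1.8). The threshold is an assumed value."""
    counts = Counter(
        f"{r.get('userIdentity', {}).get('userName', 'unknown')}"
        f"@{r.get('sourceIPAddress', '?')}"
        for r in records
        if r.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def findings(trail_json):
    """Run both checks over one CloudTrail file and return a report dict."""
    recs = console_logins(trail_json)
    return {
        "logins_without_mfa": successful_logins_without_mfa(recs),
        "repeated_failures": repeated_failures(recs),
    }


if __name__ == "__main__":
    print(json.dumps(findings(SAMPLE_TRAIL), indent=2))
```

In a real deployment the same functions would run over the gzipped CloudTrail files delivered to S3, or as a Lambda triggered by the delivery event, with findings forwarded to CloudWatch or the ticketing system; the point here is that the raw events already carry the MFA and success/failure fields a NIST SP 800-171 audit needs, so the monitoring logic is small once the data is flowing.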
Clearly, securing the DOD and Government supply chain is a big priority and using FedRAMP Moderate accredited cloud services can help reduce the cost of compliance by using ready-made solution components. If you are interested in learning more about our solution please contact us at solutions @ stackArmor dot com