Battle-hardened Cyber-Samurais Built for the Cutting-Edge Battlespace
“In the midst of chaos, there is also opportunity .” – Sun Tzu
What makes selling to DoD different than selling to the Civilian sector? What is this FedRAMP+ that people are talking about?
Leverage our Cyber-Samurai’s to navigate the waters of DoD so that you can obtain a provisional authorization (PA) to sell to all of DoD. bladestack.io team members have supported numerous DoD assessments and will help guide your team to success.
Our cyber-samurais are equipped and credentialed with the top industry recognized certifications. We are prepared to cut, slice and dice through the cyber fog of war to ensure you come out on top.
Decades of Experience Cultivating the Civilian to DoD Transition
Secure cloud computing is critical to the Department of Defense (DoD)’s plans to dominate the digital battlefield. However, the DoD’s continuously changing and complex security requirements hamper DoD support organizations ability to rapidly field modern cloud capabilities.
bladestack.io’s Cyber-Samurai’s help private sector organizations meet DoD security requirements and deliver compelling solutions to modern defense challenges.
Our Cyber-Samurai’s help private sector organizations interpret DoD guidance, speak DoD security language , design and architect systems that meet both civilian and DoD standards.
A critical step to any engagement is to understand your current state by conducting an gap analysis against the FedRAMP+ C/CEs, targeting your desired Impact Level (IL) and FIPS-199 system categorization. We then work with you to align existing practices and security controls to DoD’s requirements. We develop security documentation to address DoD-specific requirements, deconflict between technical requirements, such as DISA STIGs and CIS Benchmarks, and implement the security architecture that DoD expects to see prior to interconnecting with their critical infrastructure.
DoD Cyber Cloud Security
DoD layers a challenging array of additional requirements on top of the already challenging US Government’s existing FedRAMP control framework. DoD’s FedRAMP+ Control/Control Enhancements (C/CEs), described in the Security Requirements Guide, are obviously critical but often overlooked due to the nuanced nature of the requirements. But additional documents, including DoDI 8510.1, guidance from the Joint Enterprise Standards Committee (JESC), the Cloud Connection Process Guide and the Secure Cloud Computing Architecture (SCCA) must also be addressed throughout the system design and deployment process. Even for FedRAMP-authorized Cloud Service Providers (CSPs), these unique DoD-specific requirements can be jarring for CSPs transitioning from the civilian world. As an example, DoD mandates technical hardening to the DISA Security Technical Implementation Guides (STIGs), whereas FedRAMP defaults to the Center for Internet Security (CIS) Benchmarks. DoD also requires adherence to DoDI 8551.01 for approved ports, protocols and services, and introduces additional incident response tracking and reporting requirements.
Compliance & Technical Blade Mastery
There isn’t an engineering or development team anywhere on earth that gets excited about an outside compliance team telling them how to build. Neither do we.
Instead, our cyber-samurai's embed with your engineering and development teams. We understand why they work the way they do. We help them appreciate the technical security reasons that underpin the more stringent compliance requirements.
Eventually, even the most compliance-weary technical teams quickly learn to trust and respect our guidance as, working together, we chart a course towards a compliant, secure cyber-future.
Our C-suite friendly Cyber-Samurai's combine technical expertise with decades of experience in complex business and government environments. Where possible, we help you efficiently shape existing processes and security programs to achieve compliance against multiple frameworks to reduce duplication of work. When not, we work with your team to build and present business cases, advise budgets, support go-to-market strategies and maximize your return on investment in FedRAMP compliance.
Similar to FedRAMP, if a cloud service provider wants to sell a cloud service offering to a Federal Agency, the specific offering must obtain a DoD Provisional Authorization (PA). This is above and beyond what is covered in FedRAMP and is defined within the DoD CC SRG. If there is no DoD PA in place, then the cloud service offering cannot be utilized by any DoD organization.
The requirements are outlined within the SRG and are above and beyond what is outlined in the FedRAMP-defined baseline. These additional requirements are quite extensive and oftentimes require the provider to think through how they will meet these prior to the 3PAO assessment.
FedRAMP+ is not the same as FedRAMP
FedRAMP+ is the overlay of DoD CC SRG requirements above FedRAMP’s baseline. FedRAMP is required for anyone selling to a federal agency; FedRAMP+ builds upon FedRAMP and is required for anyone selling to a defense agency. Thus, knowing who your end customer is up front will help ensure you have the proper requirements incorporated into your cloud service offering.
DISA Plays a Critical Role
The DISA Cloud Assessment Division serves as reviewers on the JAB, but when it comes to DoD sponsoring organizations, they provide additional support to DoD component sponsors and mission owners. Where applicable, DoD assigns a Joint Validation Team (JVT) to perform the review, which is also the same team that provides recommendations for authorization and briefs the authorizing official.
Provisional Authorization Takes Time
The DoD authorization process is quite lengthy as the reviewers want to ensure the package is comprehensive. DoD states that the estimated duration is 11-17 weeks (excluding the 3PAO assessment), however this will vary widely depending on the scope and complexity of the cloud service offering (excluding system package preparation activities).
Reciprocity Exists
FedRAMP and reciprocity has been a government and industry problem. To address this, DoD signed a DoD-wide provisional authorization in 2019 enabling DoD organizations to utilize FedRAMP Moderate authorizations for DoD SRG Impact Level 2 workloads. Quickly opening the door for the 200+ cloud service offerings to be adopted within the DoD community.
Why is DoD Cloud important?
Similar to FedRAMP, if a cloud service provider wants to sell a cloud service offering to a Federal Agency, the specific offering must obtain a DoD Provisional Authorization (PA). This is above and beyond what is covered in FedRAMP and is defined within the DoD SRG. If there is no DoD PA in place, then the cloud service offering cannot be utilized by any DoD organization. The requirements are outlined within the SRG and are above and beyond what is outlined in the FedRAMP-defined baseline. These additional requirements are quite extensive and oftentimes require the provider to think through how they will meet these prior to the 3PAO assessment.
Why should my organization care?
The use of cloud services continues to rise at statistically high rates. This continues to hold true for the US Government, including DoD organizations. And while DoD was slow to adopt the cloud in the early days of FedRAMP, DoD has exponentially increased the number of authorizations year over year. On top of that, more and more DoD organizations are sponsoring new authorizations through the process. This trend will continue as more cloud service offerings are brought into the DoD marketplace. In fact, the more niche of the product, the more likely that a DoD organization will be interested in procuring it if it aligns to their mission. bladestack.io recommends cloud service providers understand these points when approaching a potential DoD organization about sponsoring them through the program.
Unsheathe your BLADES.
Contact us to get started. The first step is a one hour introductory and readiness session, to understand your business landscape and gather technical details, while also making sure that we’re a mutual fit. We also offer unbilled follow up calls if you have any additional questions or need consulting advice as you gear up for the FedRAMP marathon.
Following our initial meetings, formal proposals and pricing are submitted within approximately one week. We can kick-off with a dedicated senior-level team within two to three weeks of contract signature.
