Battle-hardened Cyber-Samurais Built for the Cutting-Edge Battlespace
“In the midst of chaos, there is also opportunity.” – Sun Tzu
What makes selling to DoD different than selling to the Civilian sector? What is this FedRAMP+ that people are talking about?
Leverage our Cyber-Samurai to navigate the waters of DoD so that you can obtain a provisional authorization (PA) to sell to all of DoD. bladestack.io team members have supported numerous DoD assessments and will help guide your team to success.
Our cyber-samurais are equipped and credentialed with the top industry recognized certifications. We are prepared to cut, slice and dice through the cyber fog of war to ensure you come out on top.
Decades of Experience Cultivating the Civilian to DoD Transition
Secure cloud computing is critical to the Department of Defense (DoD)’s plans to dominate the digital battlefield. However, the DoD’s continuously changing and complex security requirements hamper DoD support organizations’ ability to rapidly field modern cloud capabilities.
bladestack.io’s Cyber-Samurai help private sector organizations meet DoD security requirements and deliver compelling solutions to modern defense challenges.
Our Cyber-Samurai help private sector organizations interpret DoD guidance, speak DoD security language, and design and architect systems that meet both civilian and DoD standards.
A critical step in any engagement is to understand your current state by conducting a gap analysis against the FedRAMP+ C/CEs, targeting your desired Impact Level (IL) and FIPS-199 system categorization. We then work with you to align existing practices and security controls to DoD’s requirements. We develop security documentation to address DoD-specific requirements, deconflict between technical requirements such as DISA STIGs and CIS Benchmarks, and implement the security architecture that DoD expects to see prior to interconnecting with its critical infrastructure.
Gap analyses help CSPs, whether FedRAMP-authorized or not, determine their readiness against DoD’s FedRAMP+ controls, up to and including IL6.
Our DoD cloud security gap analysis will educate you on the DoD security process, explain the various cloud security guides and evaluate your cloud solutions for readiness to support the DoD mission.
bladestack.io's gap analysis results in a prioritized roadmap of actions that will help you meet DoD requirements. We also help you estimate the cost to undergo an independent assessment to DoD’s standards.
bladestack.io’s experienced Cyber-Samurai can develop all required DoD documentation, or update existing documentation to address DoD’s specific requirements.
- Preparation activities to identify gaps and implement remediation actions
- Develop the entire DoD SRG security package
- Additional boundary review and validation throughout the package development process
- Turn-key program development to ensure cloud service offering is ready for assessment
- We also help deconflict between civilian and DoD technical requirements while implementing security approaches that will facilitate interconnection with the Defense Information Systems Network (DISN).
If you’re preparing for your first DoD security assessment at the IL4/IL5/IL6 level but need some assistance, we can help translate between civilian CSP teams and DoD assessors.
We are well-versed with the quirks of the DoD Provisional Authorization (PA) process and can expeditiously resolve findings and streamline the authorization. We also have relationships across the DoD security community and at the Defense Information Systems Agency (DISA) to help resolve misunderstandings and facilitate a smooth assessment.
Achieving FedRAMP accreditation is tricky. But holding on to that accreditation is even harder.
- Process for maintaining the authorization once the authorization has been granted
- Includes various weekly, monthly, quarterly, and annual checkpoints
- Control assessments and penetration tests to be performed annually or more frequently if introducing a significant change request
- Vulnerability scans to be performed monthly, with reporting provided to the DoD CISA each month based on the results of those scans
- Requires meticulous oversight and proper staffing levels to ensure the security posture of the offering is not negatively impacted over time
DoD Cyber Cloud Security
DoD layers a challenging array of additional requirements on top of the US Government’s already demanding FedRAMP control framework. DoD’s FedRAMP+ Controls/Control Enhancements (C/CEs), described in the Cloud Computing Security Requirements Guide (CC SRG), are obviously critical but often overlooked due to the nuanced nature of the requirements. Additional documents, including DoDI 8510.1, guidance from the Joint Enterprise Standards Committee (JESC), the Cloud Connection Process Guide and the Secure Cloud Computing Architecture (SCCA), must also be addressed throughout the system design and deployment process. Even for FedRAMP-authorized Cloud Service Providers (CSPs), these DoD-specific requirements can be jarring when transitioning from the civilian world. As an example, DoD mandates technical hardening to the DISA Security Technical Implementation Guides (STIGs), whereas FedRAMP defaults to the Center for Internet Security (CIS) Benchmarks. DoD also requires adherence to DoDI 8551.01 for approved ports, protocols and services, and introduces additional incident response tracking and reporting requirements.
Compliance & Technical Blade Mastery
There isn’t an engineering or development team anywhere on earth that gets excited about an outside compliance team telling them how to build. Neither do we.
Instead, our cyber-samurai embed with your engineering and development teams. We understand why they work the way they do. We help them appreciate the technical security reasons that underpin the more stringent compliance requirements. Even the most compliance-weary technical teams quickly learn to trust and respect our guidance as, working together, we chart a course towards a compliant, secure cyber-future.
Our C-suite friendly Cyber-Samurai combine technical expertise with decades of experience in complex business and government environments. Where possible, we help you efficiently shape existing processes and security programs to achieve compliance against multiple frameworks and reduce duplication of work. Where not, we work with your team to build and present business cases, advise on budgets, support go-to-market strategies and maximize your return on investment in FedRAMP compliance.
Just as FedRAMP authorization is required to sell a cloud service offering to a federal agency, an offering sold to DoD must obtain a DoD Provisional Authorization (PA). This is above and beyond what is covered in FedRAMP and is defined within the DoD CC SRG. If there is no DoD PA in place, then the cloud service offering cannot be utilized by any DoD organization.
The requirements are outlined within the SRG and are above and beyond what is outlined in the FedRAMP-defined baseline. These additional requirements are quite extensive and oftentimes require the provider to think through how they will meet them prior to the 3PAO assessment.
FedRAMP+ is not the same as FedRAMP
FedRAMP+ is the overlay of DoD CC SRG requirements above FedRAMP’s baseline. FedRAMP is required for anyone selling to a federal agency; FedRAMP+ builds upon FedRAMP and is required for anyone selling to a defense agency. Thus, knowing who your end customer is up front will help ensure you have the proper requirements incorporated into your cloud service offering.
DISA Plays a Critical Role
The DISA Cloud Assessment Division serves as a reviewer on the JAB, but when it comes to DoD sponsoring organizations, it provides additional support to DoD component sponsors and mission owners. Where applicable, DoD assigns a Joint Validation Team (JVT) to perform the review; this is also the team that provides recommendations for authorization and briefs the authorizing official.
Provisional Authorization Takes Time
The DoD authorization process is quite lengthy, as the reviewers want to ensure the package is comprehensive. DoD states that the estimated duration is 11-17 weeks, excluding the 3PAO assessment and system package preparation activities; however, this will vary widely depending on the scope and complexity of the cloud service offering.
FedRAMP reciprocity has been a long-standing government and industry problem. To address this, DoD signed a DoD-wide provisional authorization in 2019 enabling DoD organizations to utilize FedRAMP Moderate authorizations for DoD SRG Impact Level 2 workloads, quickly opening the door for the 200+ FedRAMP-authorized cloud service offerings to be adopted within the DoD community.
Unsheathe your BLADES.
Contact us to get started. The first step is a one-hour introductory and readiness session to understand your business landscape and gather technical details, while also making sure that we’re a mutual fit. We also offer unbilled follow-up calls if you have any additional questions or need consulting advice as you gear up for the FedRAMP marathon.
Following our initial meetings, formal proposals and pricing are submitted within approximately one week. We can kick-off with a dedicated senior-level team within two to three weeks of contract signature.