Why choose bladestack.io as your advisory partner?
bladestack.io is a team of the most absurdly technical cloud experts.
Our team of Cyber Samurais have decades of experience designing, deploying and continuously securing global infrastructure. Our cyber-samurais' cybersecurity engineering and compliance expertise spans US and international cloud security standards. Equally comfortable in the boardroom and out on the data center floor, our cyber-samurais are elite cloud security experts trusted by the world's most demanding organizations.
We are proud of the work we do and we stand by all of our claims.
We have been in the FedRAMP space since the program's inception and have first-hand experience with hundreds of advisory firms in the space. Our biggest problem, pet peeve, or whatever you want to call it, was the lack of technical mastery and all the mediocre work performed by competing advisory/consulting firms.
Documentation was sub-par, just enough to get by. Resources assigned to projects were just DIACAP/RMF/NIST "experts" with no actual domain knowledge, who could not speak to engineers and would shy away if presented with a command line interface (CLI).
They were not technologists with a burning passion for technology and security. They were not up at odd hours of the night learning the latest tech trend or spinning up their own sandbox environments, running exploits or developing code. They were standard copy-cats of the goliaths in the industry, who had become safe and boring. As a result, customers were left with a multitude of firms which did practically the same thing. Assessments and advisories, take your pick!
The reality is that spreading focus across both assessments and advisory work results in subpar advisory experiences for customers. When customers choose a firm to perform advisory work, 100% of the time the firm also happens to perform assessments. As a result, customers receive simple checkbox drones and not actual technical experts, engineers, or architects with the burning desire to ensure your business not only exceeds, but excels from a technical implementation standpoint.
Engineers' heartbeats race when a problem presents itself. Engineers get excited. Engineers problem-solve and think outside the box. However, customers were not receiving engineers, or outside-the-box problem solvers. Instead, customers received desk jockeys droning on about "that doesn't meet the requirement", "the requirement is the organization must define…." Oh great, another compliance drone and no actual actionable or valuable feedback.
Let us be clear – we do not mean disrespect to anyone or any other firm out there – we are simply stating problems we’ve encountered.
That is what ultimately birthed bladestack.io. We are just absurdly in love (some may even say borderline obsessed) with technology. Truthfully, sometimes it even frightens us and our loved ones. We always want to learn. We understand that we may not know everything – and that's absolutely thrilling. If we come across a new customer with a complex technology stack, we marvel in awe and our neurons start firing as we take everything in.
We could keep going on and on – but for everyone's sake (including ours) we decided to answer the question of "Why bladestack.io?" with the tables below.
Legend | Description |
---|---|
 | Feature/requirement is met and you can be confident the organization can stand behind its claim. |
 | Feature/requirements may be partially met, but with exceptions, caveats or a mediocre/sub-par experience. |
 | Feature/requirements are not met or simply not provided as part of the service. |
People make the difference.
Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
---|---|---|---|---|
Only hires engineers, architects, SREs, technologists | There isn't an engineering or development team anywhere on earth that gets excited about an outside compliance team telling them how to build. Neither do we. Instead, our cyber-samurais embed with your engineering and development teams. We understand why they work the way they do. And we help them appreciate the technical security reasons that underpin the more stringent compliance requirements. Even the most compliance-weary technical teams quickly learn to trust and respect our guidance as, working together, we chart a course towards a compliant, secure cyber-future. | |||
Advisory-Only Firm | Our bread and butter is technical advisory; to be clear, absurdly technical advisory. We do not perform assessments outside of Gap Assessments, which are done as part of an overall roadmap activity that ultimately leads to an advisory. We have no desire to perform assessments. If you are looking for an assessment firm, we are more than happy to refer you to one of our many partners. | |||
Customer-Obsessed | Akin to Amazon, we start with the customer and work backwards. We work vigorously to earn and keep our customers' trust. Although leaders pay attention to competitors, we obsess over customers. | |||
Industry Certified SMEs | Feel at ease with the cyber-samurais at BSIO. The average number of certifications per employee exceeds that of any other advisory firm out there. Our samurais are also active item writers for all the latest technology certifications, from AWS Professional level exams, Azure and Google Cloud Platform Professional exams to compliance exams such as ISC2, ISACA, CompTIA and more. Not that certifications are the only thing that matters - our samurais know the certification itself is not the achievement -- the self-knowledge validation is. | |||
Experience supporting and advising government, commercial products and services | One of the greatest complaints customers typically have against any type of advisory/consulting firm is that resources don't have experience with product management, design, marketing or the business, and so cannot understand how to sew security requirements into the overall product. Most advisory and consulting firms shy away from sitting in on product design discussions, engineering calls and the like -- because it's simply "not in scope". BSIO, by contrast, recognizes the importance of embedding ourselves with the service/product and ensuring business requirements meet compliance requirements. We have experience with product development from Robotic Process Automation (RPA), Artificial Intelligence (AI), Machine Learning (ML) and more -- simply because we've lived and breathed those worlds. | |||
Artistic, aesthetically pleasing, intuitive and clever Documentation developed and written by technical experts, architects, and engineers.
Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
---|---|---|---|---|
Standard FedRAMP Documentation | Addresses all standard FedRAMP Documentation and templates. Policies, Procedures, Plans, and the SSP. | |||
Cloud-Native Documentation | No more legacy Information System Contingency Plan or Configuration Management Plan. Fresh new plans developed to take into consideration the most modern cloud-native approaches, along with CI/CD pipeline approaches addressing configuration management and contingency planning. | |||
Code blocks for code and security control parameters | Gone are the days of trying to parse through hundreds of documents to find a frequency, a specific FedRAMP requirement/parameter, or any other defined parameter. All parameters have been properly code-blocked for ease of recognition. | |||
All FedRAMP Assessment Procedures Addressed | Assessor Friendly Documentation - All documentation is written to completely address each FedRAMP Assessment Test Case Procedure Objective. Includes All Policies, Procedures, Plans and SSPs. | |||
All FedRAMP Assessment Procedures Mapped | Assessor Friendly Documentation - All documentation written is also mapped to address each FedRAMP Assessment Test Case Procedure Objective. Including tables, figures, equations, diagrams, photos etc. If it's in the document, it has a purpose and is mapped back to a Security Test Case Procedure. Includes All Policies, Procedures, Plans and SSPs. | |||
NIST Compliance Language | Documentation which includes language which only addresses NIST compliance and doesn't get too technical. Includes standard "Risk Management Framework / RMF" type of language. | |||
NIST Compliance Interwoven with Technical Mastery | All documentation is written to be usable and adaptable. No ambiguous template language. Easy to consume as a technical SME, adapt and implement. NIST Compliance language interwoven with technical level implementation statements which provide actual value to the organization as opposed to "checking a box". | |||
Documentation Quickparts | Easily replace frequently used terms such as the Documentation Title, Company Name, Cloud Service Offering (CSO) Name, CSO Acronym, Cloud Model, Framework, FIPS-199 Categorization, Author, Approver and more -- quickly and easily through Microsoft Word Documentation Property / Quick parts | |||
Markdown Versions Available | Microsoft Word not so much your speed? No worries, our cyber-samurais have you covered. All policies and procedures can be made available in comprehensive .md format for your viewing pleasure. Just please take into consideration that the FedRAMP PMO typically will not accept .md files as part of the authorization package. | |||
Includes "Notes", "Tips" and other helpful security and compliance call-outs | Documentation includes pleasing information and reference call-outs to help guide reviewers and inexperienced auditors to learn, grow and understand the complex, nuanced nature of the FedRAMP framework. Examples include the difference between a major change and a significant change (as defined by NIST SP 800-128), and the difference between a disaster recovery plan and an information system contingency plan (ISCP) as defined by NIST SP 800-34. Call-outs informing the reviewer how a cloud-native solution's CI/CD pipeline maps to the latest authorization boundary guidance and the Cloud Native Computing Foundation landscape, with links and references directly to official FedRAMP PMO guidance, and more! | |||
OSCAL Versions Available | Are you on the cutting edge of OSCAL? Already have OSCAL capabilities? Great, we're no slouches either. Need an OSCAL SSP? OSCAL Policies, Procedures and Plans? Sure thing -- we've got you covered. Just a small reminder: current OSCAL policies and procedures are in Component Definition Model format, so unless new guidance emerges indicating a new approach for policies, procedures, plans and the like, the currently accepted approach is through the use of the OSCAL Component Model. | |||
Envy-inducing Diagrams
Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
---|---|---|---|---|
Envy-inducing authorization boundary diagrams | You haven't seen an authorization boundary diagram until you've seen one developed by the cyber-samurais at bladestack.io. Multiple praises from the FedRAMP PMO, agencies, our customers and more. | |||
Standard Dataflows | Beginning with the basics, our diagrams include fundamental flows such as standard HTTPS, SMTP, DNS, NTP etc. traffic call-outs. | |||
Federal Dataflows | Where the dataflows get fun. We make distinctions between transmission, processing, and storage of federal data flows. Each type of variation is addressed, including if the flow is FIPS-validated or not. A minimum of eight (8) types of addressable dataflows! | |||
Even more types of Dataflows! | We could keep going, but the short version is, we are engineers, architects, developers and samurais with a passion for security and technology. We dive into authentication user flows, external connectivity flows, customer enclave connectivity, VPN, corporate connectivity, corporate metadata, update services, container orchestration, container pods, container side-cars, API services, node connectivity, controller services, scheduler services, proxies, and on and on we can go (hint: we do!). | |||
Diagram Legends | All types of legends for all types of cloud service offerings. From types of MFA, Interconnection Service Agreements, call-outs for FedRAMP Agency Authorized services, FedRAMP JAB Authorized services, non-FedRAMP Authorized services, services with federal data with direct potential impact, federal data with indirect potential impact, Identity Provider services, and so on. | |||
Boundary Legends | Technical cloud-native boundary legends, including IaaS-specific legends: the standard Authorization Boundary, Service Boundary, Account boundaries, PaaS service(s) boundary, Subnet boundaries, virtual private clouds, security groups, container services, customer boundaries, corporate services, agent runtimes, system boundaries, boundaries with shared services and shared responsibilities, clustered resources, DMZs, and boundary legends tied to specific processes (CI/CD pipeline etc.). | |||
Innovative and pleasant Services - cookie cutter services not permitted.
Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
---|---|---|---|---|
Gap Assessments | Gap Assessments which are a mile wide and an inch deep aren't too helpful. You don't need an outside firm telling you what you already know. You don't have a policy and procedure? You haven't performed a simulated contingency test in the past year? You don't do proper configuration management? Did you really need to pay someone to tell you those basic things? What you really need to know is how. Yes, you recognize that you are not performing configuration management. What you want to know is how on earth you do it when you currently have a CI/CD pipeline, with multiple environments, with your code repo residing outside the boundary, and how exactly should you (or can you!?) do canary deployments in FedRAMP?! Don't worry, we've got you covered. | |||
Internal Audit Support | | |||
ConMon Support | ConMon Support ranging from maintenance of documentation, vulnerability management, reporting, significant change, POA&M management, configuration and change management, incident response, contingency planning, agency sponsor reporting/management, and more. Oh, I believe we may have forgotten to mention that we embed right into your organization. Meaning, we are not your typical advisory firm which stands on the sidelines pointing and directing; we are active participants in your Change Management meetings, and we discuss significant changes and possible out-of-the-box solutions with your engineers. We are active respondents for vulnerability, training and contingency planning events and more. | |||
Sound too good to be true? Contact a Cyber-Samurai today and we'll be happy to provide you with a FREE consultation.
Contacting bladestack.io puts you in direct contact with our Lead Samurais to discuss your cybersecurity requirements. After an initial introductory call, we offer additional unbilled consulting time until you are comfortable proceeding to the next steps. Feel free to bring your engineering and security teams and let's start solving your security and compliance challenges.