Why choose bladestack.io as your advisory partner?
bladestack.io is a team of the most absurdly technical cloud experts.
Our team of Cyber Samurais have decades of experience designing, deploying and continuously securing global infrastructure. Our cyber-samurais cybersecurity engineering and compliance expertise spans US and international cloud security standards. Equally as comfortable in the boardroom as out on the data center floor, our cyber-samurai’s are elite cloud security experts trusted by the world’s most demanding organizations.
We are proud of the work we do and we stand by all of our claims.
Since the birth of the FedRAMP program, we’ve been actively involved, gaining first-hand experience with numerous advisory firms in the sector. However, a recurring issue has been the widespread lack of technical proficiency, which is evident in the lackluster performance of many competing advisory and consulting firms.
Many firms seem to be content with producing just-passable documentation. The personnel assigned to projects, although labeled as DIACAP/RMF/NIST “experts,” often lack actual domain knowledge. They often stumble when communicating with engineers, especially when faced with a command-line interface (CLI).
These experts are not technophiles who are driven by a deep love for technology and security. They aren’t the ones staying awake at odd hours, exploring the latest tech trends, or setting up their sandbox environments to run exploits or code. Many have become mere replicas of the industry’s giants, sticking to the safe and mundane, leaving clients with a multitude of firms all offering the same generic services: assessments and advisories.
When a firm tries to cover both assessments and advisory services, the result is usually a mediocre experience for the client. Clients tend to select firms that offer both services, but unfortunately, they end up with firms that just tick off the compliance checkboxes. They aren’t receiving the expertise of passionate engineers and architects who are driven to ensure your business’s technical operations are not just efficient but exceptional.
Real engineers thrive on challenges. They get a rush from problem-solving, they think innovatively. Unfortunately, instead of such forward thinkers, clients often end up dealing with mere desk-jockeys, who only focus on compliance statements like “that doesn’t meet the requirement,” or “the organization must define…” What clients receive are not actionable insights but rather monotonous compliance jargon.
To be clear, we mean no disrespect to any individual or firm. We are simply highlighting the prevalent issues we’ve observed. This was the impetus behind the creation of bladestack.io. We are fiercely passionate about technology—some might even say we’re borderline obsessed. This fervor often startles us and even those close to us. Our thirst for knowledge is unquenchable, and we find the vast expanse of things we don’t yet know absolutely exhilarating. When faced with a client with a complex tech stack, we gaze in awe and our minds light up as we absorb everything.
We could continue talking about this, but for everyone’s sake, including ours, we decided to answer the question of “Why bladestack.io?” concisely in the table below.
| Legend | Description |
|---|---|
| Feature/requirement is met and you can be confident the organization can stand behind their claim. | |
| Feature/requirements may partially be met but with exceptions, caveats or mediocre/sub-par experience. | |
| Feature/requirements are not met or simply not provided as part the service. |
People make the difference.
| Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
|---|---|---|---|---|
| Only hires engineers, architects, SRE's, Technologists | There isn’t an engineering or development team anywhere on earth that gets excited about an outside compliance team telling them how to build. Neither do we. Instead, our cyber-samurai's embed with your engineering and development teams. We understand why they work the way they do. And we help them appreciate the technical security reasons that underpin the more stringent compliance requirements. Eventually, even the most compliance-weary technical teams quickly learn to trust and respect our guidance as, working together, we chart a course towards a compliant, secure cyber-future. | |||
| Advisory-Only Firm | Our bread and butter is technical advisory, to be clear, absurdly technical advisory. We do not perform assessments outside of Gap Assessments which are done as part of an overall roadmap activity which ultimately leads to an advisory. We have no desire to perform assessments. If you are looking for a assessment firm, we are more than happy to refer you to one of our many partners. | |||
| Customer-Obsessed | Akin to Amazon, we start with the customer and work backwards. We work vigorously to earn and keep our customers trust. Although leaders pay attention to competitors, we obsess over customers. | |||
| Industry Certified SME's | Feel at ease with the cyber-samurai's at BSIO. The average # of certs per employee exceed any other advisory firm out there. Our samurais are also active item writers for all the latest technology certifications, from AWS Professional level exams, Azure, Google Cloud Platform Professionals to compliance exams such as ISC2, ISACA, CompTIA and more. Not that certifications are the only thing that matter - our samurai's know the certification itself is not the achievement -- the self-knowledge validation is. | |||
| Experience supporting and advising government, commercial products and services | One of the greatest complaints customers typically have against any type of advisory/consulting firm is that resources don't have experience with product management, design, marketing, business' to understand how to sew security requirements into the overall product. Most advisory and consulting firms shy away from sitting in on product design discussions, engineering calls and the likes -- because it's simply "not in scope". Whereas, BSIO recognizes the importance of embedding ourselves with the service/product and ensuring business requirements meet compliance requirements. We have experience with product development from Robotic Process Automation (RPA), Artificial Intelligence (AI), Machine Learning (ML) and more -- simply because we've lived and breathed those worlds. |
Artistic, aesthetically pleasing, intuitive and clever Documentation developed and written by technical experts, architects, and engineers.
| Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
|---|---|---|---|---|
| Standard FedRAMP Documentation | Addresses all standard FedRAMP Documentation and templates. Policies, Procedures, Plans, and the SSP. | |||
| Cloud-Native Documentation | No more legacy Information System Contingency Plan or Configuration Management Plan. Fresh new plans developed to take into consideration of the most modern cloud-native approaches, along with CI/CD pipeline approaches addressing configuration management and contingency planning. | |||
code blocks for code, security control parameters
|
Gone are the days of trying to parse through hundreds of documentation to find a frequency, a specific FedRAMP requirement/parameter, or any other defined parameter. All parameters have been properly code-blocked for ease of recognition. | |||
| All FedRAMP Assessment Procedures Addressed | Assessor Friendly Documentation - All documentation is written to completely address each FedRAMP Assessment Test Case Procedure Objective. Includes All Policies, Procedures, Plans and SSPs. | |||
| All FedRAMP Assessment Procedures Mapped | Assessor Friendly Documentation - All documentation written is also mapped to address each FedRAMP Assessment Test Case Procedure Objective. Including tables, figures, equations, diagrams, photos etc. If it's in the document, it has a purpose and is mapped back to a Security Test Case Procedure. Includes All Policies, Procedures, Plans and SSPs. | |||
| NIST Compliance Language | Documentation which includes language which only addresses NIST compliance and doesn't get too technical. Includes standard "Risk Management Framework / RMF" type of language. | |||
| NIST Compliance Interwoven with Technical Mastery | All documentation is written to be usable and adaptable. No ambiguous template language. Easy to consume as a technical SME, adapt and implement. NIST Compliance language interwoven with technical level implementation statements which provide actual value to the organization as opposed to "checking a box". | |||
| Documentation Quickparts | Easily replace frequently used terms such as the Documentation Title, Company Name, Cloud Service Offering (CSO) Name, CSO Acronym, Cloud Model, Framework, FIPS-199 Categorization, Author, Approver and more -- quickly and easily through Microsoft Word Documentation Property / Quick parts | |||
| Markdown Versions Available | Microsoft Word not so much your speed? No worries, our cyber-samurai's have you covered. All policies and procedures can be made available in comprehensive .md format for your viewing pleasure. Just please take into consideration that the FedRAMP PMO typically will not accept .md files as part of the authorization package. | |||
| Includes "Notes", "Tips" and other helpful call security and compliance outs |
Documentation includes pleasing information and reference call-outs to help guide reviewers and inexperienced auditors to learn, grow and understand the complex nuanced nature of the FedRAMP framework Examples include difference between a major change and significant change (as defined by NIST SP 800-128). Difference between a disaster recovery plan and information contingency plan (ISCP) as defined by NIST 800-34. Call-outs informing the reviewer how a cloud-native solutions CI/CD pipeline maps to the latest authorization boundary guidance and the Cloud Native Computing Foundation landscape, with links and reference directly to official FedRAMP PMO guidance & more! |
|||
| OSCAL Versions Available | Are you on the cutting-edge of OSCAL? Already have a OSCAL capabilities. Great, we're no slouches either. Need a OSCAL SSP? OSCAL Policies, Procedures and Plans? Sure thing -- we got you covered. Just a small reminder, current OSCAL policies and procedures are in Component Definition Model formats - so unless new guidance emergences on how policies, procedures, plans and the like indicate a new approach -- the current accepted approach is through the use of the OSCAL Component Model. |
Envy-inducing Diagrams
| Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
|---|---|---|---|---|
| Envy-inducing authorization boundary diagrams | You haven't seen an authorization boundary diagram until you've seen one developed by the cyber-samurais at bladestack.io. Multiple praises from the FedRAMP PMO, agencies, our customers and more. | |||
| Standard Dataflows | Beginning with the basics, our diagrams include fundamental flows such as standard HTTPS, SMTP, DNS, NTP etc. traffic call outs | |||
| Federal Dataflows | Where the dataflows get fun. We make distinctions between transmission, processing, and storage of federal data flows. Each type of variation is addressed, including if the flow is FIPS-validated or not. A minimum of eight (8) types of addressable dataflows! | |||
| Even more types of Dataflows! | We could keep going, but the short version is, we are engineers, architects, developers and samurais with a passion for security and technology. We dive into authentication user flows, external connectivity flows, customer enclave connectivity, VPN, corporate connectivity, corporate metadata, update services, container orchestration, container pods, container side-cars, API services, node connectivity, controller services, scheduler services, proxies, and on and we can go. (hint: we do!) | |||
| Diagram Legends | All types of legends for all types of cloud service offerings. From types of MFA, Interconnection Service Agreements, call-outs for FedRAMP Agency Authorized services, FedRAMP JAB Authorized services, non-FedRAMP Authorized services, services with federal data with direct potential impact, federal data with indirect potential impact, Identity Provider services, and so on. | |||
| Boundary Legends | Technical cloud-native boundary legends to include IaaS specific legends, to include the standard Authorization Boundary, Service Boundary, Account boundaries, PaaS service(s) boundary, Subnet boundaries, virtual private clouds, security groups, container services, customer boundaries, corporate services, agent runtimes, system boundaries, boundaries with shared services and shared responsibilities, clustered resources, DMZ's, boundary legends tied to specific processes (CI/CD pipeline etc.) |
Innovative and pleasant Services - cookie cutter services not permitted.
| Feature | Description | bladestack.io | Competing Advisory/Consulting Firms | Compliance Forge & Similar Templatized Documentation |
|---|---|---|---|---|
| Gap Assessments |
Gap Assessments which are a mile wide and an inch deep aren't too helpful.
You don't need a outside firm telling you what you already know. You don't have a policy and procedure? You haven't performed a simulated contingency test in the past year? You don't do proper configuration management? Did you really need to pay someone to tell you those basic things? What you really need to know is how. Yes, you recognize that you are not performing configuration management. What you want to know is that how on earth do you do it when you currently have a CI/CD pipeline, with multiple environments, with your code repo residing outside the boundary, and how exactly should you (or can you!?) do canary deployments?!? in FedRAMP?!" Don't worry, we got you covered. |
|||
| Internal Audit Support | BSIO offers a wide range of internal audit services, including penetration testing, to help organizations comply with the strict security standards set by FedRAMP. Our team of experts will conduct a thorough review of your organization's cloud environment, identify potential risks and vulnerabilities, and simulate attacks to test the effectiveness of your security controls. We provide actionable recommendations to improve your security posture, ensuring that your organization is in compliance with the program's requirements and reducing the risk of security breaches and data loss. With our FedRAMP audit services and penetration testing, you can be confident that your cloud environment is secure, and you are fully compliant with the requirements of the program. | |||
| ConMon Support | ConMon Support ranging from maintenance of documentation, vulnerability management, reporting, significant change, POA&M management, reporting, configuration and change management, incident response, contingency planning, agency sponsor reporting/management, and more. Oh, I believe we may have forgotten to mention that we embed right into your organization. Meaning, we are not your typical advisory firm which stands by the sidelines pointing and directing, we are active participants in your Change Management meetings, we discuss significant changes with your engineers and possible out of the box solutions. We are active respondents for vulnerability, training and contingency planning events and more. |
Sound too good to be true? Contact a Cyber-Samurai today and we'll be happy to provide you with a FREE consultation.
Contacting bladestack.io puts you in direct contact with our Lead Samurais to discuss your cybersecurity requirements. After an initial introductory call, we offer additional unbilled consulting time until you are comfortable to proceed to the next steps. Feel free to bring your engineering and security teams and let’s start solving your security and compliance challenges.