Case Study

Coalfire® Helps Innovest Accelerate FedRAMP® Compliance Using AWS

December 7, 2018
Amazon partner logo

Coalfire used AWS to help Innovest Systems build a FedRAMP-compliant platform in less than six months, attract a new government customer, and reduce costs. The company is an AWS partner that provides cybersecurity solutions and services to private- and public-sector organizations. Coalfire used AWS GovCloud (US) and its own security and automation methodology to help Innovest meet FedRAMP compliance requirements.

Helping a Customer Overcome Compliance Challenges

When enterprises begin working with federal government customers, they must often first comply with the Federal Risk and Authorization Management Program (FedRAMP)—a government program that provides a standardized approach to security. FedRAMP compliance, though, is a complex and time-consuming process.

“Many software or cloud providers aren’t thinking of compliance first—they’re thinking about their technology. FedRAMP certification can easily take 12 to 18 months, and it draws engineers away from improving the product because they’re trying to retrofit compliance into that product,” says Adam Kerns, managing principal for Coalfire, a cybersecurity advisory firm and Government Solutions Partner with Amazon Web Services (AWS).

Coalfire, a Premier Consulting Partner and Public Sector Partner in the AWS Partner Network (APN), helps organizations meet FedRAMP and other compliance requirements quickly and cost-effectively.

Coalfire uses an AWS security automation and orchestration (SAO) methodology to assess customer IT environments and build secure AWS architectures configured to meet common security requirements. The organization recently needed to put its approach into action quickly when Innovest Systems, a financial technology solution provider, approached Coalfire. Kerns says, “Innovest came to us because they had a potential new government customer and needed to become FedRAMP-compliant in under six months.”

Erick Lindley, the chief security officer of Innovest, adds, “A government entity wanted to use our Trust & Wealth Management software-as-a-service platform, but we knew we couldn’t become FedRAMP-compliant on our own. We were not experienced in FedRAMP compliance requirements, which is why we needed expertise from a partner like Coalfire.”

Using Automation to Prepare for a Move to the AWS GovCloud

Coalfire sent a team of technical consultants to the main Innovest office to implement an AWS SAO methodology. After an initial assessment, Coalfire recognized that the best solution would be to move the Innovest SaaS platform to AWS GovCloud (US), which holds FedRAMP Moderate and High accreditations. “We saw some gaps in the Innovest system, and we knew it would be best to build a brand-new environment for government customers in the AWS GovCloud,” says Kerns.

Coalfire engineering and advisory teams created comprehensive documentation and devised a systems security plan that contained all FedRAMP monitoring and policy generation requirements, so Innovest could prepare for a final FedRAMP Authority to Operate (ATO) audit.

Coalfire used AWS CloudFormation templates to speed the migration. “All our code is in AWS CloudFormation templates, so we deploy scripts and let them run to simplify the migration,” Kerns says. The Coalfire teams also provided a defined workload migration and modernization platform, based on a DevOps deployment model, to help Innovest remain FedRAMP-compliant once it passed the audit.

Audit-Ready in Less Than Six Months

Relying on its technical expertise and AWS SAO methodology, Coalfire helped Innovest quickly create a FedRAMPcompliant platform. “Working with Coalfire and using the AWS GovCloud, we had a FedRAMP-compliant platform and all FedRAMP required documentation in less than six months,” says Lindley. “Coalfire helped us fast-track our path to FedRAMP compliance and save between six and twelve months of work we would have had to do ourselves. Coalfire’s expertise and the AWS Cloud were critical in getting this done.”

Coalfire used automation and repeatable processes to accelerate the migration to AWS GovCloud. “In addition to our SAO process, a key is using prebuilt infrastructure as code that aligns to compliance and security reference architectures, so we can quickly stand up a compliant and secure infrastructure for our customers,” Kerns says. “Our SAO process enables customers to be agile and get their solutions to market faster.”

“Coalfire helped us fast-track our path to FedRAMP compliance and save between six and twelve months of work we would have had to do ourselves.”

ERICK LINDLEY, CHIEF SECURITY OFFICER, INNOVEST

Helping Innovest Expand Its Business

Once it had a FedRAMP-compliant platform, Innovest was able to pass its FedRAMP ATO audit—a critical part of the process of winning new business. Another third-party assessment organization conducted the audit. “By working with Coalfire and passing our FedRAMP ATO audit, we met the requirements of our new government customer, and they were able to begin using our Trust & Wealth platform to manage their own customers,” says Lindley.

By working with Coalfire, Innovest also eliminated the need to hire its own technical staff. “Many companies will spend more than $1 million to invest in technology and develop all the documentation for the FedRAMP program. Innovest spent a fraction of the cost,” says Kerns.

“Because of our methodology and the agility enabled by AWS, it didn’t have to put resources into hiring and managing the entire process.” Additionally, Innovest will benefit from Coalfire’s strong DevOps focus. “Through our SAO work, we provide reusable automation and DevOps orchestration for customers’ applications,” says Kerns. “As a result, Innovest can maintain the current platform and remain FedRAMP-compliant in the future.”

More on FedRAMP