Helping a Customer Overcome Compliance Challenges
When enterprises begin working with federal government customers, they must often first comply with the Federal Risk and Authorization Management Program (FedRAMP)—a government program that provides a standardized approach to security. FedRAMP compliance, though, is a complex and time-consuming process.
“Many software or cloud providers aren’t thinking of compliance first—they’re thinking about their technology. FedRAMP certification can easily take 12 to 18 months, and it draws engineers away from improving the product because they’re trying to retrofit compliance into that product,” says Adam Kerns, managing principal for Coalfire, a cybersecurity advisory firm and Government Solutions Partner with Amazon Web Services (AWS).
Coalfire, a Premier Consulting Partner and Public Sector Partner in the AWS Partner Network (APN), helps organizations meet FedRAMP and other compliance requirements quickly and cost-effectively.
Coalfire uses an AWS security automation and orchestration (SAO) methodology to assess customer IT environments and build secure AWS architectures configured to meet common security requirements. The organization recently needed to put its approach into action quickly when Innovest Systems, a financial technology solution provider, approached Coalfire. Kerns says, “Innovest came to us because they had a potential new government customer and needed to become FedRAMP-compliant in under six months.”
Erick Lindley, the chief security officer of Innovest, adds, “A government entity wanted to use our Trust & Wealth Management software-as-a-service platform, but we knew we couldn’t become FedRAMP-compliant on our own. We were not experienced in FedRAMP compliance requirements, which is why we needed expertise from a partner like Coalfire.”
Using Automation to Prepare for a Move to the AWS GovCloud
Coalfire sent a team of technical consultants to the main Innovest office to implement an AWS SAO methodology. After an initial assessment, Coalfire recognized that the best solution would be to move the Innovest SaaS platform to AWS GovCloud (US), which holds FedRAMP Moderate and High accreditations. “We saw some gaps in the Innovest system and we knew it would be best to build a brand-new environment for government customers in the AWS GovCloud,” says Kerns.
Coalfire engineering and advisory teams created comprehensive documentation and devised a systems security plan that contained all FedRAMP monitoring and policy generation requirements, so Innovest could prepare for a final FedRAMP Authority to Operate (ATO) audit.
Coalfire used AWS CloudFormation templates to speed the migration. “All our code is in AWS CloudFormation templates, so we deploy scripts and let them run to simplify the migration,” Kerns says. The Coalfire teams also provided a defined workload migration and modernization platform, based on a DevOps deployment model, to help Innovest remain FedRAMP-compliant once it passed the audit.
Audit-Ready in Less Than Six Months
Relying on its technical expertise and AWS SAO methodology, Coalfire helped Innovest quickly create a FedRAMP-compliant platform. “Working with Coalfire and using the AWS GovCloud, we had a FedRAMP-compliant platform and all FedRAMP required documentation in less than six months,” says Lindley. “Coalfire helped us fast-track our path to FedRAMP compliance and save between six and twelve months of work we would have had to do ourselves. Coalfire’s expertise and the AWS Cloud were critical in getting this done.”
Coalfire used automation and repeatable processes to accelerate the migration to AWS GovCloud. “In addition to our SAO process, a key is using prebuilt infrastructure as code that aligns to compliance and security reference architectures, so we can quickly stand up a compliant and secure infrastructure for our customers,” Kerns says. “Our SAO process enables customers to be agile and get their solutions to market faster.”