CASE STUDY

How Valley IT Solutions Leveraged Aquia to Further Secure Sensitive Customer Data and Approach its FedRAMP Assessment With Confidence

Valley IT Solutions needed to obtain a Federal Risk and Authorization Management Program (FedRAMP) authority to operate (ATO) to retain a key piece of federal business. Working with Aquia, the company streamlined the path to ATO with data management on Amazon Web Services (AWS) and leveraged AWS services to achieve necessary technical implementations while satisfying FedRAMP compliance requirements.


About Valley IT Solutions

Valley IT Solutions specializes in providing high-quality software solutions, DevOps, and IT-managed services. Their offerings range from software development and hardware engineering to managed network services and cloud services.


The Challenge

  • Valley IT Solutions, a company providing high-quality software solutions, DevOps, and IT managed services, needed to achieve a Federal Risk and Authorization Management Program (FedRAMP) authority to operate (ATO) to retain a key piece of federal business. In an effort to approach the assessment with confidence, Valley IT needed to streamline the creation of documents, maintenance of data, and implementation of technologies within its AWS environment.

The Solution

  • The company selected Aquia to provide support and guidance in its ATO journey to FedRAMP authorization, creating documentation specific to its needs, architecting necessary security controls within its AWS environment, and providing deep technical knowledge on AWS-specific tools and implementations.

The Results

  • Achieving a FedRAMP ATO allowed Valley IT to retain its federal customer and opened the door to additional federal business as an authorized cloud service provider listed on the FedRAMP Marketplace.

Expediting the Journey to Authority to Operate (ATO)


The company provides services to a large federal agency within the United States government. However, the introduction of a software as a service (SaaS) application necessitated a FedRAMP assessment to demonstrate the application’s compliance with the security controls of NIST Special Publication 800-53.

Understanding that documentation is a foundational component of FedRAMP authorization, Valley IT needed to document its policies, procedures, and plans — which would subsequently support the procedural control implementation.

Due to the sensitivity of the data being maintained, the company also needed to ensure the technical solutions were able to be built and maintained on AWS exclusively. In doing so, they were able to avoid incurring additional fees associated with assessing SaaS application data outside of the AWS environment.

In addition, Valley IT needed to expedite the ATO or risk losing the agency’s business, as all cloud service offerings (CSO) used by the government must be FedRAMP authorized.

Understanding the critical importance of obtaining their FedRAMP authorization — and that time was of the essence — Valley IT commissioned Aquia to support them in their journey, leveraging support from Aquia’s security engineers to help architect solutions specific to their environment and advise on FedRAMP specifications.

Bringing Expertise That Inspires Confidence

Aquia played an integral role in ensuring Valley IT was set up for success in its FedRAMP assessment. “Leveraging Aquia’s expertise has allowed us to enter the FedRAMP assessment process with a high level of confidence, knowing that the necessary security and compliance measures are in place,” said Hamad Abdelnour, chief executive officer, Valley IT. “This allows our team to focus on meeting the needs of our customers while maintaining compliance with stringent regulatory standards.”

As an AWS Partner, Aquia brought proven AWS technical expertise and a commitment to architecting, deploying, and securing cloud workloads to the initiative.

The Aquia team combines certified AWS Solutions Architects with seasoned security engineers and governance, risk, and compliance (GRC) specialists, helping Valley IT address both technical and process gaps quickly and correctly. In addition, through Aquia’s partnership with DataLock, a FedRAMP third-party assessment organization (3PAO), the team ensured a detailed gap analysis was conducted and the controls that needed to be implemented were identified early in the process. This allowed Valley IT to go into the FedRAMP assessment with confidence, knowing that the continuous monitoring (ConMon) obligations — a vital component post-authorization — would also be met.

“The collaborative nature of our relationship with Valley IT allowed us to swiftly and accurately bridge any deficiencies, ensuring a robust and secure environment for their application on AWS,” said Nathalie Baker, GRC manager, Aquia. “By proactively identifying the necessary controls that must be implemented to meet the stringent FedRAMP requirements, we can address any potential gaps early in the process, saving Valley IT time and resources while ensuring a thorough and successful assessment outcome.”

Leveraging AWS ECR and Amazon EKS to Meet FedRAMP Compliance Requirements

In an effort to meet the expedited timeline, Valley IT leveraged Aquia’s team of dedicated GRC professionals and security engineers, allowing the GRC documentation to move forward in tandem with the technical implementations. Additionally, Aquia deployed services and toolings within Valley IT’s AWS cloud environment to allow their team to maintain ownership and control of the data.

Using Amazon Elastic Container Registry (Amazon ECR), a fully managed container registry for storing, managing, and deploying Docker container images, the team simplified its container image management and deployment processes. With Amazon ECR, the team can push and pull container images to and from Amazon Elastic Kubernetes Service (Amazon EKS), allowing for faster application deployment, better resource utilization, and tighter control over who can access the Docker image repository.

In order to satisfy FedRAMP configuration management controls, the team leveraged AWS ECR and Amazon EKS for deploying open source software (OSS) ticketing systems, such as TrueDesk, to track and manage customer support requests. By deploying TrueDesk in a containerized environment using EKS and ECR, they are able to ensure that their help desk software is easily deployable and scalable, while still meeting strict security requirements.

Vulnerability management is a key component of FedRAMP system integrity and risk assessment controls. To meet that need, the team used AWS ECR and Amazon EKS to deploy DefectDojo, an open-source vulnerability management tool, to easily track and manage vulnerabilities in their systems and ensure that any flaws are remediated in a timely manner.

In addition to vulnerability management, the team needed to deploy a security information and event management (SIEM) solution, which is crucial for meeting FedRAMP system integrity, incident response, and audit and accountability controls. Aquia worked with Valley IT to use Amazon EKS and containerization to deploy the SIEM solution Wazuh. By containerizing Wazuh and deploying it on Amazon EKS, Valley IT ensured that its security monitoring and incident response capabilities are easily scalable and highly available.

To further enhance its security posture, the team also configured Amazon Simple Storage Service (Amazon S3) to store AWS Security Hub and Amazon Inspector findings, a key component of FedRAMP system integrity controls. By exporting and retaining this data in Amazon S3, Valley IT can analyze and monitor its security posture and ensure that any potential vulnerabilities are identified and addressed in a timely manner.

Finally, by configuring DefectDojo to import scan results from Amazon S3 and using Amazon CloudWatch Events to trigger AWS Lambda functions to automate the export of this data, the team can further streamline their vulnerability management processes. This allows for faster and more efficient identification and remediation of potential security flaws, which is essential for meeting FedRAMP system integrity and risk assessment controls.
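The export step described above, as an added example that is not Valley IT’s or Aquia’s code: a Lambda handler, meant to be invoked on a schedule by a CloudWatch Events (EventBridge) rule, that pages through the active Security Hub findings and writes them to S3 as a single encrypted JSON object in the same `{"Findings": [...]}` shape that `get-findings` returns, which is assumed here to be what DefectDojo’s Security Hub importer consumes. The bucket and prefix environment variable names, the sample findings, and the fake clients are constructed for this example; the `boto3` calls used (`securityhub.get_findings`, `s3.put_object`) are real API methods.

```python
import json
import os
from collections import Counter
from datetime import datetime, timezone

# Hypothetical environment variable names the Lambda would be deployed with.
BUCKET_ENV = "FINDINGS_BUCKET"
PREFIX_ENV = "FINDINGS_PREFIX"


def active_findings_filter():
    """ASFF filter: only ACTIVE records whose workflow is still open (NEW or NOTIFIED)."""
    return {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [
            {"Value": "NEW", "Comparison": "EQUALS"},
            {"Value": "NOTIFIED", "Comparison": "EQUALS"},
        ],
    }


def paginate_findings(securityhub, filters, page_size=100):
    """Yield every finding matching the filter, following NextToken until exhausted."""
    kwargs = {"Filters": filters, "MaxResults": page_size}
    while True:
        page = securityhub.get_findings(**kwargs)
        yield from page.get("Findings", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def export_key(prefix, now):
    """Date-partitioned object key so exports are easy to list and retain per day."""
    return f"{prefix}/{now:%Y/%m/%d}/securityhub-{now:%Y%m%dT%H%M%SZ}.json"


def export_findings(securityhub, s3, bucket, prefix="securityhub", now=None):
    """Collect active findings, write them to S3 (KMS-encrypted), and return a summary."""
    now = now or datetime.now(timezone.utc)
    findings = list(paginate_findings(securityhub, active_findings_filter()))
    key = export_key(prefix, now)
    s3.put_object(
        Bucket=bucket,
        Key=key,
        Body=json.dumps({"Findings": findings}, default=str).encode("utf-8"),
        ContentType="application/json",
        ServerSideEncryption="aws:kms",  # encryption at rest for the exported findings
    )
    by_severity = Counter(f.get("Severity", {}).get("Label", "UNKNOWN") for f in findings)
    return {"bucket": bucket, "key": key, "count": len(findings), "by_severity": dict(by_severity)}


def handler(event, context):
    """Lambda entry point; boto3 is imported here so the module stays importable offline."""
    import boto3
    return export_findings(
        boto3.client("securityhub"),
        boto3.client("s3"),
        os.environ[BUCKET_ENV],
        os.environ.get(PREFIX_ENV, "securityhub"),
    )


# Constructed stand-ins so the export logic can be exercised without AWS credentials.
class FakeSecurityHub:
    def __init__(self, pages):
        self._pages = list(pages)
        self.calls = []

    def get_findings(self, **kwargs):
        self.calls.append(kwargs)
        return self._pages[len(self.calls) - 1]


class FakeS3:
    def __init__(self):
        self.objects = {}

    def put_object(self, **kwargs):
        self.objects[(kwargs["Bucket"], kwargs["Key"])] = kwargs
        return {"ETag": "constructed"}


# Constructed sample: two pages of findings, the first carrying a NextToken.
SAMPLE_PAGES = [
    {"Findings": [
        {"Id": "f-1", "Title": "EC2 instance has a public IP", "Severity": {"Label": "HIGH"}},
        {"Id": "f-2", "Title": "S3 bucket without default encryption", "Severity": {"Label": "MEDIUM"}},
    ], "NextToken": "page2"},
    {"Findings": [
        {"Id": "f-3", "Title": "IAM user without MFA", "Severity": {"Label": "HIGH"}},
    ]},
]


def demo():
    """Run the export against the fakes with a fixed timestamp; returns (summary, hub, s3)."""
    hub, s3 = FakeSecurityHub(SAMPLE_PAGES), FakeS3()
    fixed_now = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    summary = export_findings(hub, s3, "example-findings-bucket", now=fixed_now)
    return summary, hub, s3


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Deploying this needs a Lambda execution role with `securityhub:GetFindings` and `s3:PutObject` on the target bucket only, and the S3 bucket policy and DefectDojo’s read access should be scoped to the same prefix so the exported findings stay within the authorization boundary the page describes.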

“Amazon ECR and Amazon EKS are powerful tools for containerizing and deploying critical applications and services to meet FedRAMP compliance requirements,” said Nathalie Baker, GRC manager, Aquia. “By leveraging these tools, along with S3, Lambda, CloudWatch, and CloudWatch Events, Valley IT can ensure that their systems are secure, highly available, and easily scalable. Whether it's ticketing systems, vulnerability management, SIEM, or other security solutions, ECR and EKS provide a robust and flexible platform for meeting the complex security requirements of FedRAMP.”

Expanding Federal Opportunities Through FedRAMP ATO

Working with Aquia on its journey to ATO enabled Valley IT to streamline and prioritize the necessary technical and procedural implementations while giving consideration to future growth. Not only did the team manage to retain its federal customer, but now the SaaS application will be added to the FedRAMP Marketplace as an application approved for use by other federal agencies — increasing their profits as they add to their customer base.

In addition, Aquia will continue to support the Valley IT team with its FedRAMP continuous monitoring, ensuring the health of the application’s security posture is maintained and security controls remain effective over time.

“We are looking forward to continuing our partnership with Aquia for continuous monitoring,” said Abdelnour. “Knowing that their team will help us ensure the necessary processes and procedures remain efficient and effective for future assessments brings us peace of mind.”
— Hamad Abdelnour, CEO, Valley IT
