CASE STUDY

Nuix, a leading provider of investigative analytics and intelligence software, provides organizations across the globe with cybersecurity and electronic discovery (eDiscovery) solutions. Nuix’s eDiscovery solutions are primarily utilized in the government, law enforcement, and legal services sectors.

Based in Australia, the company faced a significant hurdle in expanding its presence in the United States public sector due to the requirement that all cloud service providers (CSPs) that want to work with the U.S. government must be FedRAMP authorized. In addition, the company has been growing rapidly, necessitating additional engineering support.

Recognizing the need for FedRAMP-specific cloud security and compliance expertise, the company commissioned Aquia to streamline its journey to FedRAMP Ready status at the FedRAMP High level for its “Discover for Government” solution. 

Developing and Deploying a FedRAMP-Compliant Cloud Platform

FedRAMP High is the most stringent level of the three FedRAMP security baselines, and is intended for systems managing high-impact data such as classified information. This level demands an extensive set of security controls to protect against sophisticated and persistent cyber threats. Nuix knew that identifying the right support and resources would be critical to its success in achieving a FedRAMP authorization to operate (ATO) at that level.

Working with Aquia and DataLock Consulting Group, Aquia’s third-party assessment organization (3PAO) partner, Nuix received customized FedRAMP support that met them where they were. The team began by conducting a gap analysis, where they performed a deep dive of the technical requirements and took time to understand the organizational structure. This allowed the team to identify an efficient and compliant architecture that could support Nuix’s global presence. Next, the team conducted an analysis of Nuix’s technical controls against the FedRAMP baseline of controls to identify any gaps in implementation and develop all remediation actions associated with each gap.

Aquia went on to develop a FedRAMP High architecture that would meet Nuix’s requirements, including the use of only FedRAMP High cloud services that could be utilized in other environments across the globe and an architecture that would also meet the requirements of the Information Security Registered Assessor Program (IRAP). Once the architecture was finalized, Aquia developed all required infrastructure as code (IaC) to deploy a compliant cloud platform in which Nuix could deploy their Discover for Government solution. At Aquia’s recommendation, and based on their internal team’s knowledge, Nuix decided to deploy their solution on AWS. With a majority of FedRAMP SaaS products hosted on AWS and Aquia’s deep expertise as an AWS Advanced Tier partner, this was an easy choice for the team.

Working jointly with the team, Aquia developed all required documentation, including the system security plan (SSP), policies and procedures, and all ancillary documentation. Passionate about upskilling and knowledge-sharing, Aquia also trained the appropriate stakeholders on how to maintain compliance with control requirements and supported the development of a robust continuous monitoring (ConMon) program. 

The project was completed ahead of schedule and on budget, with Nuix achieving a FedRAMP High “Ready” status. This status indicates to agencies that Nuix can meet several of the baseline FedRAMP criteria and allows it to be listed on the FedRAMP Marketplace.