Written by Andy Keller
Decision Lens takes security of its cloud service offerings (CSOs) very seriously. Of course, cloud security is also a paramount concern of both the federal government and the Department of Defense (DoD).
In order to offer managed services (i.e., SaaS) to these communities, commercial vendors like Decision Lens are held to high security standards. The federal government relies on FedRAMP, the Federal Risk and Authorization Management Program. FedRAMP is a security and compliance initiative based on the NIST 800-53 control set and overseen by the General Services Administration (GSA). Vendors offering cloud services must all meet the same requirements, implement the same control sets, and undergo standardized security assessments and penetration tests by vetted third-party assessment organizations (3PAOs).
These annual assessments, along with vendor documentation, produce a package which allows any government agency to review and make authorization decisions. This allows agency staff to understand explicitly the risks they’re accepting when storing government data in Cloud Service Provider (CSP) cloud service offerings (CSOs), and in turn binds CSPs to be well-behaved and provide monthly continuous monitoring data. Decision Lens participates in the FedRAMP program and has authorizations from several federal agencies.
Department of Defense components and mission owners also consume cloud services and store data in services like Decision Lens. Some of this data is sensitive data, or what is known as Controlled Unclassified Information (CUI). In order to protect this data, there are some additional requirements. The DoD requirements are established by DISA in the DoD Cloud Computing Security Requirements Guide (SRG). The SRG establishes what are known as Impact Levels. DISA considers FedRAMP Moderate (the FedRAMP level Decision Lens maintains) to be equivalent, by default, to Impact Level 2 (IL2). Unfortunately, IL2 services are mostly only suitable for public data or publicly releasable data.
Because of this, in September 2018, Decision Lens decided to pursue the next level of DoD compliance: Impact Level 4 (IL4). IL4 is suitable for “CUI and/or other mission critical data to include that used in direct support of military or contingency operations,” as per the SRG. Basically, this is information that must be protected by strong access controls and logical or physical data isolation practices. IL4 introduces an additional 38 NIST 800-53 controls or control enhancements and a multitude of additional data security requirements, such as being addressable under a .mil domain and being accessible through a DoD Cloud Access Point. As is common in cloud service delivery, this creates a shared responsibility matrix between Decision Lens and DoD customers (which are defined as “Mission Owners” within the SRG).
Decision Lens is currently undergoing a full FedRAMP and IL4 assessment rather than tacking the IL4 controls and requirements onto a standard FedRAMP annual assessment, which is typically about half of the 325 controls and enhancements FedRAMP has selected from the NIST control set. We expect to have an IL4-Ready authorization package completed with a final assessment report by mid-August 2019. This package will be suitable for any DoD Mission Owners seeking to utilize managed service offerings from Decision Lens.
Q: Is Decision Lens “FedRAMP+”?
A: Yes. FedRAMP+ is a term from the SRG that essentially means FedRAMP Moderate plus IL4/5. IL4/5 cannot be achieved independently of FedRAMP Moderate/IL2. IL4 builds on IL2, and IL5 builds on IL4.
Q: Are Decision Lens cloud service offerings fully Impact Level 4 certified or approved?
A: Currently our CSOs are offered in an “IL4-Ready” package. There are shared technical responsibilities as defined in the SRG between DoD Mission Owner customers and Decision Lens, some of which Decision Lens cannot accomplish on its own. Typically, these are addressed contractually. In being IL4-Ready, Decision Lens is delivering to Mission Owners its SaaS products and authorization package such that authorization can be expedited and completed as quickly as possible.
Q: How can Decision Lens guarantee that physical systems supporting its managed SaaS service also provide IL4 data security?
A: Decision Lens is provisioned on AWS GovCloud, which as a cloud infrastructure service maintains IL4 (and IL5) levels of compliance. No customer data is transmitted or stored in any external services.
Q: I’m a DoD Mission Owner customer, and I know my agency has its own IL4 “Government Cloud.” What’s the difference between this and the standard Decision Lens SaaS cloud service offering?
A: Decision Lens SaaS offerings are fully managed. We provide all the security and system administration operations. As a customer utilizing our SaaS, you pay the license cost, we spin up your instance(s), and you get right to work with your portfolio management tasks. An IL4-Ready ATO package is maintained on a continuous basis for authorization requirements. This is significantly less expensive, faster, and operationally leaner than deploying an application like Decision Lens in your own agency cloud (or otherwise on-prem). Our cloud service offerings benefit from frequent security patching, vulnerability fixes, bug fixes, and updated feature sets. On-premises deployments frequently linger on old versions and do not have the latest features. In short, Decision Lens is the expert in delivering and securing Decision Lens cloud service offerings.
Q: Our DoD IL4 data is sensitive. How can we ensure this data is adequately isolated and protected in Decision Lens CSOs?
A: Decision Lens customer data is isolated in its own database tables. That is, data from Customer A and Customer B are not commingled. This enables Decision Lens to meet search and seizure requests for non-DoD customers without revealing DoD data. In fact, any law enforcement request for data need not reveal data from customers outside the scope of the request, regardless of industry. Moreover, backend access to customer data is limited to a minimal set of roles under strict least-privilege enforcement, and the staff holding those roles are fully cleared at the TS level. Customers may wish to grant application-level access to additional Decision Lens employees (such as customer success reps). In this case, customer group administrators are responsible for authorizing and granting this access, and can remove it at any time.