
PreVeil’s FedRAMP Story

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 establishes clear guidelines for how defense companies can store and process Controlled Unclassified Information (CUI) in the cloud, as well as standards for the cloud services they use. Contractors must ensure that cloud service providers (CSPs) meet the FedRAMP Moderate Baseline or equivalent and use FIPS 140-2 validated encryption to protect data. Unfortunately, the DoD has not determined exactly what ‘or equivalent’ means for CSPs, leaving agencies and CSPs to define the standard for equivalency themselves. PreVeil’s approach has been to set the bar as high as possible and reach full equivalency by implementing a system security program that meets or exceeds the FedRAMP Moderate Baseline standard and then passing a full program assessment by a FedRAMP-accredited Third Party Assessment Organization (3PAO).
 

Getting to equivalent

Getting to FedRAMP Moderate Baseline took PreVeil over a year of work. In the process, we had to bring our IT controls, processes, and documentation up to the FedRAMP Moderate Baseline requirements included in NIST 800-53. This work included updating our technology stack to AWS GovCloud, which meant we were able to store all customer data in a FedRAMP High cloud. PreVeil also upgraded IT tools, provided additional systems monitoring and vulnerability scanning, and documented dozens of upgraded processes.
 
We also stood up a more rigorous set of software development life cycle (SDLC) controls and processes. SDLC principles support building security and assurance into the software code, not as an afterthought to be ‘fixed’ later. Code scans, peer reviews and strict source code control ensure we deploy only secure and reliable software changes to our customers.
 
Once these upgrades were completed, PreVeil was ready to be assessed by Sera Brynn, a FedRAMP-accredited 3PAO. This assessment was conducted using the same level of rigor that would be used for any company pursuing a FedRAMP Authority to Operate (ATO). Our entire cloud program was assessed against the FedRAMP Moderate Baseline standard. The Moderate Baseline includes 325 controls specified in NIST 800-53. The assessment required a complete documentation review and collection of artifacts to prove each control is in place and operating as designed.
 
PreVeil received a letter of attestation from Sera Brynn stating that, in their assessment, PreVeil’s program was found to meet the FedRAMP Moderate Baseline requirements. Hence, equivalent: PreVeil has clearly established equivalence to the FedRAMP Moderate Baseline requirements as stated in DFARS 252.204-7012. If and when the DoD provides a more detailed definition of the equivalence requirement, we are very confident that our approach will fall within the scope of that definition.

Why no ATO?

Some critics state that in order for a CSP to achieve equivalency, it must pursue ATO certification under the FedRAMP program. However, the FedRAMP ATO program is reserved only for those companies selling directly to the US Government. This requirement does not extend to companies selling to government contractors such as PreVeil. Companies that just sell to defense contractors are instructed to follow the regulations laid out for FedRAMP Moderate Baseline equivalent in DFARS.

What equivalency means for customers

Today, hundreds of DIB companies use PreVeil as part of their programs to secure and protect Controlled Unclassified Information (CUI) in the cloud. In relying on PreVeil, contractors can be confident that they are meeting the high standards for data protection set out by the FedRAMP Moderate Baseline, because their CSP has met these standards.
 
In addition, PreVeil relies on Zero Trust security principles to protect user data. Zero Trust security means PreVeil does not trust any single element, node, or service. Instead, the PreVeil platform protects user data with end-to-end encryption and ensures information remains secure even if servers are breached, passwords are stolen, or admins are compromised. Even if a PreVeil server is fully compromised, an attacker will only get encrypted gibberish.

Conclusion

By passing a FedRAMP Moderate Baseline assessment from an accredited 3PAO, our customers can be confident not only that we would be ready for an ATO if we ever needed one, but also that we have clearly established equivalence to the FedRAMP Moderate Baseline requirements stated in DFARS 7012. Our DIB customers are very important to us, and we strongly support the mission of bringing cost-effective, state-of-the-art security technology to the DIB companies pursuing DFARS, CMMC, ITAR, and NIST compliance.