Paramify

Controls

We take security, compliance, and privacy seriously. Explore our certifications, reports, and policies in one place.

20x Low - Phase One Pilot

A streamlined, cost-effective authorization pathway for federal cloud security, designed to be Continuously Monitored, ensuring that security posture is maintained in real-time rather than just at the point of audit. Geared toward applications that handle data not strictly "public" but not "critically sensitive," where a breach would have serious adverse effects. Offers a faster route to authorization than traditional processes while ensuring robust monitoring and protection for moderate-risk data.

CED-01 (Pass): Ensure all employees receive security awareness training

CED-02 (Pass): Require role-specific training for high-risk roles, including at least roles with privileged access

CMT-01 (Pass): Log and monitor system modifications

CMT-02 (Pass): Execute changes through redeployment of version-controlled immutable resources rather than direct modification wherever possible

CMT-03 (Pass): Implement automated testing and validation of changes prior to deployment

CMT-04 (Pass): Have a documented change management procedure

CMT-05 (Pass): Evaluate the risk and potential impact of any change

CNA-01 (Pass): Configure ALL information resources to limit inbound and outbound traffic

CNA-02 (Pass): Design systems to minimize the attack surface and minimize lateral movement if compromised

CNA-03 (Pass): Use logical networking and related capabilities to enforce traffic flow controls

CNA-04 (Pass): Use immutable infrastructure with strictly defined functionality and privileges by default

CNA-05 (Pass): Have denial of service protection

CNA-06 (Pass): Design systems for high availability and rapid recovery

CNA-07 (Pass): Ensure cloud-native information resources are implemented based on the host provider's best practices and documented guidance

IAM-01 (Pass): Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication

IAM-02 (Pass): Use secure passwordless methods for user authentication and authorization when feasible; otherwise enforce strong passwords with MFA

IAM-03 (Pass): Enforce appropriately secure authentication methods for non-user accounts and services

IAM-04 (Pass): Use a least-privileged, role- and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services

IAM-05 (Pass): Apply zero trust design principles

IAM-06 (Pass): Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity

INR-01 (Pass): Report incidents according to FedRAMP requirements and cloud service provider policies

INR-02 (Pass): Maintain a log of incidents and periodically review past incidents for patterns or vulnerabilities

INR-03 (Pass): Generate after-action reports and regularly incorporate lessons learned into operations

MLA-01 (Pass): Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes

MLA-02 (Pass): Regularly review and audit logs

MLA-03 (Pass): Rapidly detect and remediate or mitigate vulnerabilities

MLA-04 (Pass): Perform authenticated vulnerability scanning on information resources

MLA-05 (Pass): Perform Infrastructure as Code and configuration evaluation and testing

MLA-06 (Pass): Centrally track and prioritize the mitigation and/or remediation of identified vulnerabilities

PIY-01 (Pass): Have an up-to-date information resource inventory or code defining all deployed assets, software, and services

PIY-02 (Pass): Have policies outlining the security objectives of all information resources

PIY-03 (Pass): Maintain a vulnerability disclosure program

PIY-04 (Pass): Build security considerations into the Software Development Lifecycle and align with CISA Secure By Design principles

PIY-05 (Pass): Document methods used to evaluate information resource implementations

PIY-06 (Pass): Have dedicated staff and budget for security with executive support, commensurate with the size, complexity, scope, and risk of the service offering

PIY-07 (Pass): Document risk management decisions for software supply chain security

RPL-01 (Pass): Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

RPL-02 (Pass): Develop and maintain a recovery plan that aligns with the defined recovery objectives

RPL-03 (Pass): Perform system backups aligned with recovery objectives

RPL-04 (Pass): Regularly test the capability to recover from incidents and contingencies

SVC-01 (Pass): Harden and review network and system configurations

SVC-02 (Pass): Encrypt or otherwise secure network traffic

SVC-03 (Pass): Encrypt all federal and sensitive information at rest

SVC-04 (Pass): Manage configuration centrally

SVC-05 (Pass): Enforce system and information resource integrity through cryptographic means

SVC-06 (Pass): Use automated key management systems to manage, protect, and regularly rotate digital keys and certificates

SVC-07 (Pass): Use a consistent, risk-informed approach for applying security patches

TPR-01 (Pass): Identify all third-party information resources

TPR-02 (Pass): Regularly confirm that services that handle federal information, or are likely to impact the confidentiality, integrity, or availability of federal information, are FedRAMP authorized and securely configured

TPR-03 (Pass): Identify and prioritize mitigation of potential supply chain risks

TPR-04 (Pass): Monitor third-party software information resources for upstream vulnerabilities, with contractual notification requirements or active monitoring services