Coalfire Helps Customers Accelerate FedRAMP Compliance Using AWS
“Coalfire helped us fast-track our path to FedRAMP compliance and save between six and twelve months of work we would have had to do ourselves.”
Erick Lindley, Chief Security Officer at Innovest
Helping a Customer Overcome Compliance Challenges
When enterprises begin working with federal government customers, they must often first comply with the Federal Risk and Authorization Management Program (FedRAMP)—a government program that provides a standardized approach to security. FedRAMP compliance, though, is a complex and time-consuming process. “Many software or cloud providers aren’t thinking of compliance first—they’re thinking about their technology. FedRAMP certification can easily take 12 to 18 months, and it draws engineers away from improving the product because they’re trying to retrofit compliance into that product,” says Adam Kerns, managing principal for Coalfire, a cybersecurity advisory firm and Government Solutions Partner with Amazon Web Services (AWS).
Coalfire, an Advanced Consulting Partner and Public Sector Partner in the AWS Partner Network (APN), helps organizations meet FedRAMP and other compliance requirements quickly and cost-effectively. Coalfire uses an AWS security automation and orchestration (SAO) methodology to assess customer IT environments and build secure AWS architectures configured to meet common security requirements. The organization recently needed to put its approach into action quickly when Innovest Systems, a financial technology solution provider, approached Coalfire. Kerns says, “Innovest came to us because they had a potential new government customer and needed to become FedRAMP-compliant in under six months.”
Erick Lindley, the chief security officer of Innovest, adds, “A government entity wanted to use our Trust & Wealth Management software-as-a-service platform, but we knew we couldn’t become FedRAMP-compliant on our own. We were not experienced in FedRAMP compliance requirements, which is why we needed expertise from a partner like Coalfire.”
Using Automation to Prepare for a Move to the AWS GovCloud
Coalfire sent a team of technical consultants to the main Innovest office to implement an AWS SAO methodology. After an initial assessment, Coalfire recognized that the best solution would be to move the Innovest SaaS platform to AWS GovCloud (US), which holds FedRAMP Moderate and High accreditations. “We saw some gaps in the Innovest system and we knew it would be best to build a brand-new environment for government customers in the AWS GovCloud,” says Kerns.
Coalfire engineering and advisory teams created comprehensive documentation and devised a systems security plan that contained all FedRAMP monitoring and policy generation requirements, so Innovest could prepare for a final FedRAMP Authority to Operate (ATO) audit. Coalfire used AWS CloudFormation templates to speed the migration. “All our code is in AWS CloudFormation templates, so we deploy scripts and let them run to simplify the migration,” Kerns says. The Coalfire teams also provided a defined workload migration and modernization platform, based on a DevOps deployment model, to help Innovest remain FedRAMP-compliant once it passed the audit.
Audit-Ready in Less Than Six Months
Relying on its technical expertise and AWS SAO methodology, Coalfire helped Innovest quickly create a FedRAMP-compliant platform. “Working with Coalfire and using the AWS GovCloud, we had a FedRAMP-compliant platform and all FedRAMP required documentation in less than six months,” says Lindley. “Coalfire helped us fast-track our path to FedRAMP compliance and save between six and twelve months of work we would have had to do ourselves. Coalfire’s expertise and the AWS Cloud were critical in getting this done.”
Coalfire used automation and repeatable processes to accelerate the migration to AWS GovCloud. “In addition to our SAO process, a key is using prebuilt infrastructure as code that aligns to compliance and security reference architectures, so we can quickly stand up a compliant and secure infrastructure for our customers,” Kerns says. “Our SAO process enables customers to be agile and get their solutions to market faster.”
Helping Innovest Expand Its Business
Once it had a FedRAMP-compliant platform, Innovest was able to pass its FedRAMP ATO audit—a critical part of the process of winning new business. Another third-party assessment organization conducted the audit. “By working with Coalfire and passing our FedRAMP ATO audit, we met the requirements of our new government customer, and they were able to begin using our Trust & Wealth platform to manage their own customers,” says Lindley.
By working with Coalfire, Innovest also eliminated the need to hire its own technical staff. “Many companies will spend more than $1 million to invest in technology and develop all the documentation for the FedRAMP program. Innovest spent a fraction of the cost,” says Kerns. “Because of our methodology and the agility enabled by AWS, it didn’t have to put resources into hiring and managing the entire process.” Additionally, Innovest will benefit from Coalfire’s strong DevOps focus. “Through our SAO work, we provide reusable automation and DevOps orchestration for customers’ applications,” says Kerns. “As a result, Innovest can maintain the current platform and remain FedRAMP-compliant in the future.”
About Innovest Systems
Innovest Systems is a leading provider of financial technology solutions delivered to forward-thinking trust, wealth management, and retirement professionals. The company has more than $600 billion in assets under administration on its Trust & Wealth Management platform, serving more than 300 global financial institutions.
Innovest needed to become FedRAMP-compliant in under six months in order to serve a new government entity customer.
Coalfire is a cybersecurity, risk management, compliance, and technical testing advisor that helps private- and public-sector organizations avert threats, close gaps, and effectively manage risk. The company provides independent and tailored advice, assessments, and cyber-engineering services. Coalfire is an APN Advanced Consulting Partner and Public Sector Partner.