A Trusted Team Built for the Modern Battlespace
Cloud computing is critical to the Department of Defense’s (DoD) plans to dominate the digital battlefield. But DoD’s complex security and compliance requirements hamper the US’s ability to rapidly field cloud capabilities.
38North Security’s Senior Advisors help private sector organizations meet DoD security requirements and deliver compelling solutions to modern defense challenges.

Decades of Experience Smoothing the Civilian to DoD Transition
38North’s Senior Advisors help private sector organizations interpret DoD guidance, speak DoD security language and design systems that meet both civilian and DoD standards.
First, we conduct an initial gap analysis against the FedRAMP+ C/CEs, targeting your desired Impact Level (IL) and system categorization. Then, we work with you to align existing practices and security controls to DoD’s requirements. We update security documentation to include DoD-specific terminology, deconflict between the STIGs and the CIS Benchmarks and implement the security architecture that DoD expects to see prior to interconnection.
DoD Cloud Security
DoD layers a challenging array of additional requirements on top of the US Government’s existing FedRAMP control set. DoD’s FedRAMP+ Control/Control Enhancements (C/CEs), described in the Security Requirements Guide, are obviously critical. But additional documents, including DoDI 8510.1, guidance from the Joint Enterprise Standards Committee (JESC), the Cloud Connection Process Guide and the Secure Cloud Computing Architecture (SCCA), must also be addressed throughout the system design and deployment process.
Even for FedRAMP-authorized Cloud Service Providers (CSPs), these unique DoD-specific requirements can be jarring when transitioning from the civilian world. As an example, DoD mandates technical hardening to the DISA Security Technical Implementation Guides (STIGs), whereas FedRAMP defaults to the Center for Internet Security (CIS) Benchmarks. DoD also requires adherence to DoDI 8551 for approved ports, protocols and services, and introduces additional incident response tracking and reporting requirements.
Our DoD cloud security services include:
DoD Cloud Security Gap Analysis:
Gap analyses help CSPs, whether FedRAMP-authorized or not, determine their readiness against DoD’s FedRAMP+ controls, up to and including IL6. Our DoD cloud security gap analysis will educate you on the DoD security process, explain the various cloud security guides and evaluate your cloud solutions for readiness to support the DoD mission. 38North’s gap analysis results in a prioritized roadmap of actions that will help you meet DoD requirements. We also help you estimate the cost to undergo an independent assessment to DoD’s standards.
DoD Security Advisory Support:
38North’s experienced FedRAMP consultants can develop all required DoD documentation, or update existing documentation to address DoD’s specific requirements. We also help deconflict between civilian and DoD technical requirements while implementing security approaches that will facilitate interconnection with the Defense Information System Network (DISN).
DoD Security Assessment Support:
If you’re preparing for your first DoD security assessment at the IL4/IL5/IL6 level but need some assistance, we can help translate between civilian CSP teams and DoD assessors. We are well versed in the quirks of the DoD Provisional Authorization (PA) process and can expeditiously resolve findings and streamline the authorization. We also have relationships across the DoD security community and at the Defense Information Systems Agency (DISA) to help resolve misunderstandings and facilitate a smooth assessment.
DoD Remediation Support:
This service is for those CSPs that recently completed a DoD cloud security assessment and need some assistance with the planning, development and implementation of remedial measures. This may come in the form of new technologies, policies, plans, procedures or training and awareness sessions. It may also mean tailoring current organizational processes to squeeze a little more out of existing investments.
DoD Continuous Monitoring:
Achieving FedRAMP accreditation is tricky. But holding on to that accreditation is even harder. 38North’s Continuous Monitoring packages take care of daily, weekly, monthly, quarterly and annual continuous monitoring tasks so you can stay focused on your organization’s success.
Next Steps
Contact us to get started. The first step is a one-hour introductory and readiness session to understand your business landscape and gather technical details, while also making sure that we’re a mutual fit. We also offer unbilled follow-up calls if you have any additional questions or need consulting advice as you gear up for the DoD security marathon.
Following our initial meetings, formal proposals and pricing are submitted within approximately one week. We can kick off with a dedicated senior-level team within two to three weeks of contract signature.