DoD Cloud Security

A Trusted Team Built for the Modern Battlespace

Cloud computing is critical to the Department of Defense (DoD)’s plans to dominate the digital battlefield. But DoD’s complex security and compliance requirements hamper the US’s ability to rapidly field cloud capabilities.

38North Security’s Senior Advisors help private sector organizations meet DoD security requirements and deliver compelling solutions to modern defense challenges. 

Decades of Experience Smoothing the Civilian to DoD Transition

38North’s Senior Advisors help private sector organizations interpret DoD guidance, speak DoD security language and design systems that meet both civilian and DoD standards.

First we conduct an initial gap analysis against the FedRAMP+ C/CEs, targeting your desired Impact Level (IL) and system categorization. Then, we work with you to align existing practices and security controls to DoD’s requirements. We update security documentation to include DoD-specific terminology, deconflict between the STIGs and the CIS Benchmarks and implement the security architecture that DoD expects to see prior to interconnection.  

DoD Cloud Security

DoD layers a challenging array of additional requirements on top of the US Government’s existing FedRAMP control set. DoD’s FedRAMP+ Control/Control Enhancements (C/CEs), described in the Security Requirements Guide, are obviously critical. But additional documents, including DoDI 8510.1, guidance from the Joint Enterprise Standards Committee (JESC), the Cloud Connection Process Guide and the Secure Cloud Computing Architecture (SCCA) must also be addressed throughout the system design and deployment process.

Even for FedRAMP-authorized Cloud Service Providers (CSPs) transitioning from the civilian world, these DoD-specific requirements can be jarring. As an example, DoD mandates technical hardening to the DISA Security Technical Implementation Guides (STIGs), whereas FedRAMP defaults to the Center for Internet Security (CIS) Benchmarks. DoD also requires adherence to DoDI 8551 for approved ports, protocols and services, and introduces additional incident response tracking and reporting requirements.

Our DoD cloud security services include:

DoD Cloud Security Gap Analysis:

Gap analyses help CSPs, whether FedRAMP-authorized or not, determine their readiness against DoD’s FedRAMP+ controls, up to and including IL6. Our DoD cloud security gap analysis will educate you on the DoD security process, explain the various cloud security guides and evaluate your cloud solutions for readiness to support the DoD mission. 38North’s gap analysis results in a prioritized roadmap of actions that will help you meet DoD requirements. We also help you estimate the cost to undergo an independent assessment to DoD’s standards.

DoD Security Advisory Support:

38North’s experienced FedRAMP consultants can develop all required DoD documentation, or update existing documentation to address DoD’s specific requirements. We also help deconflict between civilian and DoD technical requirements while implementing security approaches that will facilitate interconnection with the Defense Information System Network (DISN).

DoD Security Assessment Support:

If you’re preparing for your first DoD security assessment at the IL4/IL5/IL6 level but need some assistance, we can help translate between civilian CSP teams and DoD assessors. We are well versed in the quirks of the DoD Provisional Authorization (PA) process and can expeditiously resolve findings and streamline the authorization. We also have relationships across the DoD security community and at the Defense Information Systems Agency (DISA) to help resolve misunderstandings and facilitate a smooth assessment.

DoD Remediation Support:

This service is for those CSPs that recently completed a DoD cloud security assessment and need some assistance with the planning, development and implementation of remedial measures. This may come in the form of new technologies, policies, plans, procedures or training and awareness sessions. It may also mean tailoring current organizational processes to squeeze a little more out of existing investments.

DoD Continuous Monitoring:

Achieving FedRAMP accreditation is tricky. But holding on to that accreditation is even harder. 38North’s Continuous Monitoring packages take care of daily, weekly, monthly, quarterly and annual continuous monitoring tasks so you can stay focused on your organization’s success.

Next Steps

Contact us to get started. The first step is a one-hour introductory and readiness session to understand your business landscape and gather technical details, while also making sure that we’re a mutual fit. We also offer unbilled follow-up calls if you have any additional questions or need consulting advice as you gear up for the DoD security marathon.

Following our initial meetings, formal proposals and pricing are submitted within approximately one week. We can kick off with a dedicated senior-level team within two to three weeks of contract signature.

Jeremiah Thompson

Director of Cloud Security Architecture

Jeremiah Thompson is 38North’s Director of Cloud Security Architecture. He leads 38North’s technical teams as they tackle engineering challenges and design secure, compliant cloud security architectures.

For over 18 years Jeremiah has helped clients in the commercial, defense and federal civilian sectors engineer secure solutions to modern cyber challenges. Prior to 38North, he served as a Director at Coalfire, one of the nation’s preeminent Third-Party Assessment Organizations (3PAOs). At Coalfire he led FedRAMP and DoD FedRAMP+ assessments supporting Fortune 500 organizations. He was also a Lead Information Security Compliance Auditor supporting the National Cancer Institute, and an Information Security Compliance Auditor at IBM.

Jeremiah currently holds CISSP, CISM, CAP, C|EH, Security+, Network+, CCSK and MCP certifications.

Andy Davidson

Senior Director of Cloud Security

Andy Davidson is Senior Director of Cloud Security at 38North. He leads 38North Senior Advisors as they prepare IaaS, PaaS and SaaS providers for the rigors of FedRAMP authorization. One of the nation’s most experienced FedRAMP practitioners, Andy has been supporting FedRAMP assessment and consulting efforts since the initial FedRAMP pilot project. He specializes in helping hyperscale Cloud Service Providers (CSPs) navigate FedRAMP requirements and successfully achieve Provisional Authorities to Operate (P-ATO).

Prior to 38North, Andy was Senior Director of FedRAMP and Assessment Services at Coalfire, one of the leading Third-Party Assessment Organizations (3PAOs). At Coalfire, he was responsible for growing the 3PAO practice and managing assessor teams in the execution of high profile assessments for Fortune 500 CSPs. He also helped start Veris Group’s 3PAO practice. Prior to Veris, Andy was an IT security consultant at Booz Allen Hamilton, supporting security assessments and engineering efforts across the federal government.

Linda Morales

Senior Director of Assessments

Linda Morales is the Senior Director of Assessments at 38North Security. She leads assessments for customers in the healthcare, federal and commercial spaces. She specializes in helping organizations prepare for and complete FISMA, FedRAMP and HIPAA assessments. She is adept at leading teams to deliver efficient, accurate security reviews that withstand scrutiny from federal regulators. Linda is also a recognized expert in Healthcare security, helping Health-IT providers secure and defend Protected Health Information (PHI).

Prior to 38North, Linda served as a Director at Endeavor Systems, where she played a key role growing the federal security services practice. She also served as Security Manager for the Federal Aviation Administration’s (FAA) enterprise-wide assessment program, with responsibility for 150+ systems across FAA.

Linda earned a BS in Computer Science and a Master’s in Engineering Management, with a focus in Information Security, both from The George Washington University. She is also a Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and a Registered Practitioner with the Cybersecurity Maturity Model Certification Advisory Board (CMMC-AB).

Spence Witten

Senior Advisor and Director of Business Development

Spence Witten is a 38North Senior Advisor and Director of Business Development. He serves as a trusted security advisor to 38North’s clients in the cloud services, healthcare, financial, defense and critical infrastructure communities.

Prior to 38North, Spence was Vice President of Global Sales at Lunarline. Spence led sales and marketing across ten cybersecurity business units, culminating in Lunarline’s acquisition by Motorola Solutions. Prior to becoming VP of Global Sales, Spence ran Lunarline’s US Federal Security Services practice, overseeing Lunarline’s defense, intelligence and federal civilian portfolio. He was also an early employee of Endeavor Systems. He played a key role in Endeavor’s rapid expansion in the federal, civilian, defense, and research and development markets, through to Endeavor’s successful acquisition.

An Adjunct Professor at Cleveland-Marshall College of Law, Spence serves on the Board of Directors for the Center for Cybersecurity and Privacy Protection at Cleveland State University. He is also a member of CyberOhio, the official cybersecurity advisory board for the Governor of Ohio.

Virginia Suazo

Senior Director of Cloud Security Advisory

Virginia Suazo is 38North’s Senior Director of Cloud Security Advisory. She is responsible for leading 38North’s cloud security and compliance efforts, with a speciality in helping global CSPs juggle multiple overlapping regulatory frameworks.

Before joining 38North, Virginia worked at a tech startup supporting the first and only Red Hat OpenStack Platform that is FedRAMP-authorized. She played a vital role in successfully obtaining FedRAMP Moderate and High authorizations for IaaS, PaaS, and SaaS systems, while supporting other certifications including DoD IL4/5, PCI DSS, HIPAA and HITECH. Her 15 years of cybersecurity experience also includes several tours supporting US federal agencies, including State Department, Department of Justice, Health and Human Services, Food and Drug Administration, General Services Administration and Department of Transportation.

Matt Earley

Founder

Matt Earley is 38North’s founder and President. He started 38North – the premier cloud security advisory company, in the US and internationally – to solve complex security challenges while developing trusted relationships with an elite client base.

For over 20 years Matt Earley has designed and implemented security solutions for the US and Australian federal governments, critical infrastructure, utilities, and for global finance and healthcare organizations. He focuses on lean security architecture design and prioritizing security efforts based on the critical needs of his clients.

Prior to founding 38North, Matt was the director of federal services at Endeavor Systems, where he was responsible for Endeavor’s largest business unit, serving the Federal Aviation Administration, Department of Homeland Security and some of the world’s largest security operations centers. He was also a Senior Manager in the Australian Department of Defense, where he represented Australasia on the Common Criteria Management Board.

Matt has a Bachelor of Engineering in computer engineering from the University of Canberra in Australia, and a Master’s in engineering management from George Washington University. He also is a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).