Technology & Business Solutions, LLC ~ Compliant Cloud Hosting for GovCons

Security & compliance

Don’t trust. Verify.


Compliance mandates for government contractor information systems continue to expand in complexity and scope. TBS's security and compliance regimes grow right along with them.

As FAR rule 52.204-21 was finalized – requiring government contractors and subcontractors to apply “basic safeguarding measures” for all their information systems – and the cybersecurity guidelines from NIST publication 800-171 came into effect – protecting “controlled unclassified information” on all contractor computers and information systems – TBS's Cloud security controls had already been cross-checked to ensure complete compliance.

When it comes to security and compliance our message is simple. For nearly 15 years the TBS Cloud has delivered the most secure and compliant accounting, project management, collaboration, automation and integration solutions for government contractors. We are passionate about securing your most precious project, financial, personnel and contract information, because we know that you are too.

We also understand that your systems don’t stand still. Our customers are constantly evaluating their current software options for enhanced security, increased efficiencies and cost savings. As you consider your accounting, project reporting or business automation systems and their hosted delivery, keep in mind these important security and compliance facts.


1. Cloud sales reps talk a good game when it comes to security. But no matter what they say, remember that your business holds executive responsibility for whether your systems truly meet the growing list of compliance mandates. At the end of the day, it’s YOUR contracts at risk if your security is not up to par.

2. All Seaport-E contracts require ITAR compliance, and TBS delivers the only GovCon Cloud that assures comprehensive ITAR control. Here’s why. TBS owns its hosting infrastructure and does not use consultants or subcontractors. All TBS employees are U.S. citizens, and all TBS Hosting Centers are in the continental United States.

Other GovCon Clouds outsource their infrastructure to third parties, but these third parties’ compliance certifications DO NOT COVER their prime providers. For instance, Deltek’s Support staff for Costpoint SaaS is in the Philippines, an ITAR breach that AWS’s compliance can’t fix. (AWS is the outsourced hosting provider for Deltek SaaS and others.)

Most Army, Navy, Air Force and intelligence community contract vehicles also require ITAR compliance.

3. FAR rule 52.204-21 mandates that all federal prime contractors and subcontractors meet “basic safeguarding measures for all contractor information systems – any information system owned and operated by a contractor that processes, stores, or transmits Federal contract information.”

This includes your accounting and CRM systems, project management and reporting tools, document storage, system integrations and email. The FAR rule DOES NOT distinguish between types of information, and broadly outlines a basic set of protections for ALL federal contract information. The TBS Cloud meets and exceeds FAR standards.

4. FedRAMP standards require both encryption in flight and encryption at rest for all applicable government contractor information systems, whether they run on premise or are hosted in the Cloud.

TBS's comprehensive encryption at rest encompasses NOT ONLY DATA STORAGE, but also all data “waypoints” used for system transfer and caching, as well as all volumes and all file systems.


FAR this. NIST that. ITAR? What’s next?

As a government contractor your security and compliance requirements are always growing. When you talk with Cloud vendors the acronyms really start flying. How can you stay in control?

The good news is that when it comes to your information systems, one standard rises above them all to assure security – the SOC2 Type II audit. Every Cloud Hosting provider – including ALL of their outsource partners, subcontractors and consultants – must be audited per the AICPA’s “Trust Services Principles” in order to prove their compliance (or lack thereof).

As you evaluate your systems and plan for compliance changes in the future, our advice is to ignore the sales talk and the bluster, and to simply ask to see your providers’ SOC2 audit reports. LET THAT DOCUMENT BE YOUR GUIDE, as it outlines your vendor’s IT controls, compliance measures, and – most critically – the scope of their security.

Just as your financials are audited every year to assure compliance with accounting standards, Cloud Hosting providers are evaluated annually to assure their compliance with security standards.

Remember, any provider that outsources its Cloud delivery or that uses subcontractors and consultants must provide you with multiple SOC2 audit reports – their partners’ audits DO NOT cover the prime provider itself, and the prime’s audit DOES NOT cover its subs.

 
soc-service_marks_2c_web.png

TBS’s annual AICPA SOC2 Type II audit assures comprehensive security and compliance across the “full stack” of our Cloud delivery and services.

FAR 52.204-21 and NIST 800-171.

TBS’s system description, audit controls and testing align with all FAR 52.204-21 and NIST 800-171 requirements.

TBS owns and operates its Cloud hardware and infrastructure.

TBS never uses subcontractors in any facet of its Cloud delivery and services.

SECURE DATA TRANSFERS.

All TBS data migration and conversion tools are delivered within our SOC2-assured Cloud, thereby maintaining security and compliance integrity.

ITAR.

All TBS facilities are in the continental United States. All Aspire employees are U.S. citizens.

FEDRAMP.

TBS security controls align with FEDRAMP standards, including Encryption At Rest.

CMS.

TBS’s SOC2 Type II audited controls incorporate all Centers for Medicare & Medicaid Services and HHS compliance standards.

DISA.

TBS’s SOC2 Type II audited controls incorporate all Defense Information Systems Agency compliance standards.

MA201.

TBS’s SOC2 Type II audited controls incorporate all Massachusetts Commonwealth Standards for the Protection of Personal Information, the leading privacy statute in the U.S.

SOX.

TBS’s SOC2 Type II audited controls incorporate all Sarbanes-Oxley Act compliance standards.

MORE SECURITY CONTROLS.

Every year, we expand TBS's audit scope to meet the growing regulatory needs of our customers. Let us know what you need.