KSI Validation Report

Generated at: 20:30 EDT June/28/2025

Summary of CSP and CSO

CSP | CSO | Impact Level | Package ID
--- | --- | --- | ---
GoAnimate | Vyond for Government (V4G) | Li-SaaS | FR2433985791
System Description
Vyond is the only all-in-one video creation platform built for business and government organizations. With a focus on privacy and security, simplicity of use, and powerful video creation, Vyond for Government grants federal and public sector agencies access to our flagship platform, enabling transformation of critical information into engaging videos for employees, partners, and constituents - effectively and at scale.

Executive Summary

Metric | Value
--- | ---
Total Items | 51
True/False Ratio | True: 51 (100.00%); False: 0 (0.00%)
Auto Validation/Attestation Ratio | Auto Validation: 10 (19.61%); Attestation: 41 (80.39%)

Key Security Indicators and Validations

Cloud Native Architecture (KSI-CNA)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Configure ALL information resources to limit inbound and outbound traffic | Auto Validation | True | V4G uses AWS Security Groups to limit traffic. The check runs the AWS Trusted Advisor checks "Security Groups – Specific Ports Unrestricted" and "Security Groups – Unrestricted Access"; V4G satisfies most of the checks. | KSI-CNA-1.txt
02 | Design systems to minimize the attack surface and minimize lateral movement if compromised | Auto Validation | True | Inventories all EC2 hosts to confirm that every host is segmented by VPC, minimizing lateral movement if compromised. | KSI-CNA-2.txt
03 | Use logical networking and related capabilities to enforce traffic flow controls | Auto Validation | True | Confirms that every host is attached to at least one security group, so that traffic flow is enforced by the cloud-native network. | KSI-CNA-3.txt
04 | Use immutable infrastructure with strictly defined functionality and privileges by default | Attestation | True | V4G uses Terraform Infrastructure as Code (IaC) to manage infrastructure and Packer to build immutable AWS AMIs. Each application runs on a dedicated instance profile with least privilege. GitHub Actions implement Blue/Green deployments through CI/CD pipelines, ensuring consistent and controlled rollout. | KSI-CNA-4-Instance Profile.png, KSI-CNA-4-Git Commit-IaC.png, KSI-CNA-4-Git Commit-Packer.png, KSI-CNA-4-Github Action.png, KSI-CNA-4-AWS Code Deploy.png
05 | Have denial of service protection | Attestation | True | V4G benefits from AWS Shield Standard, which provides automatic protection against common DDoS attacks at the network and transport layers. The architecture follows AWS best practices for DDoS resiliency, including Amazon CloudFront, Route 53, and WAF as additional layers of protection. These measures help ensure high availability and mitigate denial-of-service threats effectively. | KSI-CNA-5-WAF.png, KSI-CNA-5-WAF-GeoLimit.png, KSI-CNA-5-WAF-Log.png, KSI-CNA-5-Route53.png, KSI-CNA-5-CloudFront.png
06 | Design systems for high availability and rapid recovery | Auto Validation | True | Runs the AWS Trusted Advisor Fault Tolerance checks; V4G satisfies most of the checks. | KSI-CNA-6.txt
07 | Ensure cloud-native information resources are implemented based on host provider's best practices and documented guidance | Auto Validation | True | V4G is hosted on AWS and follows the AWS Well-Architected Framework for the implementation. | KSI-CNA-7.txt
Service Configuration (KSI-SVC)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Harden and review network and system configurations | Attestation | True | V4G hardens configurations based on the CIS Benchmarks and reviews them monthly with Tenable. | KSI-SVC-1-AL2023.pdf, KSI-SVC-1-AWS Foundation.pdf
02 | Encrypt or otherwise secure network traffic | Auto Validation | True | V4G encrypts network traffic for the Application Load Balancers, RDS Aurora, and ElastiCache Redis. | KSI-SVC-2.txt
03 | Encrypt all federal and sensitive information at rest | Auto Validation | True | V4G encrypts data in S3 buckets, RDS Aurora, ElastiCache Redis, the image files, and all backup database snapshots. | KSI-SVC-3.txt
04 | Manage configuration centrally | Attestation | True | V4G centrally manages infrastructure and application configurations using a combination of tools and AWS services: (1) Packer builds immutable, standardized AWS AMIs; (2) Terraform consistently provisions infrastructure and enforces configuration baselines; (3) AWS SSM Parameter Store centrally stores parameters and serves them at runtime; (4) AWS Config is enabled to continuously monitor and record configuration changes. | KSI-SVC-4-Packer Repo.png, KSI-SVC-4-AMI.png, KSI-SVC-4-Git Commit-IaC.png, KSI-SVC-4-AWS SSM Parameter.png, KSI-SVC-4-AWS Config.png
05 | Enforce system and information resource integrity through cryptographic means | Auto Validation | True | V4G encrypts all AWS EBS volumes that store the images. | KSI-SVC-5.txt
06 | Use automated key management systems to manage, protect, and regularly rotate digital keys and certificates | Auto Validation | True | V4G uses AWS Key Management Service to manage and automatically rotate keys. | KSI-SVC-6.txt
07 | Use a consistent, risk-informed approach for applying security patches | Attestation | True | V4G subscribes to Amazon Linux 2023 update notifications to be informed when security patches should be applied, and uses a Security Tracker to keep deployment controlled. | KSI-SVC-7-AL2023 Update.png, KSI-SVC-7-V4G Security Tracker.pdf
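The auto-validation rows in the KSI-CNA and KSI-SVC tables above (KSI-CNA-2, KSI-CNA-3, KSI-SVC-5 and KSI-SVC-6) each reduce to a predicate over the AWS inventory: every host in a VPC, every host with a security group, every EBS volume encrypted, every KMS key rotating. The Python below is an added example of such an evaluator; it is not V4G's tooling and not the code behind the .txt evidence files. The input dictionaries are constructed here in the shape of the boto3 responses they stand in for (`ec2.describe_instances`, `ec2.describe_volumes`, one `kms.get_key_rotation_status` result per key), and the names `KsiResult`, `evaluate` and `evidence_text` are chosen for this example.

```python
"""Offline evaluator for four of the KSI auto-validation checks
(KSI-CNA-2, KSI-CNA-3, KSI-SVC-5, KSI-SVC-6).

Added example, not V4G's own tooling. The input dictionaries mirror the
shape of the boto3 responses (ec2.describe_instances, ec2.describe_volumes
and kms.get_key_rotation_status); in a live run they would come from the
AWS API instead of the constructed sample at the bottom.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KsiResult:
    ksi: str        # indicator id, e.g. "KSI-CNA-3"
    passed: bool    # the "Result" column of the report
    note: str       # the "Note" column: what was checked and which resources failed


def _instances(describe_instances: dict) -> list:
    """Flatten describe_instances output (Reservations -> Instances)."""
    return [
        inst
        for reservation in describe_instances.get("Reservations", [])
        for inst in reservation.get("Instances", [])
    ]


def _verdict(ksi: str, what: str, total: int, failing: list) -> KsiResult:
    """Build the result; an empty inventory is a failure, not a vacuous pass."""
    if total == 0:
        return KsiResult(ksi, False, f"{what}: no resources found in inventory")
    if failing:
        return KsiResult(ksi, False, f"{what}: {len(failing)}/{total} failing: {', '.join(failing)}")
    return KsiResult(ksi, True, f"{what}: all {total} resources compliant")


def check_cna_2(describe_instances: dict) -> KsiResult:
    """KSI-CNA-2: every EC2 host is placed in a VPC."""
    insts = _instances(describe_instances)
    failing = [i["InstanceId"] for i in insts if not i.get("VpcId")]
    return _verdict("KSI-CNA-2", "EC2 hosts segmented by VPC", len(insts), failing)


def check_cna_3(describe_instances: dict) -> KsiResult:
    """KSI-CNA-3: every EC2 host has at least one security group attached."""
    insts = _instances(describe_instances)
    failing = [i["InstanceId"] for i in insts if not i.get("SecurityGroups")]
    return _verdict("KSI-CNA-3", "EC2 hosts with >=1 security group", len(insts), failing)


def check_svc_5(describe_volumes: dict) -> KsiResult:
    """KSI-SVC-5: every EBS volume is encrypted."""
    vols = describe_volumes.get("Volumes", [])
    failing = [v["VolumeId"] for v in vols if not v.get("Encrypted", False)]
    return _verdict("KSI-SVC-5", "EBS volumes encrypted", len(vols), failing)


def check_svc_6(rotation_status: dict) -> KsiResult:
    """KSI-SVC-6: automatic rotation is enabled on every customer-managed KMS key.
    rotation_status maps key id -> get_key_rotation_status response."""
    failing = [k for k, s in rotation_status.items() if not s.get("KeyRotationEnabled", False)]
    return _verdict("KSI-SVC-6", "KMS keys with automatic rotation", len(rotation_status), failing)


def evaluate(inventory: dict) -> list:
    """Run all four checks over one inventory snapshot."""
    return [
        check_cna_2(inventory["instances"]),
        check_cna_3(inventory["instances"]),
        check_svc_5(inventory["volumes"]),
        check_svc_6(inventory["kms_rotation"]),
    ]


def evidence_text(results: list) -> str:
    """Render results as the kind of text file the Evidence column points at."""
    return "\n".join(f"{r.ksi} | {'True' if r.passed else 'False'} | {r.note}" for r in results)


# Constructed sample inventory (not real account data): one host lacks a
# security group and one volume is unencrypted, so two checks should fail.
SAMPLE_INVENTORY = {
    "instances": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "VpcId": "vpc-0web", "SecurityGroups": [{"GroupId": "sg-0web"}]},
        {"InstanceId": "i-0bbb", "VpcId": "vpc-0app", "SecurityGroups": []},
    ]}]},
    "volumes": {"Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
    ]},
    "kms_rotation": {
        "key-0aaa": {"KeyRotationEnabled": True},
        "key-0bbb": {"KeyRotationEnabled": True},
    },
}

if __name__ == "__main__":
    print(evidence_text(evaluate(SAMPLE_INVENTORY)))
```

Two design choices matter for an evidence file that an assessor will read: an empty inventory is reported as False rather than as a vacuous pass (a mis-scoped API call would otherwise look compliant), and the ids of the failing resources are written into the note, so the .txt artifact records what was checked and not just a verdict.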
Identity and Access Management (KSI-IAM)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication | Attestation | True | V4G enforces the YubiKey 5 FIPS Series (CMVP #3914) as the MFA device for AWS and Google Identity (all other external services must SSO through Google Identity) to guarantee phishing-resistant MFA. | KSI-IAM-1-AWS.png, KSI-IAM-1-Google.png
02 | Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA | Attestation | True | V4G enforces strong passwords for users, and all other external services must SSO through Google Identity. | KSI-IAM-2-AWS.png, KSI-IAM-2-Google.png
03 | Enforce appropriately secure authentication methods for non-user accounts and services | Attestation | True | V4G does not allow non-user accounts/services to perform console login. | KSI-IAM-3.png
04 | Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services | Attestation | True | V4G follows the Separation of Duties Matrix to fulfill this requirement. | KSI-IAM-4.xlsx
05 | Apply zero trust design principles | Attestation | True | V4G follows AWS documentation to implement Zero Trust design principles; the following are implemented: (1) Strong Authentication (refer to KSI-IAM-2); (2) Least Privilege Access (refer to KSI-IAM-4); (3) Micro-Segmentation (refer to KSI-CNA-2); (4) Full Encryption (refer to KSI-SVC-2, KSI-SVC-3); (5) Endpoint Security; (6) Logging and Alert Automated Policy Enforcement (refer to KSI-MLA-1). | KSI-IAM-5-DeepSecurity.pdf
06 | Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity | Attestation | True | V4G is hosted on AWS and adopts Google Workspace as the document repository; automated account management is inherited from the security controls of each platform. In addition, V4G has adopted Sumo Logic (FR#: FR1918740338) and AWS CloudWatch to detect abnormal account behavior. | KSI-IAM-6-SumoLogic.png, KSI-IAM-6-CloudWatch.png
Monitoring, Logging, and Auditing (KSI-MLA)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistant logging of events, activities, and changes | Attestation | True | V4G adopts Sumo Logic (FR#: FR1918740338) as the SIEM. | KSI-MLA-1.png
02 | Regularly review and audit logs | Attestation | True | Sumo Logic supports immediate log review and analysis, and V4G investigates suspicious behavior when it occurs. | KSI-MLA-2.png
03 | Rapidly detect and remediate or mitigate vulnerabilities | Attestation | True | V4G follows the documented procedure (section "Flaw Remediation") to remediate vulnerabilities on the 30 (High) / 90 (Moderate) / 180 (Low) day principle. | KSI-MLA-3.pdf
04 | Perform authenticated vulnerability scanning on information resources | Attestation | True | V4G performs authenticated vulnerability scanning with Tenable (FR#: FR1814276801); the installed agent runs credentialed checks to guarantee the scan is authenticated. | KSI-MLA-4.pdf
05 | Perform Infrastructure as Code and configuration evaluation and testing | Attestation | True | V4G adopts Terraform as the IaC tool and runs configuration scanning monthly with Tenable (FR#: FR1814276801). | KSI-MLA-5-TerraForm.png, KSI-MLA-5-ConfigScan.png
06 | Centrally track and prioritize the mitigation and/or remediation of identified vulnerabilities | Attestation | True | V4G follows FedRAMP requirements and adopts the POA&M sheet to centrally track and prioritize the remediation of identified vulnerabilities. | KSI-MLA-6.png
Change Management (KSI-CMT)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Log and monitor system modifications | Attestation | True | V4G adopts on-premise Trend Micro Deep Security to monitor system modifications. | KSI-CMT-1.png
02 | Execute changes through redeployment of version-controlled immutable resources rather than direct modification wherever possible | Attestation | True | V4G adopts a Blue/Green deployment strategy; all hosts are immutable and are relaunched with the new image version at each monthly deployment. | KSI-CMT-2.png
03 | Implement automated testing and validation of changes prior to deployment | Attestation | True | V4G runs an automated process to test and verify changes at each deployment. | KSI-CMT-3.png
04 | Have a documented change management procedure | Attestation | True | V4G follows FedRAMP requirements to document the change management procedure; all change requests must follow the procedure. | KSI-CMT-4.pdf
05 | Evaluate the risk and potential impact of any change | Attestation | True | V4G evaluates the risk and potential impact of each change. | KSI-CMT-5-CR.pdf, KSI-CMT-5-SIA.pdf
Policy and Inventory (KSI-PIY)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Have an up-to-date information resource inventory or code defining all deployed assets, software, and services | Attestation | True | V4G updates the asset inventory at each deployment and modification. | KSI-PIY-1.pdf
02 | Have policies outlining the security objectives of all information resources | Attestation | True | V4G has outlined the security objectives as commitments in the policy. | KSI-PIY-2.pdf
03 | Maintain a vulnerability disclosure program | Attestation | True | The vulnerability disclosure program is maintained and published in the help center. | KSI-PIY-3.pdf
04 | Build security considerations into the Software Development Lifecycle and align with CISA Secure By Design principles | Attestation | True | The SDLC is documented, and the security function is covered in the Technical Specification phase to guarantee Secure by Design. | KSI-PIY-4.pdf
05 | Document methods used to evaluate information resource implementations | Attestation | True | The method for running the automated testing plan for the implementation is documented. | KSI-PIY-5.pdf
06 | Have a dedicated staff and budget for security with executive support, commensurate with the size, complexity, scope, and risk of the service offering | Attestation | True | Dedicated staff and budget for security are arranged; however, for confidentiality reasons no evidence can be published. | NA
07 | Document risk management decisions for software supply chain security | Attestation | True | V4G has documented the Supply Chain Risk Management Plan and follows the plan when making decisions. | KSI-PIY-7.pdf
Third Party Information Resources (KSI-TPR)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Identify all third-party information resources | Attestation | True | V4G has identified all third-party vendors and placed the inventory information in the SSP; see sections 6 and 7 of the evidence file. | KSI-TPR-1.pdf
02 | Regularly confirm that services handling federal information or are likely to impact the confidentiality, integrity, or availability of federal information are FedRAMP authorized and securely configured | Attestation | True | V4G annually reviews that all external services are FedRAMP authorized and securely configured. | KSI-TPR-2.pdf
03 | Identify and prioritize mitigation of potential supply chain risks | Attestation | True | V4G has identified the potential supply chain risks and reviews them annually. | KSI-TPR-3.pdf
04 | Monitor third party software information resources for upstream vulnerabilities, with contractual notification requirements or active monitoring services | Attestation | True | V4G has subscribed to the third-party vendors' status notifications. | KSI-TPR-4-SumoLogic.pdf, KSI-TPR-4-Tenable.pdf
Cybersecurity Education (KSI-CED)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Ensure all employees receive security awareness training | Attestation | True | V4G has ensured that all participants receive and complete security awareness training with KnowBe4 (FR#: FR2201340492). | KSI-CED-1.png
02 | Require role-specific training for high risk roles, including at least roles with privileged access | Attestation | True | V4G requires participants to complete security awareness training according to their role. | KSI-CED-2.png
Recovery Planning (KSI-RPL)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) | Attestation | True | The RTO is 8 hours and the RPO is 24 hours, based on the frequency of the data backup strategy. | KSI-RPL-1.pdf
02 | Develop and maintain a recovery plan that aligns with the defined recovery objectives | Attestation | True | V4G has developed a recovery plan that aligns with the defined recovery objectives and reviews the plan annually. | KSI-RPL-2.pdf
03 | Perform system backups aligned with recovery objectives | Auto Validation | True | V4G backs up the required images and data in line with the RTO and RPO. | KSI-RPL-3.txt
04 | Regularly test the capability to recover from incidents and contingencies | Attestation | True | V4G tests the contingency plan annually. | KSI-RPL-4.pdf
Incident Reporting (KSI-INR)
# | Capability Description | Validation Method | Result | Note | Evidence
--- | --- | --- | --- | --- | ---
01 | Report incidents according to FedRAMP requirements and cloud service provider policies | Attestation | True | V4G follows federal requirements and has documented the Incident Response Plan. | KSI-INR-1.pdf
02 | Maintain a log of incidents and periodically review past incidents for patterns or vulnerabilities | Attestation | True | V4G has documented the Incident Response Form and requires that the log of incidents be maintained; it also reviews incidents escalated by Sumo Logic (FR#: FR1918740338). | KSI-INR-2-IRF.pdf, KSI-INR-2-SumoLogic.png
03 | Generate after action reports and regularly incorporate lessons learned into operations | Attestation | True | V4G has documented the lessons-learned session in the Incident Response Plan. | KSI-INR-3.pdf