Generated at: 20:29 EDT June/29/2025
| CSP | CSO | Impact Level | Package ID |
|---|---|---|---|
| GoAnimate | Vyond for Government (V4G) | Li-SaaS | FR2433985791 |
| System Description | |||
| Vyond is the only all-in-one video creation platform built for business and government organizations. With a focus on privacy and security, simplicity of use, and powerful video creation, Vyond for Government grants federal and public sector agencies access to our flagship platform, enabling transformation of critical information into engaging videos for employees, partners, and constituents - effectively and at scale. | |||
| Metric | Value |
|---|---|
| Total Items | 51 |
| True/False Ratio | True: 51 (100.00%) False: 0 (0.00%) |
| Auto Validation/Attestation Ratio | Auto Validation: 10 (19.61%) Attestation: 41 (80.39%) |
| Cloud Native Architecture (KSI-CNA) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Configure ALL information resources to limit inbound and outbound traffic | Auto Validation | True | V4G uses AWS Security Group to limit the traffic. Check the AWS Trusted Advisor Security Groups – Specific Ports Unrestricted and Security Groups – Unrestricted Access, V4G commit most qualifications | KSI-CNA-1.txt |
| 02 | Design systems to minimize the attack surface and minimize lateral movement if compromised | Auto Validation | True | Inventory all EC2 hosts to guarantee all hosts are segmented by VPC to minimize lateral movement if compromised | KSI-CNA-2.txt |
| 03 | Use logical networking and related capabilities to enforce traffic flow controls | Auto Validation | True | Confrim all hosts are attahced at least 1 security group to guarantee the traffic flow is enforced by the cloud native network | KSI-CNA-3.txt |
| 04 | Use immutable infrastructure with strictly defined functionality and privileges by default | Attestation | True | V4G utilizes Terraform Infrastructure as Code (IaC) to manage infrastructure and Packer to build immutable AWS AMIs. Each application runs on a dedicated instance profile with least privilege. GitHub Actions are used to implement Blue/Green deployments through CI/CD pipelines, ensuring consistent and controlled rollout. | KSI-CNA-4-Instance Profile.png, KSI-CNA-4-Git Commit-IaC.png, KSI-CNA-4-Git Commit-Packer.png, KSI-CNA-4-Github Action.png, KSI-CNA-4-AWS Code Deploy.png |
| 05 | Have denial of service protection | Attestation | True | V4G benefits from AWS Shield Standard, which provides automatic protection against common DDoS attacks at the network and transport layers. The architecture follows AWS best practices for DDoS resiliency, including using Amazon CloudFront, Route 53, and WAF to provide additional layers of protection. These measures help to ensure high availability and mitigate denial-of-service threats effectively. | KSI-CNA-5-WAF.png, KSI-CNA-5-WAF-GeoLimit.png, KSI-CNA-5-WAF-Log.png, KSI-CNA-5-Route53.png, KSI-CNA-5-CloudFront.png |
| 06 | Design systems for high availability and rapid recovery | Auto Validation | True | Check the AWS Trusted Advisor Fault Tolerance Checks, V4G commit most qualifications | KSI-CNA-6.txt |
| 07 | Ensure cloud-native information resources are implemented based on host provider’s best practices and documented guidance | Auto Validation | True | V4G hosts on AWS and follows AWS Well-Architected Framework to do the implementation | KSI-CNA-7.txt |
| Service Configuration (KSI-SVC) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Harden and review network and system configurations | Attestation | True | V4G hardens the configuration based on CIS benchmark and montly reviews the configuration with Tanable | KSI-SVC-1-AL2023.pdf, KSI-SVC-1-AWS Foundation.pdf |
| 02 | Encrypt or otherwise secure network traffic | Auto Validation | True | V4G has encrypted the network traffics of Application Load balancers, RDS Aurora, Elasticache Redis. | KSI-SVC-2.txt |
| 03 | Encrypt all federal and sensitive information at rest | Auto Validation | True | V4G has encrypted data on S3 buckets, RDS Aurora, Elasticache Redis, the image files and all backup database snapshots. | KSI-SVC-3.txt |
| 04 | Manage configuration centrally | Attestation | True | V4G centrally manages infrastructure and application configurations using a combination of tools and AWS services: 1. Packer: used to build immutable and standardized AWS AMI 2.Terraform: used to consistently provision infrastructure and enforce configuration baselines. 3.AWS SSM Parameter: use to centrally store and retrieve parameters at runtime. 4. AWS Config: is enabled to continuously monitor and record configuration changes. |
KSI-SVC-4-Packer Repo.png, KSI-SVC-4-AMI.png, KSI-SVC-4-Git Commit-IaC.png, KSI-SVC-4-AWS SSM Parameter.png, KSI-SVC-4-AWS Config.png |
| 05 | Enforce system and information resource integrity through cryptographic means | Auto Validation | True | V4G has encrypted all AWS EBS to store the image | KSI-SVC-5.txt |
| 06 | Use automated key management systems to manage, protect, and regularly rotate digital keys and certificates | Auto Validation | True | V4G uses AWS Key Management Service to manage and automatically rotate the key | KSI-SVC-6.txt |
| 07 | Use a consistent, risk-informed approach for applying security patches | Attestation | True | V4G has subscripted AWS Linux 2023 update to inform for applying security patches, and uses a Security Tracker to guarantee the deployment is controlled | KSI-SVC-7-AL2023 Update.png, KSI-SVC-7-V4G Security Tracker.pdf |
| Identity and Access Management (KSI-IAM) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Enforce multi-factor authentication (MFA) using methods that are difficult to intercept or impersonate (phishing-resistant MFA) for all user authentication | Attestation | True | V4G has enforced YubiKey 5 FIPS Series (CMVP #3914) to be the MFA device of AWS and Google Identity (the other external service must SSO with Google Identity) to guarantee phishing-resistent | KSI-IAM-1-AWS.png, KSI-IAM-1-Google.png |
| 02 | Use secure passwordless methods for user authentication and authorization when feasible, otherwise enforce strong passwords with MFA | Attestation | True | V4G has enforced strong passwords for users, and the other external service must SSO with Google Identity | KSI-IAM-2-AWS.png, KSI-IAM-2-Google.png |
| 03 | Enforce appropriately secure authentication methods for non-user accounts and services | Attestation | True | V4G does not allows the non-user accounts/services to do the console login | KSI-IAM-3.png |
| 04 | Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services | Attestation | True | V4G follows the Separation of Duties Matrix to fulfill the requirement | KSI-IAM-4.xlsx |
| 05 | Apply zero trust design principles | Attestation | True | V4G follows AWS document to implement the Zero Trust Design principle and the following are implemented: 1. Strong Authentication (refer to KSI-IAM-2) 2. Least Privileges Access (refer to KSI-IAM-4) 3. Micro Segmentation (refer to KSI-CNA-2) 4. Full Encryption (refer to KSI-SVC-2, KSI-SVC-3) 5. Endpoint Security 6. Logging and Alert Automated Policy Enforcement(refer to KSI-MLA-1) |
KSI-IAM-5-DeepSecurity.pdf |
| 06 | Automatically disable or otherwise secure accounts with privileged access in response to suspicious activity | Attestation | True | V4G hosts on AWS and adopts Google Workspace to be the document repository, the automation management is inherited from the security control of each side. Moreover, V4G has adopted Sumo Logic (FR#: FR1918740338) and AWS CloudWatch to detect the abnormal account behaviors | KSI-IAM-6-SumoLogic.png, KSI-IAM-6-CloudWatch.png |
| Monitoring, Logging, and Auditing (KSI-MLA) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Operate a Security Information and Event Management (SIEM) or similar system(s) for centralized, tamper-resistent logging of events, activities, and changes | Attestation | True | V4G adopts Sumo Logic (FR#: FR1918740338) to be the SIEM | KSI-MLA-1.png |
| 02 | Regularly review and audit logs | Attestation | True | Sumo Logic helps to review and analyze the log immediately and V4G runs the investigation for the suspicious behaviors when occurred | KSI-MLA-2.png |
| 03 | Rapidly detect and remediate or mitigate vulnerabilities | Attestation | True | V4G follows the procedure (the section 'Flaw Remediation') to remediate the vulnerability based on 30 (High) - 90 (Moderate) - 180 (Low) days principle | KSI-MLA-3.pdf |
| 04 | Perform authenticated vulnerability scanning on information resources | Attestation | True | V4G runs the installed agent to run the authenticated vulnerability scanning with Tenable (FR#: FR1814276801), the installed agent runs credentialed checks to guarantee the uthenticated vulnerability scanning | KSI-MLA-4.pdf |
| 05 | Perform Infrastructure as Code and configuration evaluation and testing | Attestation | True | V4G adopts TerraForm to be the IaC and monthly runs the Configuration scanning with Tenable (FR#: FR1814276801) | KSI-MLA-5-TerraForm.png, KSI-MLA-5-ConfigScan.png |
| 06 | Centrally track and prioritize the mitigation and/or remediation of identified vulnerabilities | Attestation | True | V4G follows FedRAMP requirements and adopts the POA&M sheet to centrally track and prioritize the remediation of identified vulnerabilities | KSI-MLA-6.png |
| Change Management (KSI-CMT) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Log and monitor system modifications | Attestation | True | V4G adopts on-premise Trend Micro Deep Security to monitor system modifications | KSI-CMT-1.png |
| 02 | Execute changes though redeployment of version controlled immutable resources rather than direct modification wherever possible | Attestation | True | V4G adopts Blue-Green Deployment strategy and all hosts are immutable and relaunched with the new version of the image per monthly deployment | KSI-CMT-2.png |
| 03 | Implement automated testing and validation of changes prior to deployment | Attestation | True | V4G has executed the automation process to test and verify the change per deployment | KSI-CMT-3.png |
| 04 | Have a documented change management procedure | Attestation | True | V4G has followed FedRAMP requirements to document the change management procedure, all chenage requirements must follow the procedure | KSI-CMT-4.pdf |
| 05 | Evaluate the risk and potential impact of any change | Attestation | True | V4G has evaluated the risk and potential impact of each change | KSI-CMT-5-CR.pdf, KSI-CMT-5-SIA.pdf |
| Policy and Inventory (KSI-PIY) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Have an up-to-date information resource inventory or code defining all deployed assets, software, and services | Attestation | True | V4G runs the asset inventory for each deployment and modification | KSI-PIY-1.pdf |
| 02 | Have policies outlining the security objectives of all information resources | Attestation | True | V4G has outlined the security objective as the commitment in the policy | KSI-PIY-2.pdf |
| 03 | Maintain a vulnerability disclosure program | Attestation | True | The vulnerability disclosure program is maintained and published in the help center | KSI-PIY-3.pdf |
| 04 | Build security considerations into the Software Development Lifecycle and align with CISA Secure By Design principles | Attestation | True | The SDLC is documented and the security function is covered in the Technical Specification phase to guarantee Secure by Design | KSI-PIY-4.pdf |
| 05 | Document methods used to evaluate information resource implementations | Attestation | True | The method to run the automation testing plan for the implementation is documented | KSI-PIY-5.pdf |
| 06 | Have a dedicated staff and budget for security with executive support, commensurate with the size, complexity, scope, and risk of the service offering | Attestation | True | The dedicated staff and budget for security is arranged. However, for the confidential purpose there is no evidence can be published | NA |
| 07 | Document risk management decisions for software supply chain security | Attestation | True | V4G has documented the Supply Chain Risk Management Plan and follows the plan to perform the decision | KSI-PIY-7.pdf |
| Third Party Information Resources (KSI-TPR) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Identify all third-party information resources | Attestation | True | V4G has identified all third-party vendors and place the inventory information in the SSP, see the section 6 and 7 of the evidence file | KSI-TPR-1.pdf |
| 02 | Regularly confirm that services handling federal information or are likely to impact the confidentiality, integrity, or availability of federal information are FedRAMP authorized and securely configured | Attestation | True | V4G annually reviews all external services are FedRAMP authorized and securely configured | KSI-TPR-2.pdf |
| 03 | Identify and prioritize mitigation of potential supply chain risks | Attestation | True | V4G has identified the potential supply chain risks and reviewed it annually | KSI-TPR-3.pdf |
| 04 | Monitor third party software information resources for upstream vulnerabilities, with contractual notification requirements or active monitoring services | Attestation | True | V4G has subscribed the third party vendor's subscription for the status notification | KSI-TPR-4-SumoLogic.pdf, KSI-TPR-4-Tenable.pdf |
| Cybersecurity Education (KSI-CED) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Ensure all employees receive security awareness training | Attestation | True | V4G has performed and ensured all participants receive and complete the security awareness training with KnowBe4 (FR#: FR2201340492) | KSI-CED-1.png |
| 02 | Require role-specific training for high risk roles, including at least roles with privileged access | Attestation | True | V4G has requested the participants to complete the security awareness training based on the role | KSI-CED-2.png |
| Recovery Planning (KSI-RPL) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) | Attestation | True | The RTO is 8 hours and RPO is 24 hours based on the frequency of data backup strategy | KSI-RPL-1.pdf |
| 02 | Develop and maintain a recovery plan that aligns with the defined recovery objectives | Attestation | True | V4G has developed a recovery plan that aligns with the defined recovery objectives, and reivewed the plan annually | KSI-RPL-2.pdf |
| 03 | Perform system backups aligned with recovery objectives | Auto Validation | True | V4G has backup the required images and data to align with the RTO and RPO | KSI-RPL-3.txt |
| 04 | Regularly test the capability to recover from incidents and contingencies | Attestation | True | V4G tests the contingency plan annually | KSI-RPL-4.pdf |
| Incident Reporting (KSI-INR) | |||||
|---|---|---|---|---|---|
| # | Capability Desc | Validation Method | Result | Note | Evidence |
| 01 | Report incidents according to FedRAMP requirements and cloud service provider policies | Attestation | True | V4G has followed federal requirements and documented the Incident Response Plan | KSI-INR-1.pdf |
| 02 | Maintain a log of incidents and periodically review past incidents for patterns or vulnerabilities | Attestation | True | V4G has documented the Incident Response Form and asked to maintrain the log of incidents, also review the incident escalated by Sumo Logic (FR#: FR1918740338) | KSI-INR-2-IRF.pdf, KSI-INR-2-SumoLogic.png |
| 03 | Generate after action reports and regularly incorporate lessons learned into operations | Attestation | True | V4G has documented the lesson learned session in the Incident Response Plan | KSI-INR-3.pdf |