CONTROLLED DATA
Leidos Proprietary - US Citizens ONLY
The information contained herein is proprietary to Leidos, Inc. It may not be used, reproduced, disclosed, or exported without the written approval of Leidos.

Security

SDO is deployed in Leidos' Enterprise Cloud Management (ECM) on AWS GovCloud.  

  • Authentication
    • Access is limited to Leidos US-only personnel
    • Authentication is achieved through Leidos IT services Active Directory (AD)
  • Authorization
    • Project groups are created in Leidos AD for limiting user access (complete project access segregation)
    • AWS security groups and IAM roles limit server access
  • Resource Hardening
    • CIS Benchmark L2 Ubuntu 16.04 hardened images configured with FIPS 140-2 crypto modules, Quest Authentication Services (VAS), Splunk logging, McAfee A/V and Nessus scanning
    • Continuous assessment of the risk posture

High Availability and Data Redundancy

High Availability is achieved through SDO deployment across multiple Availability Zones (AZs), complete with auto scaling at the Network Load Balancer and HAProxy layer. Applications and tools are clustered instances, with each cluster on a separate AZ. SDO can seamlessly handle simultaneous outages in two AWS AZs, providing high availability and data redundancy.

NIST 800-171 compliance

  • Access Control
    • Leidos AD, Session Timeout, Account Access Policy, Service Account Policy, Authorization Non Standard User Policy
    • System Administration is controlled through Y-Accounts, Y-Certs
    • SSL Certs
  • Audit and Accountability
    • Splunk Logging – Applications and Servers
  • Configuration Management
    • Asset Inventory, Ansible Playbooks – System Configurations, CCB Process Defined
  • Identification and Authentication
    • PKI with MFA, Corporate CyberArk – Service Accounts, Y-Accounts, Admins use Y-Accounts
  • Incident Response
    • Business Impact Analysis, Continuity of Operations Plan, Recovery Operating Procedure for 14 Applications/Tools
  • Maintenance
    • Backup, Retention & Restore Plan, Patch Management Plan, Scan all Software before Installation
  • Media Protection (Not Applicable)
  • Personnel Security (Corporate)
  • Physical Protection (Not Applicable)
  • Risk Assessment
    • Nessus Scans, Risk Assessment of all Applications (Upgrades to Address Known Vulnerabilities)

  • Security Assessment
    • CISO Security Assessment against NIST 800-171 controls, Annual Security Assessment Policy
  • Systems and Communication Protection
    • Access by Corp Security Stack, FIPS 140-2 Crypto on all Servers, Encryption in Transit, Encryption at Rest
  • System Information and Integrity
    • Jira Service Desk, McAfee, Splunk log monitoring