SIDES Site Security Policy
How secure is the State Information Data Exchange System (SIDES)?
SIDES Infrastructure
SIDES is hosted in AWS’ Federal Risk and Authorization Management Program (FedRAMP) Moderate compliant data centers.
The AWS US East/West system has been determined to have a security categorization of Moderate (M).
AWS US East/West leverages the IaaS cloud computing model as defined by NIST SP 800-145 (September 2011). The IaaS model enables on-demand Internet access to a shared pool of configurable AWS computing resources such as servers, storage, network infrastructure, applications, and various services. Computing resources are rapidly provisioned with minimal overhead or interaction with the Cloud Service Provider (CSP).
The accreditation boundary includes AWS Regions, Availability Zones (AZs), and services that support the SIDES application architecture. Identical sets of the various services are contained within each AZ. Services may communicate between AZs and Regions for disaster recovery or availability purposes.
The AWS US East/West system comprises these AWS Regions:
- US East (Northern Virginia)
- US East (Ohio)
- US West (Northern California)
- US West (Oregon)
AWS provides third-party attestations and certifications to provide visibility and independent validation of compliance with FedRAMP controls.
The Joint Authorization Board (JAB) of the FedRAMP program completes an annual assessment of the AWS East/West security authorization package. Based on Federal Information Processing Standards (FIPS) security categorization of High and the Security Assessment Report (SAR), the JAB has determined that the AWS East/West continues to met the necessary security requirements and that the Provisional Authorization to Operate (P-ATO) granted by the JAB is still in good standing.
The authorized security boundary of the AWS East/West includes the following services:
- Amazon API Gateway, Amazon AppStream 2.0, Amazon Athena, Amazon Aurora (MySQL), Amazon Chime, Amazon Cloud Directory, Amazon CloudFront, Amazon CloudWatch, Amazon CloudWatch Logs, Amazon Cognito, Amazon Comprehend, Amazon Connect, Amazon DynamoDB, Amazon ElastiCache, Amazon Elastic Block Store (EBS), Amazon Elastic Container Registry (ECR), Amazon Elastic Container Service (ECS), Amazon Elastic File System (EFS), Amazon Elastic Compute Cloud (EC2), Amazon Elastic Kubernetes Service (EKS), Amazon Elastic MapReduce, Amazon Elasticsearch, Amazon Glacier, Amazon Inspector, Amazon Guard Duty, Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams, Amazon Macie, Amazon PinPoint, Amazon Polly, Amazon QuickSight, Amazon Redshift, Amazon RDS (MariaDB, MySQL, Oracle, Postgres, SQL Server), Amazon Rekognition, Amazon Route 53, Amazon SageMaker, Amazon Simple Email Service (SES), Amazon Simple Notification Service (SNS), Amazon Simple Queue Service (SQS), Amazon Simple Storage Service (S3), Amazon Simple Workflow Service (SWF), Amazon Transcribe, Amazon Translate, Amazon Virtual Private Cloud (VPC), AWS Batch, AWS Certificate Manager, AWS CloudFormation, AWS CloudTrail, AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, AWS Config, AWS Control Tower, AWS Database Migration Service, AWS Data Sync, AWS Direct Connect, AWS Directory Service, AWS Elastic Beanstalk, AWS Glue, AWS Identity & Access Management (IAM), AWS IoT Core, AWS IoT Device Manager, AWS IoT Greengrass, AWS Key Management Service (KMS), AWS Lambda, AWS License Manager, AWS Managed Service, AWS Organizations, AWS Secrets Manager, AWS Security Hub, AWS Serverless Application Repository, AWS Service Catalog, AWS Server Migration Service (SMS), AWS Shield (Standard and Advanced), AWS Snowball, AWS Snowball Edge, AWS Step Functions, AWS Trusted Advisor, AWS WAF, AWS WorkDocs, AWS WorkSpaces, CloudWatch Events.
AWS implements security controls as a foundational element to manage risk across the organization. The AWS control environment is comprised of the standards, processes, and structures that provide the basis for implementing security requirements across AWS, including physical security. Control automation is used to proactively minimize potential inconsistencies in process execution of security controls.
Engineering teams at AWS across security functions are responsible for engineering the AWS control environment to support increased levels of control automation wherever possible. Examples of automated controls at AWS include:
- Governance and Oversight: Policy versioning and approval
- Personnel Management: Automated training delivery, rapid employee termination
- Development and Configuration Management: Code deployment pipelines, code scanning, code backup, integrated deployment testing
- Identity and Access Management: Automated segregation of duties, access reviews, permissions management
- Monitoring and Logging: Automated log collection and correlation, alarming
- Physical Security: Automated processes related to AWS data centers, including hardware management, data center security training, access alarming, and physical access management
- Scanning and Patch Management: Automated vulnerability scanning, patch management, and deployment
SIDES utilizes the AWS FedRAMP Moderate compliant data centers to provide high availability, dependability, and high-security infrastructure for SIDES. The SIDES program has had a successful full Federal Information Security Management Act (FISMA) audit and participates in continuous FISMA audits and penetration tests. Among the SIDES security controls implemented, below are items to note:
- SIDES is protected by network firewalls built into Amazon VPC.
- DDoS mitigation technologies at network layer 3 or 4 as well as layer 7
- Automatic encryption of all traffic on the AWS global and regional networks between AWS secured facilities.
- Vulnerability scanning is in place.
- Penetration testing is performed.
- Intrusion Detection System (IDS) is installed and monitored in real-time.
- Multiple anti-virus scanners are utilized by SIDES.
SIDES Applications
- Given the sensitive data exchanged between integrated partners and state agencies, SIDES was designed from the ground-up starting with security first, using client requirements.
- Multiple layers of security are implemented.
- Application software is written to protect the system against attacks, and ensure the data is protected and supplied by authorized users.
E-Response Website Controls
- Login credentials for the SIDES E-Response website are created and managed by the state agencies.
- State agencies have the option of allowing employers access to E-Response via their state employer portal using Single-Sign-On (SSO) protocol to pass user credentials.
- State agencies control security and track users within state employer portals.
- SIDES tracks E-Response use with audit logs.
- Website is designed to prevent intrusive and malicious attacks.
User/End Point Requirements:
- Based on the SIDES Agreement to Participate, parties must implement the SIDES security standards.
- Participating parties are required to obtain commercially available certificate authority (CA) certificates.
SIDES Security Testing:
- In 2016, SIDES underwent a penetration test by an independent third party. The contractor was unable to penetrate nor compromise the infrastructure.
- In 2019, a full Federal Information Security Management Act (FISMA) National Institute of Standards and Technology (NIST) 800-53 audit was completed and the Security Controls Assessment (SCA) Report recommended a full Authority to Operate (ATO) be granted.
- A continuous FISMA/NIST audit program has been implemented where partial audits are completed once per year and a full audit is completed every third year. Penetration tests are conducted by the independent third-party auditor as part of the full audit.
Updated July 15, 2022