Customer is wanting their vendors to have a 3rd party verify compliance. I can’t find a single company that doesn’t just try to get us to move everything into “the cloud”. Does anyone audit and assist with on prem solutions?

old.reddit.com / @/u/TechOWL30, https://old.reddit.com/user/TechOWL30

I’ll try and make it short.

My primary role is engineering but Im also the one the handles all the computer systems and networking.

We went through the whole 800-171 thing a few years ago and it literally just ran on the honor system. I know, I sat through a whole 4 hour presentation right along side people from Lockheed, Grumman, L3, and all the other big players.

So I went through the entire 800-171 handbook line by line and implemented everything I knew I could resonably handle on my own.

I also contracted a local IT firm who did not specifically deal with 800-171, but because of their experience in numerous other high security environments and our tightness on funds at the time they were willing to help us out.

They set us up with an on-prem Active Directory server and setup all the group policies for our network folders exactly how we wanted and even gave me some quick training on how to edit the policies and add/remove users and new systems, etc.

So while we should still be fine, our largest customer is wanting our systems to be “verified” preferably by a 3rd party. While I’m fairly confident in what we have, Im unwilling to put my name on something I’m not actually trained in, and with no input from someone who is. especially when it comes to govt work.

But the big problem comes into play when every single company we have contacted that does this just wants to shove everything into Office365 and Azure and call it a day…

Not only do we not want to operate “in the cloud” but as soon as we mention that some of the stuff is ITAR controlled they tell us that part can just stay on our current server…which then begs the question that if our current servers are good enough for the ITAR stuff, then why move any of it?

This whole situation is driving me nuts and I now have less than a month to figure it out or we’re going to begrudgingly pay some company almost $4k to move our stuff into the cloud, and fill out some paperwork for us

Full disclosure it’s a family owned business and I am the son of the owner and have been with the company for nearly 20years. So we’re not some big corporate entity and I’m not being pressured into cutting corners or anything like that. None of us want to use cloud services especially me, and my dad.

submitted by /u/TechOWL30
[link] [comments]

published 9 days ago


Previous

ITAR CUI and Remote VPN while in Europe
published 14 days ago

Next

Can someone explain to me how to be compliant with nist 800-171 control 3.13.08? It seems impossible from a network engineers perspective
published 8 days ago
See all items from the same source