State Examination System Company Security FAQs

Frequently Asked Questions about SES Security.

SES is implemented through a combination of FedRAMP-authorized Appian Cloud (PaaS, Package ID: F1210011608) and CSBS-managed systems hosted in FedRAMP-authorized AWS (IaaS, Package ID: AGENCYAMAZONEW). The system is integrated with the CSBS FedRAMP-authorized Single Sign-On platform, Okta (SaaS, Package ID: F1512167750), which enforces multi-factor authentication (MFA) for all users. All access takes place over TLS 1.2-encrypted connections and requires MFA.

Separate accounts are used to isolate the development, testing, training, production, and management environments. This allows granular separation of duties and access controls following the principle of least privilege. Within each account, multiple subnets further restrict and manage network traffic.

SES systems are configured to a tailored Center for Internet Security (CIS) baseline. Operating systems include current versions of Windows Server and Red Hat Linux. The AWS environment itself is configured against CIS Web Services Foundation v1.2 as well as Amazon's own AWS best practices.

Vulnerabilities, patch status, and baseline configuration are continuously monitored using a combination of external scanning, locally installed agents, and detailed logging. All of this data is correlated in a central Security Information and Event Management (SIEM) tool.

The system was assessed by an accredited third-party auditor against NIST SP 800-53 Rev. 4 at the FISMA Moderate level, and its security controls are reassessed annually. A full penetration test is also performed annually by a third party separate from the FISMA auditors.