The challenge
Security operations center (SOC) personnel use telemetry from hosts, cloud services, and other log sources to perform threat hunting, identify suspicious activity, isolate users or devices, and report incidents.
However, these activities often involve transferring suspicious files to cloud infrastructure for sandboxing and additional analysis. If transferred files contain any Controlled Unclassified Information (CUI), the SOC’s cloud infrastructure must be authorized under the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
The steep costs tied to FedRAMP assessment and authorization often result in a “government” cloud service with higher license costs and “seat minimums.” For many defense contractors and MSPs, this makes some FedRAMP-authorized services cost-prohibitive or downright unobtainable inside a constrained security budget.
The best possible outcome is to preserve the capabilities of a SOC and its ability to detect, contain, report, and remediate incidents, while mitigating the risk of CUI data transfers.
Why Huntress doesn’t need FedRAMP
Huntress identified that, for most defense contractors, there was little to no overlap between the types of files a SOC needs to analyze (executables, scripts, installers) and the files containing CUI (Microsoft Office files, PDFs, CAD drawings, etc.).
Sensitive Data Mode was developed to permanently block a defined set of file extensions from being transferred off hosts by the Huntress SOC through the Huntress agent. The current list of blocked file extensions is available for review by defense contractors. Organizations don’t need to know the exact hosts or file shares that contain CUI; they only need to know the file types that could contain it.
Once contractors verify that every file extension that could carry CUI in their environment is on the block list, they activate Sensitive Data Mode via a support request. Once enabled, the mode can't be modified or disabled by SOC analysts or Huntress Agentic Security Platform users.
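The two decisions described above, the transfer gate on the agent side and the contractor's coverage check before enabling the mode, are illustrated below. This is an added example, not Huntress code; the block list is constructed for the example and is not the real Sensitive Data Mode list. It shows the edge cases a practitioner would want pinned down: case-insensitive matching, Windows and POSIX paths, trailing dots or spaces that Windows strips from filenames, dotfiles and extensionless files, and names with several dots, where only the final extension decides.

```python
"""Extension-based transfer gate and block-list coverage check.

Added illustration only. BLOCKED_EXTENSIONS is a constructed sample and is
NOT Huntress's actual Sensitive Data Mode block list.
"""
from pathlib import PureWindowsPath

# Constructed sample of extensions that commonly carry CUI (Office, PDF, CAD).
BLOCKED_EXTENSIONS = frozenset({
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".dwg", ".dxf", ".step", ".stp",
})


def normalize_extension(filename: str) -> str:
    """Return the final extension of *filename*, lower-cased, including the dot.

    PureWindowsPath accepts both '\\' and '/' as separators, so this works for
    paths reported by Windows and POSIX hosts alike. Trailing spaces and dots
    are stripped because Win32 removes them when a file is created, so
    'report.pdf.' on disk is really 'report.pdf'. Dotfiles ('.bashrc') and
    extensionless names ('setup') yield ''.
    """
    name = PureWindowsPath(filename).name.rstrip(" .")
    return PureWindowsPath(name).suffix.lower()


def transfer_allowed(filename: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """True if the SOC may pull this file off the host.

    Block-list semantics: anything not listed is allowed, including files with
    no extension. Only the final extension is consulted, so 'invoice.pdf.js'
    is treated as a .js script, which is exactly the kind of artifact the SOC
    needs to analyze.
    """
    return normalize_extension(filename) not in blocked


def _norm_ext(ext: str) -> str:
    """Accept '.PDF', 'pdf' or ' .pdf ' and return '.pdf'."""
    ext = ext.strip().lower()
    return ext if ext.startswith(".") else "." + ext


def uncovered_cui_extensions(cui_extensions, blocked=BLOCKED_EXTENSIONS) -> set:
    """Contractor-side check before requesting the mode: which extensions that
    may carry CUI in this environment are NOT on the block list. An empty set
    means the list covers everything the organization identified."""
    return {_norm_ext(e) for e in cui_extensions} - set(blocked)


if __name__ == "__main__":
    # Constructed sample paths; none are real telemetry.
    for path in [r"C:\Windows\Temp\dropper.exe", "/home/eng/designs/bracket.DWG",
                 "quarterly report.pdf ", "setup", "invoice.pdf.js", ".bashrc"]:
        print(f"{path!r:40} allowed={transfer_allowed(path)}")
    print("uncovered:", uncovered_cui_extensions([".docx", "PDF", ".sldprt"]))
```

The coverage check is the step a contractor performs once, against the vendor's published list, before filing the support request; the gate is what runs on every transfer afterwards.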
Why that’s a good thing
By preventing SOC data transfers of files containing CUI, Huntress has established the “logical separation” necessary to avoid becoming a CUI Asset. This allows the Huntress Agentic Security Platform to function as a Security Protection Asset (SPA) in a contractor’s assessment scope.
Operating as a Security Protection Asset without needing a FedRAMP Moderate authorization results in several advantages:
Cost savings. Achieving and maintaining FedRAMP authorization is resource-intensive. Vendors with a “government cloud” version of their cloud services must often charge more per seat or license to cover these costs. Avoiding these costs allows Huntress to charge less per endpoint, identity, log source, and learner.
Reduced minimums. FedRAMP-authorized cloud services often come with higher minimum “buy-ins,” ranging anywhere from 500 to 100,000 licenses. Huntress keeps access practical for smaller contractors, with a 50-seat minimum for individual organizations and no per-org minimum when delivered through an MSP.
Faster features. Because of change management approvals tied to FedRAMP Third-Party Assessment Organizations (3PAOs) and agency sponsors, features in a FedRAMP-authorized offering are often released several months later than in the commercial version of the same cloud service. Huntress aggressively releases capabilities and features based on emerging attacker techniques. Threat actors don’t wait to innovate.
More than just unmatched endpoint visibility, detection, and response
Huntress Managed EDR combines custom-built technology with industry-leading expertise through a 24/7 SOC and a top-rated support team.
Managed EDR minimizes the alert fatigue that’s prevalent with other tools, and it comes at an affordable price with no surprise add-ons or extra tiers. Plus, it's deployable throughout your network in just minutes. Demo Huntress today.
Ryan Bonner is the founder and CEO of DEFCERT. Ryan has led DFARS and CMMC compliance transformation projects for over 150 contractors in the Defense Industrial Base (DIB), often involving MSPs.