About OpenSpace

OpenSpace is a California based company which provides 360 photo documentation, videos, integrations and analytics tools for contractors and builders. OpenSpace's proprietary cutting-edge algorithm creates navigable 360-degree photos and 3D images of construction sites, enabling builders and contractors to capture their work, analyze it, and make better decisions.

OpenSpace's AI technology, which is hosted on Amazon Web Services, trains computers to interpret and understand digital images and videos. This reduces cost, time and pain it takes to build and operate. OpenSpace's tools are revolutionizing the industry's approach to building construction and real estate management broadly.

The Challenge

OpenSpace has been growing its sales and marketing teams, expanding its customer count who all are in the private sector. The public sector remained untapped to OpenSpace. A considerable part of the company's near-term growth strategy is to penetrate the public sector, start bidding for and winning lucrative government contracts.

Openspace's product creates and stores photos and footage of construction sites. For some governmental construction sites, these artifacts are classified and must be handled with utmost privacy and security. OpenSpace must meet the compliance requirements set forth by the Federal Agency, for contractors who oversee information systems and data. In this case, it must comply with Moderate Impact Software as a Service (MiSaaS)

Partner Solution

OpenSpace began offering its services in the federal space with a Low-Impact-Software-as-a-Service (LiSaaS) authorization to operate (ATO). LiSaaS ATO's are approved by agencies based on system categorization and an organization's risk profile primarily based on an independent third-party assessment such as a Service Organization Control Type 2 (SOC2) report and supporting artifacts. OpenSpace is moving towards FedRAMP moderate and pursued a MiSaaS ATO as an interim step.

MiSaaS is more comprehensive than LiSaaS in that it requires implementing 72 controls and control enhancements from NIST 800-53. NIST controls form the basis for FedRAMP and many other compliance baselines. Similar to a full FedRAMP ATO, an independent assessment must be conducted by an authorized third-party assessment organization (3PAO) or the agency itself.

Jacobian Engineering worked with OpenSpace to design, implement and document controls in the platform's system security plan (SSP). The SSP is a key artifact used by assessor organizations as they develop test plans and workbooks to conduct a thorough assessment. Jacobian helped OpenSpace leverage several Amazon platform services to implement many of the requirements of MiSaaS in order to successfully complete the assessment and receive its MiSaaS ATO in October 2023.

There are several categories of controls that Amazon services help customers implement in whole or in part. These include controls in categories such as:

• Access Control Controls
  • Amazon Identity Access Center (IAC)
  • Amazon Identity Access Management (IAM)

  Amazon IAC provides the primary mechanism for access authorization into Amazon services for external identities. Amazon IAM provides role-based access control for internal and cross-account service roles.

• Audit and Accountability Controls
  • Amazon CloudTrail
  • Amazon Config
  • Amazon SNS
  • Amazon EventBridge
  • Amazon GuardDuty
  • Amazon CloudWatch

  Amazon Cloudtrail, Config, SNS, EventBridge, GuardDuty and Cloudwatch provide observability, enterprise policy enforcement, event notification and enable audibility of the environment.

• Configuration Management Controls
  • Amazon Systems Manager

  Amazon Systems Manager provides access into the environment, enabling change management functions and allowing engineers to access internal networks, databases and systems to support operations.

• Risk Assessment Controls
  • Amazon Inspector
  • Amazon Security Hub
  • Amazon Lambda
  • Amazon Audit Manager

  Amazon Inspector, Security Hub and Audit Manager provide assessment tools to ensure the environment meets configuration baseline control standards for all systems and services. Inspector provides near real-time scanning of containers inside the Amazon Elastic Container Registry (ECR) in order to report and mitigate vulnerabilities. Amazon Lambda provides an on-demand malware detection capability for data stored in Amazon S3.

• System and Communication Protection Controls
  • Amazon KMS
  • Amazon Secrets Manager
  • Amazon S3 services
    • Bucket Policies
    • Event Notifications
    • Service Side Encryption
    • VPC Service Endpoint
  • Amazon EBS Encryption
  • Amazon Network Firewall
  • Amazon Application Load Balancer
  • Amazon Web Application Firewall
  • Amazon Shield

Results and Benefits

With assistance from Jacobian Engineering and profound commitment of OpenSpace's information security team, the company achieved MiSaaS compliance. This compliance project enabled OpenSpace improve its infrastructure cybersecurity and has eliminated a major barrier to becoming a government contractor and achieving its growth targets.

About Jacobian Engineering

Jacobian Engineering is an information security company and an advanced consulting partner of Amazon Web Services (AWS). Jacobian Engineering works with customers in several industries including healthcare, biotechnology, energy, financial services, construction and has strong competencies in cloud security, software development, migrations, governance, risk, and compliance.