Dockstore achieves the best available security standard in the industry

In this post, we discuss how we became designated a NIST 800 53 Rev 4 Moderate Baseline Complaint System, and why we care.

Published in

Dockstore

5 min readAug 1, 2022

Dockstore’s mission is to enable researchers to share and reuse bioinformatics tools and workflows in a way that makes them easily reusable and runnable in a variety of environments. Many of our end users launch tools and workflows hosted by Dockstore into cloud compute environments, including those used by the U.S. National Institutes of Health (NIH) to analyze protected data. To ensure that sensitive data is properly managed, many controlled-access datasets are often only accessible in the cloud analysis platform and country that generated the data. This model encourages users to bring their analysis to the data, and Dockstore provides an easier way for users to move their analysis to the data even in high-security environments.

As Dockstore grows to become the official tool and workflow repository for NIH cloud programs, we set out to ensure that our end-users, stakeholders, partners, and federal agencies feel confident that our product meets the highest level of security.

What Industry Security Standard Dockstore is Aligned to

The Federal Information Security Act (FISMA) is a U.S. government legislation that defines a comprehensive framework to protect government information, operations, and assets against threats. Signed into law in 2002 and updated in 2014, FISMA requires that federal systems meet a set level of security requirements (also known as “controls”). The primary framework for FISMA compliance is NIST SP 800–53, developed by the National Institute of Standards and Technologies (NIST), which spells out a set of security and privacy controls designed to protect data on information systems.

Dockstore’s FISMA requirements included creating and maintaining a system security plan (SSP), implementing required NIST 800–53 security controls, conducting risk assessments annually, and continuous monitoring of the system. To demonstrate that the Dockstore security program implemented all relevant security controls prescribed in the NIST-800–53 framework, we engaged an authorized third-party assessor, called a Third Party Assessment Organization (3PAO), to systematically review and test every security control, and report their findings to the system owner and Agency authorizing officer. Under FISMA, the Chief Information Officer is solely responsible for accepting cyber risks for their agency.

For this effort, we partnered with the National Human Genome Research Institute’s Analysis Visualization and Informatics Lab-space (AnVIL) and National Heart Lung Blood and Sleep Institute’s (NHLBI) BioData Catalyst. Both are NIH efforts to help scientists bring their research into a secure cloud computing ecosystem. The NHGRI AnVIL’s Chief Information Officer verified the findings submitted by the 3PAO and officially approved Dockstore as a NIST 800–53 Rev 4 Moderate Baseline Compliant System.

Why We Care

The FISMA standard is required for U.S. federal agencies, departments, and contractors who are engaged in the processing or storage of federal data, whether the system is deployed in the cloud or not. This means organizations doing business with federal agencies shall effectively manage their security risk by implementing NIST 800–53 security controls.

FISMA compliance is important to the Dockstore system as it opens more opportunities to interconnect with federal agencies, such as the NIH cloud workspaces our end-users leverage for their research, and demonstrates a commitment to maintaining best practices in data security and risk management that benefits all Docktore uses.

Dockstore Specifics

Dockstore is a cloud-native system that utilizes Amazon Web Services (AWS). We leverage the inherited security provided by AWS for the infrastructure while Dockstore provides security for the application and data. The Dockstore architecture provides data security across the entire stack, from infrastructure to application.

The Dockstore security package consists of the System Security Plan (SSP) and attachments such as the Policies, Procedures, Plan and authorization boundary diagram, Security Assessment Plan (SAP), Security Assessment Report (SAR), and Plan of Action and Milestones (POA&M). The Dockstore Security document is developed in the designated formats MS Word, MS Excel, and the FedRAMP-provided template.

The Dockstore security control goes beyond the standard NIST moderate baseline control set in NIST SP 800–53 Revision 4. In total, 326 controls were implemented and tested. The additional controls implemented are to address the unique elements of cloud computing to ensure all federal data is secure in cloud environments.

The Dockstore team implemented the security controls as described in the Dockstore SSP consistent with industry best practices on security and engineering methodology which was tested and verified internally by the Dockstore security team. Upon completion of this effort, an initial security control assessment and penetration testing were performed by a FedRAMP-authorized 3PAO (MBL technology). During penetration testing, there are no changes made to the system. Once the testing was completed, MBL technology developed a SAR, which details the security control assessment and penetration testing findings. The Dockstore security team then developed a Plan of Action and Milestone (POA&M) based on the SAR findings and it includes input from the 3PAO, which outlines a plan for addressing the findings from testing.

Our Journey

Dockstore is the first product at the UC Santa Cruz Genomics Institute to achieve U.S. federal security compliance. This required building a dedicated security team from scratch, including training our current engineers to examine, document, and plan for future, unknown security threats to every part of our system. After two years of incredibly hard work, a thorough and detailed audit of every security control by the third-party auditors (3PAO) found no critical or high issues in need of remediation. Benedict Paten, Associate Director of the UC Santa Cruz Genomics Institute, said “This is a monumental achievement and we are incredibly proud of the Dockstore team for their efforts”. Their commitment also goes beyond their own product to support other universities and research institutions that are interested in starting a security effort like this. As of today, the Dockstore security team has already shared lessons learned with partners building the Human Cell Atlas.

This achievement demonstrates that the Dockstore team is committed to providing the best available security guarantees for Dockstore users and partners. Dockstore is now officially an approved platform in NHGRI AnVIL ecosystem and is looking to engage with other federal agencies that would benefit from integrating with our repository. By committing to excellent security, we can realize our goal of enabling scientists to conduct reproducible research by offering an easy-to-use, centralized repository of best practice tools and workflows that integrate with diverse platforms.

This security journey will continue as we refine and extend the Dockstore and evolve our practices as industry best practices, and NIST 800–53 standards continue to be updated. Next up, we plan to align with Revision 5 and prepare for annual security control assessment and penetration testing.