Frequently Asked Questions

General Product Information

IronFort is a comprehensive Security Assessment & Authorization (SA&A) lifecycle management solution designed for Government of Canada departments and technology vendors. It facilitates the process of obtaining and maintaining Authority to Operate (ATO) status for applications across cloud and on-premises environments. IronFort streamlines control selection, evidence collection, security assessments, and continuous monitoring, aligning with GC cloud security requirements on a secure and compliant platform.

The solution offers flexible deployment options including:
  • Secure public-cloud deployment in Canada
  • Private-cloud deployment within GC-managed environments
  • On-premises deployment in GC data centers
Each option maintains complete data residency within Canada.

The solution is designed for:
  • Federal government departments and agencies managing their cloud service assessments
  • Technology vendors seeking to obtain and maintain ATO status for their solutions
  • Security assessment teams conducting SA&A processes
  • Continuous monitoring teams maintaining security compliance

* Please see the Version Release Schedule below for details on which capabilities become available in which release.

Security and Compliance

The initial release is designed to handle Unclassified (Unprotected) data only; however, it can link to secured data repositories. Future releases will incorporate capabilities for handling higher security levels, subject to appropriate certifications and approvals.

Yes, the solution is built to align with GC cloud security control profiles and relevant TBS directives. Specific compliance documentation is available upon request.

All data is stored exclusively within Canadian borders, regardless of deployment model. This includes primary data, backups, and any cached information.

Technical Capabilities

The solution is multi-cloud and on-prem capable, supporting major cloud service providers approved for GC use. This includes but is not limited to Azure, AWS, and Google Cloud, provided they meet Canadian data residency requirements.

Release 1 focuses on core SA&A lifecycle management capabilities. A detailed feature matrix is available separately, but key functionalities include:
  • Initial security assessment workflow management
  • Evidence collection and documentation
  • Basic reporting capabilities
Future releases will expand these capabilities based on user feedback and requirements.

We are working towards more automated control selection based on departmental preferences, and towards recommendations on where users can find and capture the evidence needed for assessments. We are also developing an assistant to work alongside the business and security teams and quickly answer questions according to best practices for evidence collection and process workflows.

The solution is designed to work independently while maintaining compatibility with GC systems. Future versions will enhance interoperability through standard interfaces, enabling continuous monitoring and proactive remediation. Specific integration requirements would be discussed during implementation planning.

Implementation and Support

Our Licensing Arrangement includes both IronFort Customer Support (through our IronFort Customer Success Team) and LNine Professional Services Support for deployments, configurations, integrations, and additional benefits. A non-exhaustive list of support includes:
  • Technical support
  • Documentation and onboarding training
  • Implementation assistance & regular maintenance and updates
  • LNine’s “white glove” Professional Services Support Wrapper
All support is provided within Canada using only local security-cleared staff on our payroll.

Implementation timelines vary based on deployment model and organizational requirements. Typical implementations range from 4-12 weeks, including testing and user training.

Data Management

The solution implements comprehensive backup procedures including:
  • Regular automated backups
  • Geographic redundancy within Canada
  • Encryption at rest and in transit
  • Configurable retention policies

Yes, the solution includes data export capabilities in standard formats (CSV and Excel files) to ensure departmental data portability and sovereignty.

Procurement and Pricing

See our dedicated P&P FAQ

Future Development

The solution follows a regular update schedule with:
  • Readily available security updates
  • Monthly feature updates
  • Quarterly major version releases
All updates are communicated in advance and deployed according to change management procedures.

IronFort was designed in conjunction with GoC requirements and communities. Building a solution that our clients value remains a priority. As such, we have a user group that is open to all interested parties, not just paying customers. We want your voice to be heard.

Official Languages Compliance

The solution fully supports both English and French in accordance with Official Languages Act requirements, including:
  • Complete bilingual user interface
  • All documentation available in both official languages
  • Support services in both English and French
  • Reporting capabilities in both languages
  • System-generated communications in both languages

Accessibility Compliance

Yes, the solution is designed to comply with the Accessible Canada Act and Treasury Board Secretariat accessibility standards, including:
  • WCAG 2.1 Level AA compliance
  • Keyboard navigation support
  • Screen reader compatibility
  • Configurable display options for visibility and readability
  • Accessible documentation formats

Audit and Compliance Reporting

The solution provides comprehensive audit features including:
  • Complete audit trails of all system actions
  • User activity logging
  • Change tracking for all assessment documentation
  • Exportable audit logs for compliance reporting
  • Integration capabilities with departmental audit systems
  • Custom report generation for oversight requirements

Business Continuity

The solution includes robust business continuity features:
  • High availability architecture
  • Automated failover capabilities
  • Regular disaster recovery testing
  • Documented recovery time objectives (RTO)
  • Documented recovery point objectives (RPO)
  • Business continuity documentation aligned with GC standards

Identity and Access Management

The solution provides comprehensive IAM features including:
  • Role-based access control (RBAC)
  • Integration with departmental identity providers
  • Support for multi-factor authentication
  • Granular permission settings
  • User session management
  • Access review and certification capabilities

Training and Onboarding

The solution includes comprehensive training support:
  • Role-based training materials
  • Online self-service training portal
  • Regular training webinars
  • Custom training sessions available
  • Training materials in both official languages
  • Best practices documentation
  • Quick reference guides

Performance and Scalability

The solution is designed for enterprise-scale performance:
  • Configurable resource allocation based on workload
  • Automated scaling capabilities
  • Performance monitoring and alerting
  • Regular performance testing and optimization
  • Documented performance benchmarks
  • Capacity planning tools

Regulatory Compliance

The solution is designed to meet various regulatory requirements including:
  • Privacy Act compliance
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Treasury Board information management policies
  • Digital Standards
  • Cloud Security Program requirements
  • Departmental security requirements

Incident Management

The solution includes comprehensive incident management procedures:
  • Automated incident detection and alerting
  • Incident response playbooks
  • Integration with departmental incident management systems
  • Regular incident response testing
  • Post-incident analysis and reporting
  • Continuous improvement processes

For additional questions or detailed information, please contact our team at CustomerSuccess@GoIronFort.com