Increasing the Speed of Defense Software Development with a STIG hardened Amazon Machine Image
Over the past 3 years of developing cloud software for the Department of Defense, we found ourselves spending lots of time meeting Security Technical Implementation Guide (STIG) requirements before we could start developing. We couldn’t find a ready-built, DoD-compliant cloud image, so we built one.
As we worked to cloud-connect Air Force Operational Technology / Control Systems (OT/CS) over the past 3 years, we kept running into the same problem. Any time we’d spin up a new Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance, we’d have to bring the image into full compliance for our Authority to Operate (ATO) on the defense network.
Every defense contractor developing on AWS has to go through the same process, resulting in hundreds or even thousands of hours a year of duplicated labor. There hasn’t been a ready-built, DoD-compliant, constantly updated operating system image available. So we built one.
Today, Simplesense announced the launch of a STIG Hardened Amazon Linux 2 image in the AWS Marketplace. Our team developed this baseline for our work building a secure cyber physical infrastructure for our Department of Defense (DoD) customers and supporting a continued Authority to Operate (ATO) within operationally deployed systems.
We launched this Amazon Machine Image (AMI) to accomplish the following goals:
- Accelerate the adoption of secure-by-default designs by development teams across the DoD
- Enhance overall security
- Reduce effort duplication
- Build a community of developers in the defense ecosystem
- Provide an enhanced AWS marketplace experience targeting cloud developers in the defense ecosystem
Our company is uniquely positioned between the commercial and defense worlds, focused on bridging the gap between the two, to accelerate the protection of critical infrastructure (learn more about OT/CS threats here). As an AWS public sector partner, Simplesense has a proven track record of delivering software to our government customers and ecosystem partners.
How it Works
We scan our AMIs daily and provide the scan results to subscribers as assurance that the AMI is a trustworthy foundation on which to build their applications. We continuously update our AMI baselines to the latest STIG guidance and can rapidly navigate the AMI publishing process to provide the latest version. More details here.
Future Updates
Keep an eye on this blog, the AWS Marketplace, and our social media to be notified of more AMIs launching this year. If you have any questions about our efforts here or suggestions for additional AMIs, reach out to ami@simplesense.io.
What is Amazon Linux 2?
Amazon Linux 2 is an AWS-developed and maintained Linux operating system providing a security-focused, stable, and high-performance execution environment to develop and run cloud applications. Amazon Linux 2 is open source and provided at no additional charge. AWS provides ongoing security and maintenance updates for Amazon Linux 2, currently through June 30, 2025.
What is the AWS Marketplace?
The AWS Marketplace is a place for businesses to provide third-party software, data, and services to customers through Amazon Web Services, simplifying acquisition.
What is an AMI?
An Amazon Machine Image (AMI) is a set of launch specifications for a cloud-hosted EC2 instance.
What is a STIG?
Security Technical Implementation Guides (STIGs) are provided by the Defense Information Security Agency (DISA) to give IT professionals a set of steps to securely configure various operating systems, databases, or devices.
What is an ATO?
An Authorization to Operate (ATO) is a formal declaration by an Authorizing Official (AO) that authorizes the operation of a business product and explicitly accepts its risks. The ATO is a product of the Risk Management Framework (RMF) process and officially certifies that the system has met and passed all requirements to become operational.