CASE 78 · SAFFRON · 2024
A GovCloud footprint, established before the contract started.
A federal subcontractor had been awarded a contract requiring all workload data to reside in GovCloud (US) by Q1. The team had never operated in GovCloud and the AWS account-vetting process was already in flight. We delivered the GovCloud landing zone, the ITAR controls baseline, and a working pilot workload in eight weeks.
Federal subcontractor
LANDING ZONE
2024
RESULTS
What changed, by the numbers.
TIME TO CONTRACT START
ON TIME
NIST CONTROLS BASELINED
320
COMMERCIAL ↔ GOVCLOUD
NONE
EVIDENCE READINESS
92%
HOW IT WENT
The clock was already running. AWS account vetting takes time; ITAR-trained engineers are scarce; the contract had a hard deadline. We started by parallelising — the vetting paperwork moved through AWS while we worked the architecture in the commercial-region staging environment.
Control Tower handles GovCloud the same as commercial regions, with a few caveats around region availability. We baselined NIST 800-53 controls via Audit Manager, with custom controls for the ITAR-specific guardrails the contract required. The commercial-to-GovCloud boundary was made deliberately uncrossable — no shared VPC, no shared IAM principals.
The pilot workload landed in week seven. Contract start happened on schedule. The auditor’s pre-assessment gap report came in at 92% ready; the remaining 8% were procedural items the team closed in the first contract month.
RELATED · SAME DOMAIN
Other engagements in this space.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.