Anvil in US Government

I am just wondering if anyone has obtained an Authority To Operate (ATO) using Anvil within United States Government systems?

We are looking to possibly use Anvil for a small (non-critical) Department of Defense (DoD) system.

1 Like

I’m not sure what the requirements are for DoD, but be aware that hosted Anvil app servers are physically located in London.

Would be great to hear if someone has gone down this path.

1 Like

I forget that most people use Anvil on Anvil’s servers. (lol)

We deploy the open-source Anvil app server on a VM on our own infrastructure.

That is what I was referring to.

4 Likes

For those interested in the current status of the Anvil application server in US Federal Systems:

After reviewing Anvil against the Approved Products Lists (APL), Security Technical Implementation Guides (STIG), and FedRAMP, it was found that Anvil is not listed on any of these compliance repositories.

Why that is important:

  1. A STIG checklist contains guidelines for securely configuring the application and ensuring compliance for DoD systems.
  2. The lack of FedRAMP authorization indicates that Anvil has not gone through the (very rigorous) assessment required to manage federal data securely in a cloud environment.

Note: This just means that it has not yet been evaluated, not that it is denied due to known issues.

6 Likes