Aspire for GovCon Compliance.

Compliance mandates for government contractor information systems continue to expand in complexity and scope. Aspire's security and compliance regimes grow right along with them.

As FAR rule 52.204-21 was finalized – requiring government contractors and subcontractors to apply “basic safeguarding measures” for all their information systems – and the cybersecurity guidelines from NIST publication 800-171 came into effect – protecting “controlled unclassified information” on all contractor computers and information systems – Aspire's Cloud security controls had already been cross-checked to ensure complete compliance.

When it comes to security and compliance our message is simple. For nearly 15 years the Aspire Cloud infrastructure has delivered the most secure and compliant accounting, project management, collaboration, automation and integration solutions for government contractors. We are passionate about securing your most precious project, financial, personnel and contract information, because we know that you are too.

We also understand that your systems don’t stand still. Our customers are constantly evaluating their current software options for enhanced security, increased efficiencies and cost savings. As you consider your accounting, project reporting or business automation systems, keep in mind these important security and compliance facts.

1. Most software sales reps talk a good game when it comes to security. But no matter what they say, remember that your business holds executive responsibility for whether your systems truly meet the growing list of compliance mandates. At the end of the day, it’s YOUR contracts at risk if your security is not up to par.

2. All Seaport-E contracts require ITAR compliance, and Aspire is the only GovCon Cloud ERP that assures comprehensive ITAR control. Here’s why. Aspire owns its hosting infrastructure and does not use consultants or subcontractors. All Aspire employees are U.S. citizens, and all Aspire Hosting Centers are in the continental United States.

Virtually all other Cloud ERPs for GovCons outsource their infrastructure to third parties. However, these third parties’ compliance certifications DO NOT COVER their prime providers. For instance, Deltek’s Support staff for Costpoint SaaS is in the Philippines, an ITAR breach that AWS’s compliance can’t fix. (AWS is the outsourced hosting provider for Deltek SaaS and others.)

Most Army, Navy, Air Force and intelligence community contract vehicles also require ITAR compliance.

3. FAR rule 52.204-21 mandates that all federal prime contractors and subcontractors meet “basic safeguarding measures for all contractor information systems – any information system owned and operated by a contractor that processes, stores, or transmits Federal contract information.”

This includes your accounting and CRM systems, project management and reporting tools, document storage, system integrations and email. The FAR rule DOES NOT distinguish between types of information, and broadly outlines a basic set of protections for ALL federal contract information. Aspire meets and exceeds FAR standards.

4. FedRAMP standards require both Encryption-In Flight and Encryption At-Rest for all applicable government contractor information systems, be they running on premise or hosted in The Cloud.

Aspire's comprehensive encryption at rest encompasses NOT ONLY DATA STORAGE, but also all data “waypoints” used for system transfer and caching, as well as all volumes and all file systems.

FAR this. NIST that. ITAR? What’s next?

As a government contractor your security and compliance requirements are always growing. When you talk with your software and Cloud vendors the acronyms really start flying. How can you stay in control?

The good news is that when it comes to your information systems, one standard rises above them all to assure security – the SOC2 Type II audit. Every Cloud software provider – including ALL of their outsource partners, subcontractors and consultants – must be audited per the AICPA’s “Trust Services Principles” in order to prove their compliance (or lack thereof).

As you evaluate your systems and plan for compliance changes in the future, our advice is to ignore the sales talk and the bluster, and to simply ask to see your providers’ SOC2 audit reports. LET THAT DOCUMENT BE YOUR GUIDE, as it outlines your vendor’s IT controls, compliance measures, and – most critically – the scope of their security.

Just as your financials are audited every year to assure compliance with accounting standards, software providers are evaluated annually to assure their compliance with security standards.

Remember, any provider that outsources its Cloud delivery or that uses subcontractors and consultants must provide you with multiple SOC2 audit reports – their partners’ audits DO NOT cover the prime provider itself, and the prime’s audit DOES NOT cover its subs.

Complete SOC2 Type II Audit Assurance


Aspire’s annual AICPA SOC2 Type II audit assures comprehensive security and compliance across the “full stack” of our Cloud delivery and services.

FAR 52.204-21 and NIST 800-171.
Aspire’s system description, audit controls and testing align with all FAR52 and NIST800 requirements.

Aspire owns and operates it Cloud hardware and infrastructure.

Aspire never uses subcontractors in any facet of its Cloud delivery and services.

All Aspire data migration and conversion tools are delivered within our SOC2-assured Cloud, thereby maintaining security and compliance integrity.

ITAR. All Aspire facilities are in the continental United States. All Aspire employees are U.S. citizens.

FEDRAMP. Aspire security controls align with FEDRAMP standards, including Encryption At Rest.

CMS. Aspire’s SOC2 Type II audited controls incorporate all Centers for Medicare & Medicaid Services and HHS compliance standards.

DISA. Aspire’s SOC2 Type II audited controls incorporate all Defense Information Systems Agency compliance standards.

MA201. Aspire’s SOC2 Type II audited controls incorporate all Massachusetts Commonwealth Standards for the Protection of Personal Information, the leading privacy statute in the U.S.

SOX. Aspire’s SOC2 Type II audited controls incorporate all Sarbanes-Oxley Act compliance standards.

Every year, we expand Aspire's audit scope to meet the growing regulatory needs of our customers. Let us know what you need.