All data collected in Symphony is accessible via the program interface or through requested reporting. The final contract files containing all the documents uploaded by industry as part of their offer, award documents, and evaluation documents can be provided to a specified System of Record.
Symphony is a cloud computing system and as such it complies with 252.239-7010 (per 252.204-7012 (b) (1) (i)). Symphony is proposed to run on GSA 18F’s cloud.gov platform which itself is a PasS running on AWS. Since cloud.gov is owned and run by the U.S. Federal Government and is FedRAMP moderate, many of its controls and provisions are inherited by Symphony. This includes ensuring that the execution environment and data are encrypted at rest and in transit, and that the data remains within the United States (AWS GovCloud). Furthermore, the data is always under the control of the US Government and Apex Logic can in no way impede access to the underlying data for any purpose including authorized use by third parties, subpoenas, or forensic analysis. Finally, Apex Logic agrees to all other provisions and clauses as stated in 252.239-7010.
Symphony handles Controlled Unclassified Information (CUI) and as such, it has been evaluated and granted an ATO by GSA using the FedRAMP Moderate baseline. A self-assessment using instruction 8582 was conducted and a government acceptance with conditions was recommended on 9/27/2022 for a period of 1 year. The next step of this process is to formalize a DoD Impact Level 4 (IL4) authorization.
GSA 18F provides cloud.gov as a turnkey hosting platform that runs on top of Amazon Web Services. The platform has been used since 2017 to host Symphony for GSA activities. Three-year Authorization to Operate was granted by GSA on March 23, 2020, at a FISMA Moderate level using the FedRAMP Moderate baseline. Symphony is currently in the process of recertification and is scheduled to have the ATO renewed within the next month. Symphony can be deployed to cloud.gov on an agency provided account as a cloud computing Software-as-a-Service (SaaS) solution managed by GSA in an environment that is FedRAMP Authorized at the Moderate Impact Level (cloud.gov)
Symphony requires 2-factor authentication for all users and enables system administrators or authorized users to manage user roles and change security profiles.