U.S. Department of Defense
THE PROBLEM
Identify a provider capable of hosting a complex non-homogeneous environment.
The Department of Defense is the Federal Government's largest agency and one of the most complex organizations in the world. With more than 1 million active duty service members and over 700,000 civilian personnel, the DoD is the nation's largest employer.
As part of its mission, DoD supports the delivery of integrated, affordable, and high-quality health services to its beneficiaries. To assist its beneficiaries in distributing relevant medical information, DoD stakeholders needed a fast-paced and secure hosting environment to support rapid information dissemination to the public and its private data exchange partners.
This DoD component’s communications environment consisted of multiple public-facing websites built on a Red Hat Enterprise Linux custom application as well as the Drupal content management system. The component’s private information exchange environment consisted of multiple audience-specific Microsoft SharePoint farms installed on the Microsoft Windows Server platform. The entire communications environment was hosted in a military datacenter. Developed and supported by government-managed software development teams, the public-facing environment consisted of multiple agency websites, a specialized military social network, suicide prevention content and mobile apps.
DoD was looking for a military-certified, secure and cost-effective government cloud provider to host and maintain its suite of public and private communications websites, with faster support and response-time SLAs than those provided internally by the military datacenter. The challenge was also to identify a provider capable of hosting a complex non-homogeneous environment of Microsoft Windows Server and Red Hat Enterprise Linux virtual servers, security appliances and integrations, while maintaining and securing the personally identifiable information (PII) of DoD end users and data exchange partners.
The agency was also looking for an experienced government cloud provider with its own hosting infrastructure, capable of providing fully managed Microsoft SharePoint farm and Drupal platform administration services and of taking full responsibility for managing and securing the entire technical stack. Because of the information contained in the system, DoD contractually required the hosting vendor to meet the federal government’s demanding FISMA, OMB and unique DoD security requirements for storing Personally Identifiable Information (PII) and to obtain an Authorization To Operate (ATO).
Additionally, the agency was looking for specific experience in planning and expeditiously executing a highly complex system transition from a military datacenter, including a strategy to maintain its critical services, e.g. DoD Common Access Card (CAC) authentication for support personnel and single sign-on authentication for web visitors.
THE SOLUTION
Design a secure multi-zone architecture based on defense-in-depth concepts to provide multiple layers of protection for sensitive DoD data.
IT-CNP’s GovDataHosting cloud division team worked collaboratively with the DoD component stakeholders to establish a technical transition plan and the required security compliance plan for transitioning the system from the military datacenter to IT-CNP’s government-certified cloud datacenter, while preparing the necessary security compliance documentation and scheduling the required DoD security audit.
The expedited 3-month system implementation and transition phase included deployment of the Drupal content management system websites on Red Hat Enterprise Linux virtual servers and the Microsoft SharePoint farm software on Microsoft Windows Server virtual servers in IT-CNP’s GovDataHosting Cloud Datacenter in Columbia, Maryland, as well as preparation of over 1,400 pages of security compliance documentation, including the System Security Plan (SSP), Contingency Plan (CP), Configuration Management Plan (CMP), Incident Response Plan (IRP), Plan of Action and Milestones (POAM), and other agency-specific documentation.
IT-CNP’s GovDataHosting security architects designed a secure multi-zone architecture based on defense-in-depth concepts, providing multiple layers of protection for sensitive DoD data, and deployed it for the new hosted development, test, staging and production environments. As part of the contingency plan strategy, an identical copy of the production environment was deployed at IT-CNP’s GovDataHosting Cloud Datacenter in Cleveland, Ohio as a hot-standby alternate processing site, so that system service can be restored quickly in the event the primary cloud datacenter becomes unavailable.
IT-CNP’s GovDataHosting coordination team worked with the software vendor to ensure that the essential disaster recovery failover automation was established and tested to meet DoD’s aggressive recovery time objective (RTO) and recovery point objective (RPO), so that no data is lost in the event of a primary datacenter site service failure.
In preparation for the required security audit and authorization, all SharePoint and Drupal components, as well as the network, server and database components, were hardened using DoD Security Technical Implementation Guides (STIGs). Where native Microsoft Windows Server and Red Hat Enterprise Linux functionality was not available, IT-CNP’s GovDataHosting security team deployed additional custom features through scripting to ensure full compliance with the demanding DoD Information Security Program security control requirements.
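As an added illustration of what STIG-style hardening through scripting looks like on the Linux side (this is example code written for this page, not IT-CNP’s or DoD’s own script, and it quotes no specific STIG rule or finding ID), the script below audits an sshd_config-like file against a small hardening baseline and then rewrites the file so that every baseline directive is set. The baseline directives and values, the helper names and the sample configuration are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not IT-CNP's or DoD's own script: a STIG-style hardening
# audit-and-remediate routine for an sshd_config-like file. The baseline
# directives and values below are assumptions chosen for illustration; they
# do not quote any specific STIG rule or finding ID.

# Assumed hardening baseline: "Directive=ExpectedValue" pairs.
SSHD_BASELINE="PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no ClientAliveInterval=600 Ciphers=aes256-ctr,aes192-ctr,aes128-ctr"

# Write a constructed, deliberately non-compliant sample config to the given path.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not taken from any real host)
Port 22
Protocol 2
PermitRootLogin yes
PermitEmptyPasswords no
X11Forwarding yes
#ClientAliveInterval 600
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
EOF
}

# Value of the first active (uncommented) occurrence of a directive, matched
# case-insensitively the way sshd matches keywords; empty if it is not set.
# Usage: active_value <config-file> <directive>
active_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Audit: print one "FINDING:" line per deviation from the baseline and one
# "ok:" line per compliant directive. Always returns 0 so it can run under
# "set -e"; count the FINDING lines to get the result.
audit_sshd_config() {
    cfg="$1"
    for check in $SSHD_BASELINE; do
        key="${check%%=*}"
        expected="${check#*=}"
        actual=$(active_value "$cfg" "$key")
        if [ -z "$actual" ]; then
            echo "FINDING: $key is not set (expected $expected)"
        elif [ "$actual" != "$expected" ]; then
            echo "FINDING: $key is '$actual' (expected $expected)"
        else
            echo "ok: $key $actual"
        fi
    done
    return 0
}

# Remediate: for every baseline directive, drop any active line for that
# keyword and append the baseline value, so the file ends up compliant
# regardless of what was there before. Comments and other directives are kept.
harden_sshd_config() {
    cfg="$1"
    tmp=$(mktemp)
    for check in $SSHD_BASELINE; do
        key="${check%%=*}"
        expected="${check#*=}"
        awk -v k="$key" 'tolower($1) != tolower(k)' "$cfg" > "$tmp"
        printf '%s %s\n' "$key" "$expected" >> "$tmp"
        cat "$tmp" > "$cfg"
    done
    rm -f "$tmp"
}

# Demo: audit the constructed sample, harden it, and audit it again.
sample=$(mktemp)
write_sample_config "$sample"
echo "--- before hardening ---"
audit_sshd_config "$sample"
harden_sshd_config "$sample"
echo "--- after hardening ---"
audit_sshd_config "$sample"
rm -f "$sample"
```

On the constructed sample the first audit reports three findings (root login permitted, X11 forwarding enabled, idle timeout commented out) and the audit after hardening reports none. In practice the audit and remediate steps are kept separate, as here, so that a run in audit-only mode can feed an assessment report without changing the host.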
As part of the technical performance and information security continuous monitoring strategy, IT-CNP’s Network Operations Center (NOC) and Security Operations Center (SOC) provided advanced 24/7/365 system event monitoring and vulnerability scanning.
IT-CNP’s GovDataHosting security management team coordinated all DoD security audit activities, assisting the DoD designated authorizing authority stakeholders with the review of system policies and procedures, the collection and review of over 375 unique system security audit artifacts, and security-oriented personnel interviews, to complete the security audit successfully with only a few minor low-risk findings.
The new DoD hosted communications environment was issued an Authorization To Operate (ATO) based on DoD Moderate Impact requirements, and service for all technical components was successfully transitioned.
THE RESULTS
Improved SLAs and streamlined technical tasking, allowing more time and energy to focus on the mission.
By transitioning to IT-CNP’s GovDataHosting national cloud datacenter infrastructure, the DoD mission team was able to focus better on delivering health-related services to its beneficiaries while SLAs improved significantly. Specific technical tasking that used to take up to a month to complete in the military-operated datacenter is now completed in under a day in the new hosted environment. IT-CNP’s GovDataHosting team managed all the underlying technical infrastructure components, military security compliance, information security continuous monitoring, vulnerability scanning, operating system patching, middleware patching, Drupal core patching, SharePoint farm patching, full-stack vulnerability remediation and disaster recovery.