In 2011, the Office of Management and Budget (OMB) released the Federal Cloud Computing Strategy, also known as “Cloud First.” The purpose of Cloud First was to mandate the Federal Government’s transition to the cloud, which would facilitate the modernization and consolidation of Federal Information Technology and “improve citizen-facing services, accessibility, and maintain cybersecurity.”
Though the Cloud First directive required that federal agencies migrate to cloud-native solutions, it did not provide specific guidance on how to accomplish cloud adoption. Seven years later, OMB released the “Cloud Smart Strategy,” which built upon the principles of Cloud First but included clearer directions on how federal agencies can achieve full cloud adoption.
Despite directives to think “Cloud First,” government cloud initiatives stumbled out of the gate – often due to fears about cloud security and changes that would be needed to agency policies, processes and culture. But the federal government and the military can no longer afford to waste time prolonging cloud adoption over unfounded challenges. This is evident from the recent Colonial Pipeline cyberattack and from the latest Executive Order from President Biden, which specifically lists the cloud as an essential cybersecurity resource for the protection of federal digital infrastructures.
Cloud adoption has also enabled federal agencies and military organizations to make their application and data management more efficient and secure. Not only is the migration to cloud-based solutions key to digital infrastructure security, it has proven to be cost effective for federal agency budgets and beneficial to constituent experience.
The GovCyberHub recently sat down with Brian Schoepfle, Sr. Partner Solutions Architect at Amazon Web Services (AWS), to discuss how cloud-native solutions are modernizing and consolidating federal government and military IT infrastructures and how these solutions are actually making government agencies more secure.
GovCyberHub: What role are public clouds playing in federal government digital transformation initiatives?
Brian Schoepfle: The benefits of cloud adoption to government agencies are well-publicized and, while the historical drivers of cloud adoption have been centered around cost savings, cloud technology provides unique capabilities that federal agencies are using to improve the lives and experiences of their constituents.
Governments around the world want to accelerate their digital transformation to offer simpler access to citizen services online and earn trust with effective solutions. This includes things like being able to send notifications to users, providing a single log-in for government services, or publishing public health information in the wake of a pandemic.
U.S. government customers place a premium on features and functionality that provide for a better constituent experience. With increased emphasis on evidence-driven approaches to service delivery, federal agencies are transforming outdated systems and turning to data management and analytics capabilities on highly-compliant cloud platforms such as AWS GovCloud for improved data quality, operational efficiency and mission outcomes. Customers like the Defense Logistics Agency (DLA) have leveraged the performance and scale of the AWS Cloud to tremendous benefit.
The DLA is responsible for managing the global supply chain for our armed forces. As part of their digital transformation efforts, the DLA migrated five mission-critical applications – which had more than 70 external interfaces, over 200 virtual machines, and more than 300 TB of data – to the cloud in just 138 days, nearly six weeks ahead of schedule. The successful migration of these applications delivered significant cost savings to the government, increased efficiency for application management teams, and improved customer experiences.
The Navy worked with AWS and SAP National Security Services to migrate the services’ large SAP enterprise resource planning (ERP) system to AWS GovCloud (US). The new system, which includes Controlled Unclassified Information (CUI), displays details on inventory and the movement of tens of billions of dollars in parts and services into a single, widely available solution set. It supports over 72,000 users and 6 U.S. Navy commands while helping staffers make up-to-date and informed decisions related to logistics, financial reporting, and budgets. It can also be set up to display maintenance and repair logs. The Navy also procured high-end inline databases and other brand-name solutions to help internal customers securely move applications and workloads to the cloud. The full migration was completed ahead of schedule and under budget.
GovCyberHub: What types of government systems and applications are being constructed and hosted in public and hybrid cloud infrastructure? Why is cloud hosting a better option for these systems and applications?
Brian Schoepfle: It’s important to recognize just how few IT systems in government are still “stand-alone.” As a result of the mandated Data Center Optimization Initiative and the “Cloud Smart” strategy, data is increasingly shared across systems, and access to those systems is shared as well. On top of that, the volume of data continues to grow at incredible rates.
Shared and distributed systems, particularly those with large datasets, lend themselves particularly well to cloud deployment. Andrea Norris, CIT and Chief Information Officer at the National Institute of Health (NIH), has shared how the cloud is helping her agency make use of the data they collect and generate, fundamentally changing the way they do science by making data more accessible. Research, analytics, and data processing systems built in the cloud are making the NIH more effective at finding cures and treatments for disease.
Other federal agencies are using the cloud to improve how they interact with the constituents they serve. To help bring the Census online, the Census Bureau moved its 2020census.gov website to AWS GovCloud (US), Amazon’s Regions designed to host sensitive data and address the most stringent U.S. government security and compliance requirements.
For the past three years, AWS has been working with the Census Bureau to bring its vision of a digital census into reality. From getting the right infrastructure framework in place to processing and storing the information collected, the Census Bureau has turned to AWS to support its work across its survey processes.
The Census Bureau already has nine petabytes of data on AWS GovCloud (US), and over 4,000 Amazon Elastic Compute Cloud (Amazon EC2) instances allow 2020census.gov to scale in order to meet the demands of millions of users. In particular, Amazon DynamoDB, a database service, enables response collection to scale on mobile or desktop from coast to coast, ensuring the responses are secure and accurate.
The cloud’s ability to scale to meet demand, securely process enormous amounts of data, and reliably serve the needs of US citizens and residents across the country and around the world is unique. It would not be financially practical or, in some cases, technologically possible, to replicate this level of performance and elasticity in on-premises environments.
GovCyberHub: When cloud computing and cloud resources were emerging and gaining adoption, we saw an initial reticence among government organizations – at all levels and across all sectors of the government – to embrace cloud solutions. What role did security play in that reticence? Has that changed, and what have cloud providers – such as AWS – done to put security and other concerns to rest?
Brian Schoepfle: The federal government has many of the same needs as most organizations – to achieve their mission, agencies, departments, and teams require flexible and scalable systems to improve the customer experience and efficiently deliver mission-critical services and information. Government agencies, as well as highly-regulated industries, are entrusted with large and diverse sets of information pertaining to everything from healthcare patient data and financial systems to energy production and national security. They have a responsibility to comply with mandates such as the Federal Information Security Management Act (FISMA), Federal Information Processing Standards (FIPS), Federal Risk and Authorization Management Program (FedRAMP), the Department of Defense Security Requirements Guide (DoD SRG), Criminal Justice Information Services (CJIS), and International Traffic in Arms Regulations (ITAR).
Security at AWS is our top priority. Today, AWS protects millions of active customers around the world, from large enterprises and government organizations, to start-ups and non-profits. Through these relationships, we’ve developed best-in-class resources to allow customers from any industry to quickly understand how to achieve compliance in the AWS Cloud. AWS customers inherit all of the benefits of our experience, including best practices for security policies, architecture, and operational processes validated against external assurance frameworks.
AWS has built some capabilities to address the very specific needs of our government and other public sector customers. AWS GovCloud gives government customers and their partners the flexibility to architect secure storage solutions that comply with: the FedRAMP High baseline, the DOJ’s CJIS Security Policy, U.S. ITAR, Export Administration Regulations (EAR), DoD SRG for Impact Levels 2, 4 and 5, FIPS 140-2, IRS-1075, and other compliance regimes.
GovCyberHub: What are cloud providers like AWS doing today to protect and secure their infrastructure? How does this make cloud infrastructure on-par – or even more secure – than government-owned infrastructure?
Brian Schoepfle: When it comes to evaluating the benefits of cloud computing over on-premises infrastructure, government customers understand that when IT systems do remain on-premises, they will be missing out on the benefits that come with the shared responsibility model. This shared model can help relieve the customer’s operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall.
Legacy systems require customers to manually execute patching and security updates. If agencies fall behind in addressing these issues, they risk becoming increasingly vulnerable to breaches, ransomware, and other cyberattacks. Modernized and cloud-native solutions for government customers include enhanced monitoring capabilities, network segmentation, and FIPS-2 compliant encryption controls. These benefits, along with many others, allow agencies and departments to quickly and easily prevent, detect, and remediate threats much faster than they would be able to in traditional datacenters. This makes the cloud more secure than client/server solutions.
The Defense Intelligence Agency (DIA) provides intelligence that delivers decision advantage in support of military missions globally. It recognizes that the Intelligence Community faces a data explosion and rapid technology changes that challenge its ability to quickly deliver insightful and actionable intelligence. By leveraging the performance, scale, efficiency, and security of AWS, the cloud has become central to the Intelligence Community’s IT strategy to remain agile, adaptive, and accessible at the mission edge.
GovCyberHub: What tools – including AI and ML tools – are available to government users through their cloud providers to help them build secure applications and keep them secure?
Brian Schoepfle: Customers can trust that AWS is designed to help them build secure, high-performing, resilient, and efficient infrastructure for their applications of nearly any type. World-class security experts who monitor our infrastructure also build and maintain our broad selection of innovative security services, which can help customers simplify meeting their own security and regulatory requirements. AWS has 124 fully-featured services authorized or in-review for FedRAMP Moderate baseline and 106 approved or in-review for FedRAMP High baseline.
For example, if customers seek encryption and security controls, services like AWS Certificate Manager, AWS Secrets Manager, and AWS Key Management Service (KMS) can meet their needs. AWS also offers monitoring and observability through solutions like Amazon CloudWatch and AWS CloudTrail.
Services like the AWS Security Hub provide customers with a central location to view and act on alerts and findings from ML-backed AWS security and privacy services like Amazon GuardDuty, Amazon Macie, Amazon Inspector, and Amazon Detective. Additionally, AWS provides customers with network security services like AWS Web Application Firewall and AWS Shield Standard and Shield Advanced.
Customers building applications on AWS will be particularly interested in Amazon Inspector. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity.
In the federal government, innovation can’t happen without security. That innovation must be developed with security in mind—and not as an afterthought. Developing with security in mind helps deliver innovations to service members faster.