RMF Accreditation for a Mission-Critical DoD AWS Environment

About the Customer: The U.S. Army War College (“Client”) is an educational institution that provides graduate-level instruction to senior military officers and civilians to prepare them for senior leadership assignments and responsibilities. The Client is a split-functional institution with emphasis on research and on student instruction in leadership, strategy, and joint-service/international operations. The COMPASS application portal lets students manage Biobook, a personal data manager, paper requirement uploads, computer account management, grades, library access, program-related tasks, and courseware content.

Customer Challenge: The Client’s cloud environment was established to give personnel outside of their domain reach-back access to the Client’s products and research materials. The initial deployment accepted a level of risk the Client was comfortable with, but the environment had changed and requirements grew significantly while distance education course delivery had to be maintained. The Risk Management Framework (RMF) is a disciplined and structured process that combines information system security and risk management activities into the system development life cycle and authorizes a system’s use within the Department of Defense (DOD). The Client was required to achieve RMF accreditation of its cloud environment and custom application, COMPASS. Failure to obtain the RMF accreditation would have limited access to critical Client systems for international students and others traveling abroad.

Partner Solution: The Client’s Executive Officer updated his objectives with a commercial-first mandate for new academic solutions: if an IT service or solution is not required to reside within the Army enclave, a commercial solution is preferred.

The Client established the domain to expand the outreach and influence of the College. The Client’s network blocks internet connectivity to many foreign countries, limiting access to the College’s research and publications. Hosting the domain in the cloud expands the College’s audience and academic outreach, and the domain also improves communication with the College’s International Fellows and Fellowships. The Client addressed internal restrictions on foreign publications by installing local commercial internet connectivity in the campus and seminar rooms.

The public sites contained only public information and maintained their original Impact Level (IL)-2 configuration until 2020. The approval from the Army’s Enterprise Cloud Management Office was due to expire, and the cloud environment needed an Authority to Operate (ATO). The Client started an RMF review and acknowledged the need for additional security services within the AWS environment.

The Client raised the security level of the AWS cloud environment to DOD IL-4, which aligned with the desire to incorporate an expanded commercial footprint. The enhanced cloud security contract allowed A&T Systems, Inc. (A&T) to apply its experience to ensure a successful RMF assessment.

To ensure the application and environment remain operational and in compliance with IL-4 policies, AWS GovCloud was determined to be the best environment for availability, security, continuous monitoring, and management to meet DOD RMF accreditation.

A&T provided a comprehensive redesign, implemented additional security capabilities and controls, and migrated to AWS GovCloud to position the Client’s COMPASS application for RMF accreditation. The scope of work included:

  • Maintain a Client vulnerability assessment application instance inside the cloud environment
  • Deploy and maintain an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) in the current cloud environment
  • Deploy and maintain firewalls in the cloud environment
  • Implement and maintain application security solutions
  • Provide scalable backup and storage solutions
  • Implement and maintain messaging solutions
  • Configure a continuous monitoring system provided by the Client for the environment that allows for alert notifications, firewall and IDS monitoring, and DNS management
  • Maintain development, staging, and production environments that allow for controlled cutover operations and minimize the risk of data loss
  • Maintain patch management solutions under the guidance of the Client Program-Information System Security Manager (P-ISSM)/O-ISSM
  • Implement and maintain remote administration
  • Coordinate all changes, updates, potential adverse effects, and associated administrative actions within the AWS environment through this office prior to execution
  • Maintain accurate documentation of changes to the environment
Amazon Web Services (AWS) services used:

  • AWS Certificate Manager
  • AWS KMS
  • AWS CloudFormation
  • AWS Lambda
  • AWS Step Functions
  • AWS CloudTrail
  • AWS Lightsail
  • AWS CloudWatch
  • AWS RDS
  • AWS VPC
  • AWS CodeCommit
  • AWS S3
  • AWS Compute
  • AWS SES
  • AWS Config
  • AWS SNS
  • AWS IAM
  • AWS SQS

Results and Benefits: The Client was able to provide a DOD RMF-accredited, AWS-hosted website and access to the armywarcollege.edu domain for International Fellows and other students traveling in foreign countries. The AWS solution ensures 99.999% uptime. AWS GovCloud was able to accommodate the design and functionality required for DOD compliance as well as the flexibility a distance-education institution needs.

We also implemented Information Security Continuous Monitoring (ISCM): continuous monitoring began the moment the system and application were granted an ATO.

The Client’s GovCloud environment uses virtual systems to host the web servers and Amazon Relational Database Service (RDS) for MS SQL Server. A Barracuda Firewall and Web Application Firewall (WAF) provide perimeter security: the firewall operates as a proxy, handling external visitor requests so that visitors never have direct access to the virtual servers. We also run virtual servers for scanning and logging services to monitor the servers and services. AWS CloudWatch provides system and service metrics with alarms to maintain the environment’s health, and AWS Backup automates the scheduling, storage, and retention of full server backups.

The Client hosts its GovCloud environment within a Virtual Private Cloud (VPC) using virtual subnets, load balancers, Access Control Lists (ACLs), and policies. The disaster recovery plan mirrors the virtual network, the database servers, and essential services and servers to a different GovCloud region to ensure service continuity. AWS Identity and Access Management (IAM) provides two-factor authentication and the policies and permissions that enforce the separation-of-duties security controls.
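As an added illustration of the IAM control described above (example code, not the Client’s or A&T’s actual policy), the following Python models the common AWS “deny unless MFA” policy pattern and a simplified version of IAM’s evaluation rules (explicit Deny wins, default Deny), so the effect of the `aws:MultiFactorAuthPresent` condition can be checked offline. The policy statements, the action set and the reduced evaluator are assumptions made for this example.

```python
# Constructed example (not the Client's or A&T's real policy): an IAM policy that denies
# everything except MFA-enrolment actions without MFA, plus a simplified IAM evaluator.
MFA_SETUP_ACTIONS = ["iam:ListMFADevices", "iam:CreateVirtualMFADevice",
                     "iam:EnableMFADevice", "sts:GetSessionToken"]

MFA_ENFORCING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Day-to-day permissions (constructed example set).
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        # Needed so a user can enrol an MFA device in the first place.
        {"Effect": "Allow", "Action": MFA_SETUP_ACTIONS, "Resource": "*"},
        # Deny everything else unless MFA is present; BoolIfExists also denies when the key is absent (long-term keys).
        {"Effect": "Deny", "NotAction": MFA_SETUP_ACTIONS, "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _action_matches(pattern, action):
    # IAM action patterns: exact match or trailing-'*' wildcard (simplified).
    pattern, action = pattern.lower(), action.lower()
    return pattern == "*" or action == pattern or (
        pattern.endswith("*") and action.startswith(pattern[:-1]))

def _statement_applies(stmt, action, context):
    # Simplification: Action / NotAction are given as lists, Resource is ignored.
    if "Action" in stmt and not any(_action_matches(p, action) for p in stmt["Action"]):
        return False
    if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
        return False  # NotAction: the statement covers everything except these
    # Condition block: only the Bool / BoolIfExists operators are modelled.
    for operator, checks in stmt.get("Condition", {}).items():
        for key, expected in checks.items():
            actual = context.get(key)
            if actual is None and operator == "BoolIfExists":
                continue  # key absent: the ...IfExists form counts as satisfied
            if str(actual).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, context):
    """IAM decision: explicit Deny wins, else Allow if any statement allows, else Deny."""
    decision = "Deny"  # implicit deny by default
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Calling `evaluate(MFA_ENFORCING_POLICY, "s3:GetObject", {})` models a long-term access key with no MFA context key and returns "Deny", while the same call with `{"aws:MultiFactorAuthPresent": "true"}` returns "Allow".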

About the Partner: A&T Systems has been a trusted advisor to the Government for almost four (4) decades and has been an AWS Advanced Consulting Partner for over nine years. A&T is an AWS Solutions Provider and a recent graduate of the AWS Partner Transformation Program (PTP). PTP is a comprehensive assessment, training, and enablement program focused on further building and reinforcing a successful AWS Cloud business practice. Our clients find that A&T is Flexible, Responsive, Innovative, Stable, and Cost-efficient (FRISC).

A&T Systems is an AWS Advanced Consulting Partner and an Authorized Government Reseller Partner. As an AWS Authorized Government Partner, its cloud architects, DevOps and technical support staff, billing experts, and project managers enhanced the security of the Client’s GovCloud environment.