U.S. Department of Homeland Security
Legacy hosting configurations were not compatible with meeting FISMA, NIST, and DHS security requirements.
The Department of Homeland Security (DHS) has a vital mission to secure the nation from threats, with the support of more than 240,000 employees in jobs that range from aviation and border security to emergency response and cybersecurity analytics. DHS also provides career-long training to law enforcement professionals to help them fulfill their responsibilities safely and proficiently, and partners extensively with other agencies and stakeholders in training research and the exchange of best practices to ensure it offers the most effective training subject matter, technologies, and methodologies.
This DHS component agency’s public website consisted of a custom web content management system running on the Microsoft Windows Server platform. The website was hosted in a commercial data center not capable of meeting the government’s demanding FISMA, NIST and DHS security requirements. Developed and supported by the DHS agency’s administrative team, this public Internet-facing environment consisted of the agency’s main website, as well as a custom-built training scheduling and tracking sub-system.
DHS was looking for a government-certified, secure and cost-effective cloud provider to host and maintain its public website, one that would enable faster support and response time SLAs while maintaining and securing the highly sensitive personally identifiable information (PII) of law enforcement personnel in training.
One of the agency’s key requirements was to identify an experienced government cloud provider with its own hosting infrastructure, capable of providing fully managed Microsoft Windows Server and custom application managed services while also taking full responsibility for managing and securing the entire technical stack. Due to the highly sensitive information stored in the system, DHS contractually required the hosting vendor to meet the federal government’s demanding FISMA, OMB, and unique DHS security requirements for storing Personally Identifiable Information (PII) and to obtain a moderate impact Authorization To Operate (ATO).
Additionally, the agency was looking for specific experience in planning and expeditiously executing a transition from a prior hosting provider that would be transparent to Internet web visitors and law enforcement training beneficiaries.
Seamless transition to a government-certified cloud datacenter, with complete compliance documentation.
IT-CNP’s GovDataHosting cloud division team worked collaboratively with the DHS component stakeholders to establish a technical transition plan, as well as the required security compliance plan, to transition the system from the prior commercial datacenter to its government-certified cloud datacenter while preparing the necessary security compliance documentation and scheduling the required DHS security audit.
An expedited 3-month system implementation and transition phase included deployment of the public-facing website content on Microsoft Windows Server virtual servers in IT-CNP’s GovDataHosting Cloud Datacenter located in Columbia, Maryland, and preparation of over 800 pages of security compliance documentation, including the System Security Plan (SSP), Contingency Plan (CP), Configuration Management Plan (CMP), Incident Response Plan (IRP), Plan of Action and Milestones (POAM), vulnerability scan reports, compliance scan reports and other agency-specific documentation.
IT-CNP’s GovDataHosting security architects designed a secure multi-zone architecture based on defense in depth concepts to ensure multiple layers of protection for sensitive DHS data in the new hosted test and production environments. As part of the new contingency plan strategy, an identical copy of the production environment was deployed at IT-CNP’s GovDataHosting Cloud Datacenter located in Cleveland, Ohio as a hot stand-by alternate processing site, so that system service can quickly be restored in the event the primary cloud datacenter becomes unavailable.
IT-CNP’s GovDataHosting coordination team worked together with the software vendor to ensure that essential disaster recovery failover automation was established and tested to meet DHS’s aggressive recovery time (RTO) and recovery point (RPO) objectives, so that no data is lost in the event of a service failure at the primary datacenter site.
In preparation for the required security audit and authorization, all Microsoft Windows Server operating system and middleware components, as well as network, server and database components, were hardened using DHS hardening benchmarks and validated through automated compliance validation and vulnerability detection scans.
As part of the technical performance and information security continuous monitoring strategy, IT-CNP’s Network Operations Center (NOC) and Security Operations Center (SOC) were used for advanced 24/7/365 system event monitoring and vulnerability scanning.
IT-CNP’s GovDataHosting security management team coordinated all DHS security audit activities to assist the DHS-designated authorizing official and stakeholders with the review of system policies and procedures, the collection and review of over 340 unique system security audit artifacts, and the conduct of security-oriented personnel interviews, successfully completing the security audit with only a few minor low risk findings.
The new DHS hosted communications environment was issued an Authorization To Operate (ATO) based on DHS Moderate Impact requirements, and the web service was successfully transitioned to resolve to the new secure hosting datacenter during off-peak hours, transparently for system users.
Improved SLAs and streamlined technical tasking, allowing more time and energy to focus on the mission.
By transitioning to IT-CNP’s GovDataHosting national cloud datacenter infrastructure, the DoD mission team was able to better focus on delivery of health-related services to its beneficiaries while the SLAs were significantly improved. Specific technical tasking that used to take up to a month to complete in a military-operated datacenter would now be completed in under a day in the new hosted environment. IT-CNP’s GovDataHosting team managed all the underlying technical infrastructure components, military security compliance, information security continuous monitoring, vulnerability scanning, operating system patching, middleware patching, Drupal core patching, SharePoint farm patching, full-stack vulnerability remediation and disaster recovery.