U.S. Department of Veterans Affairs
THE PROBLEM
Identify an independent and secure government cloud provider to host and maintain its Drupal Career Website.
The United States Department of Veterans Affairs (VA) is a federal Cabinet-level agency that provides healthcare services to military veterans at medical centers and outpatient clinics located throughout the country.
With over 300,000 active employees, VA has a highly complex number of career growth paths. To assist VA employees with career path choices, VA has established a comprehensive Career Website based on Drupal content management system and a suite of custom software applications.
VA was looking for an independent and secure government cloud provider to host and maintain its Drupal Career Website. The challenge was to identify a provider capable of hosting a complex non-homogeneous environment comprised of Microsoft Windows Server and Red Hat Enterprise Linux virtual servers, security appliances and integration to commercial human resource services while maintaining and securing personally identifiable information (PII) of VA existing and prospective employees.
Developed by a large government contractor software vendor, the Drupal Career Website program team consisted of program management, software development, testing and human resource professionals, the team needed assistance to securely host the system taking it from existing prototype to a full production ready redundant system.
The software vendor was also looking for a cloud provider with its own infrastructure capable of providing fully managed Drupal platform administration service to take on responsibility for managing and securing the entire technical stack. Due to information contained in the system and system interfaces, VA contractually required the software vendor to meet federal government’s demanding FISMA, OMB, and unique VA security requirements for storing Personally Identifiable Information (PII) and obtaining an Authorization To Operate (ATO).
THE SOLUTION
Provide fully managed Drupal platform administration service for managing and securing the entire technical stack.
IT-CNP’s GovDataHosting cloud division team collaboratively worked with the VA software vendor team to establish a technical deployment plan, as well as the required security compliance plan to deploy the system to its government certified cloud datacenter while preparing the necessary security compliance documentation and scheduling the required VA security audit.
An expedited 4-month system deployment phase included deployment of Drupal Microsoft Windows Server and Red Hat Enterprise Linux virtual servers in IT-CNP’s GovDataHosting Cloud Datacenter located in Columbia, Maryland and preparation of over 900+ pages of security compliance documentation including System Security Plan (SSP), Contingency Plan (CP), Configuration Management Plan (CMP), Incident Response Plan (IRP), Plan of Action and Milestones (POAM), and agency-specific documentation.
IT-CNP’s GovDataHosting security architects have designed a secure multi-zone design based on defense in depth concepts to ensure multiple layers for sensitive VA data protection deployed for the new hosted development, test, staging and production environments. As part of contingency plan strategy, an identical copy of the production environment was deployed at IT-CNP’s GovDataHosting Cloud Datacenter located in Cleveland, Ohio as a hot stand-by alternate processing site to ensure that system service can quickly be restored in an event the primary cloud datacenter becomes unavailable.
IT-CNP’s GovDataHosting coordination team worked together with the software vendor to ensure that essential disaster recovery fail over automation was established and tested to meet VA’s aggressive recovery time (RTO) and recovery point (RPO) objectives to ensure that no data is lost in an event of a primary datacenter site service failure.
In preparations for the required VA security audit, all Drupal Career Website network, server and database components were hardened based on IT-CNP’s GovDataHosting Cloud Datacenter hardening standards that are based on Center for Internet Security (CIS) and DoD Security Technical Implementation Guides (STIGs). IT-CNP’s GovDataHosting security team deployed additional custom features through scripting to ensure that full compliance with demanding VA security control requirements were met where native Microsoft Widows Server and Red Hat Enterprise Linux functionality was not available.
As part of technical performance and information security continuous monitoring strategy, IT-CNP’s Network Operations Center (NOC) and Security Operations Center (SOC) were used for advanced 24/7/365 system event monitoring and vulnerability scanning.
IT-CNP’s GovDataHosting security management team coordinated all VA security audit activities to assist a team of VA auditors with review of system policies and procedures, collection and review of over 350+ unique system security audit artifacts, and conducting security-oriented personnel interviews to successfully complete the security audit with only a few minor low risk findings.
VA Drupal Career Website was issued an Authorization To Operate (ATO) based on VA Moderate Impact requirements and the website went live shortly thereafter.
THE RESULTS
Improved focus on website software enhancements, testing, and customer relationship management with VA program stakeholders.
By transitioning to IT-CNP’s GovDataHosting national cloud datacenter infrastructure, the VA Drupal Career Website software vendor was able to better focus on website software enhancements, testing and customer relationship management with VA program stakeholders, while IT-CNP’s personnel manage all the underlying technical infrastructure components, security compliance, information security continuous monitoring, vulnerability scanning, operating system patching, middleware patching, Drupal core patching, full-stack vulnerability remediation and disaster recovery.
