HEAVENLY HOST: The cloud reduces hosting costs, improves continuity of operations and increases security. (Photo by GettyImages)
U.S. Army Acquisition Support Center charts a course to cloud migration amid shifting regulations, provides lessons learned.
by Ellen Summey
Imagine trying to follow a map that’s still being drawn. To a location you’ve never been. With few clear landmarks along the way. It might involve some guesswork, you’d probably have to retrace your steps a few times and you’d need a reliable team. That’s exactly what the U.S. Army Acquisition Support Center (USAASC) discovered—and laid out in a detailed white paper, with lessons learned—when moving its Career Acquisition Management Portal (CAMP) and Career Acquisition Personnel & Position Management Information System (CAPPMIS) to the Amazon Web Services commercial GovCloud.
It all started in June 2014, when the undersecretary of the Army signed a memorandum directing that all systems and applications providing enterprise services migrate to core data centers—designated to provide hosting and storage within the Army security architecture—no later than the end of fiscal year 2018. “At that point, cloud was being thought of, but it wasn’t the first choice,” recalled USAASC IT Enterprise Operations Manager Marc Poole, who was the organization’s cloud migration lead. “Then, shortly afterwards, there was further guidance with a little bit of a nudge from the DOD chief information officer [CIO], to consider a ‘cloud first’ mentality, as DOD and Army wanted to get out of owning data centers and having to manage them.”
Migration to a cloud environment enables organizations to consolidate infrastructure, rapidly scale as needed, and reduce duplicated services while reducing hosting and maintenance costs, improving continuity of operations, and increasing security through centralized control and access authorization. Why buy and manage a mountain of servers when you can essentially rent them on demand and forego the maintenance expenses? That’s the infrastructure-as-a-service model, in a nutshell. “The whole premise behind cloud is that you get what you pay for, and you only pay for what you use,” Poole said. “But we didn’t have yet any metrics to show what we were actually going to consume.” And that was just one of the hurdles along the way.
The organization had its goal—move its systems and in excess of 40,000 users to the cloud. But the directions were less than clear. They began following the Army process as it was then defined, which was still being developed. “Our CAMP and CAPPMIS system was in the sustainment phase, so we had to provide the maintenance and sustainment, and also carry out the directive of moving to the cloud. We wanted to use the Army-defined process and help to create that map to share our experiences with others,” Poole said. “We were all working together to figure things out, and leaning on each other to define them.”
A MIGRATION TIMELINE
USAASC’s migration to a commercial cloud environment spanned several years, in total. The following are key milestones:
· June 2014—Secretary of the Army directed the migration of Army enterprise systems and applications to core data centers.
· July 2015—The Army CIO/G-6 provided guidance for the migration of enterprise applications to the commercial cloud.
· October 2015—USAASC completed the migration survey provided by Army Application Migration Business Office (AAMBO).
· November 2015—AAMBO delivered version 1.0 of its migration assessment and rough order of magnitude (ROM) of the CAMP environment and recommended that it move to the Defense Information Systems Agency hosting services.
· February 2016—USAASC requested assistance from Acquisition Management Support Solutions (AMS2) to leverage their migration efforts for an analysis of alternatives and proof of concept to validate AAMBO’s recommendation.
· April 2016—Analysis of alternatives started.
· February 2017—Microsoft Azure proof of concept developed.
· April 2018—Cost-benefit analysis approved by HQDA CIO/G-6. USAASC allocated funding to complete its migration.
· June 2018—Upon receipt of funding for the migration, USAASC engaged with AMS2 to initiate the effort.
· July 2018—Amazon Web Services (AWS) environment established.
· January 2019—Initiated AWS hosting service contract.
· February 2020—Enterprise Mission Assurance Support Service package workflow initiated.
· March 2020—Authority to operate received.
· April 2020—Go live.
(Source: USAASC cloud migration white paper)
Poole said that he and the USAASC team encountered two particularly difficult challenges during the migration effort. First, the Army and DOD’s testing and standards had not yet caught up to the technology in question. Security guidelines for an Army-owned data center are simply not compatible with commercial cloud computing processes. Second, many of the personnel responsible for inspecting and certifying Army information systems had never worked with cloud systems before. “We found that we were sort of talking past each other at times,” Poole said. “Because there was no real defined process of what was to be looked at and how, and there was a learning curve for people who didn’t fully understand the cloud environment.”
CREATING THE MAP LEGEND
But the team forged ahead through the uncertainties, working to clarify and test the Army’s processes for other organizations to follow. Ultimately, USAASC worked with stakeholders across DOD and the Army to create a sustainable transition to the cloud environment. The organization successfully moved its CAMP and CAPPMIS systems from a traditional data center to the commercial Amazon Web Services GovCloud environment in April 2020. Several critical takeaways emerged from the migration of a Cloud Computing Security Requirements Guide Impact Level 4 system, which is a computing environment certified to handle personally identifiable information and sensitive information:
- Conducting the required cost-benefit analysis demands a thorough understanding of the system to accurately estimate compute resource needs (e.g. number of instances, storage requirements, network throughput, etc.). When possible, a proof of concept should be performed in the targeted cloud service provider environment to help the team validate assumptions and accurately evaluate alternative commercial providers.
- The government should procure cloud infrastructure resources separately and not as part of its system integrator’s other direct costs line. This prevents a scenario in which the root account credentials and overall security posture fall solely under the contractor’s purview, which may introduce significant risk to the government.
- The new cloud environment will require services from an approved cybersecurity service provider for endpoint security and vulnerability scanning tools. The majority of the tool configuration and customization will be the responsibility of the system owner and the designated system administrator.
- The IT system design should be established well in advance and based on unique system requirements, not default commercial settings. The latter approach may introduce unnecessary dependencies on the infrastructure and result in extensive rework in the future if the system needs to be migrated to another service provider.
- The IT portfolio system will require a new authorization to operate prior to the “go-live” in the new cloud environment. Due to limited familiarity with cloud technologies across government organizations at present, it is strongly recommended to coordinate closely with all parties by performing additional checkpoints and gaining consensus upfront on the strategy for the Enterprise Mission Assurance Support Service package.
- Conducting pre-migration tests of the available data migration options will help determine the best one to utilize and support migration of the IT portfolio’s high-priority applications and/or environments first.
- Throughout the final transition activities, frequent synchronization meetings with government stakeholders are recommended, to provide progress updates, address any issues or risks and receive feedback from users. A formal gate review should be conducted to transition the infrastructure to sustainment. These activities should identify any open findings, risks, issues or actions needed for a successful transition.
“My biggest takeaway from this entire process would be that you should get in touch with ECMO [Enterprise Cloud Management Office], up front and early,” Poole said. “It’s very important that is the first step you take.” He advises organizations to ask for the most up-to-date guidance before moving forward, but said they should be ready for that process to change along the way. “If you think you’re going to make it to the cloud in a year, double that,” he said. “Not that it’s going to take you that long to get through the process, but as the process changes, be prepared to change your direction a couple of times.”
The map to migration is becoming more clear, thanks to the efforts of USAASC and key players within the Army and DOD. Poole and the IT Enterprise Operations team at USAASC have provided the entire experience in a white paper, through which they aim to share these and other insights with Army stakeholders and other organizations planning to move to the cloud.
“It’s all about helping each other out, sharing those lessons learned, and working together to accomplish this goal,” he said. With their insights as a guide, perhaps other commands can accomplish their own migrations while sidestepping a few potholes.
ROLES AND RESPONSIBILITIES
· The Army Application Migration Business Office (AAMBO) was responsible for the initial cloud readiness assessment and cost-benefit analysis assistance, and served as a liaison between the application owner and the DOD-approved enterprise environment providers. This office later became part of the Enterprise Cloud Management Office, which serves as the enterprise cloud migration resource for Army data and application owners.
· Chief Information Officer/G-6 (CIO/G-6) is responsible for application migration and data center consolidation policy and provided concurrence on cost-benefit analysis submissions.
· Deputy Assistant Secretary of the Army for Cost and Economics reviews and may provide final concurrence for the cost-benefit analysis.
· Office of the Assistant Secretary of the Army for Acquisition, Logistics, and Technology/Office of the Chief Systems Engineer is responsible for the overarching cybersecurity for USAASC and contributes to the risk-management framework and authorization process through the authorizing official and the Program-Information System Security Manager roles.
· System or application owner is responsible for application rationalization, cost-benefit analysis, cloud-services provider procurement, cybersecurity-services provider agreements, environment setup and migration, obtaining authorization to operate, final cut-over and sustainment on cloud.
· Defense Information Systems Agency (DISA) registers the migrated system and provides access to a cloud-access point. A cloud-access point is needed for all Impact Level 4 or 5 cloud environments to connect to the DOD network.
· The U.S. Army Command, Control, Computers, Communications, Cyber, Intelligence, Surveillance, and Reconnaissance (C5ISR) Center is the cybersecurity service provider (CSSP). It provides host-based security system and Assured Compliance Assessment Solution licenses to track vulnerabilities within the USAASC IT system environment.
(Source: USAASC cloud migration white paper)
For more information, see the Army’s 2020 Cloud Plan at https://go.usa.gov/x7ptF and download the USAASC cloud migration white paper at https://asc.army.mil/web/wp-content/uploads/2020/12/USAASC-Cloud-White-Paper.pdf
ELLEN SUMMEY provides contract support to the U.S. Army Acquisition Support Center at Fort Belvoir, Virginia, as a writer and editor for SAIC. She holds an M.A. in human relations from the University of Oklahoma and a B.A. in mass communication from Louisiana State University. She is certified as a Project Management Professional and Change Management Professional, and has more than 15 years of communication experience in both the government and commercial sectors.