Amazon Web Services
Amazon Web Services (AWS) Partner
CACI is an Amazon Web Services (AWS) Premier Consulting Partner, Public Sector Partner, and Authorized Reseller and has developed secure, mission-critical cloud solutions for customers across all data classification levels. AWS provides a secure, efficient, and scalable environment that reduces cost and enables mission advancement for our customers.
CACI delivers industry-leading Infrastructure as a Service (IaaS), DevSecOps, machine learning, and big data solutions to transform our customers’ information technology environments while accelerating their mission-essential capabilities.
Current software deliveries are characterized by slow turn-around, long accreditation cycles, lack of innovation, and limited use of emerging open-source and commercial capabilities. This results in deliveries that regularly fall short of meeting mission needs and can be “too big to fail” because of high upfront investment. There is also a high cost associated with each development team building their own DevOps pipeline and related security methodology.
The customer is using a DevOps pipeline to speed initial and ongoing delivery and accreditation of software solutions. Mission capabilities are delivered to end-users much faster via a common pipeline, unclassified development, open-source libraries, and the delivery of minimum viable products. Rapid delivery of initial capabilities allows for early user feedback. This has long been a tenet of Agile development methods but has been difficult to realize within the Intelligence Community.
Our methodology relies heavily on several native AWS capabilities and open-source software deployed on Amazon Elastic Compute Cloud (EC2) instances. It begins with building security-hardened and regularly updated Amazon Machine Images and uses CloudFormation to ensure consistent, repeatable infrastructure deployments. Our deployments heavily leverage EC2 autoscaling and load balancers to ensure consistent performance and availability under load. We then deploy and maintain industry-standard DevOps and DevSecOps tools to create a flexible and powerful DevOps platform.
Leveraging AWS and a standardized DevOps pipeline has resulted in a significant increase in operational efficiency and cost savings. The DevOps tools have been instantiated in three different security environments, speeding time to mission for development teams across the enterprise.
The DevOps pipeline and development processes are planned and released in conjunction with the customer’s security and risk management organizations, and this has drastically decreased lead time for Authorization and Accreditation activities. Involving security in the planning phase has enabled ATO in less than two weeks for several development teams.
Our customer required us to migrate a monolithic, mission-essential system into AWS as efficiently and rapidly as possible, while maintaining its core feature set and security posture. Compounding the challenge, the cloud-based solution had to support growth in both data ingestion and users, meaning the new architecture had to be able to scale dynamically to support growing mission demands.
The program team instantiated a DevOps pipeline – featuring AWS Technology Partners GitLab, Jenkins, and Puppet – that supported completion of the rehosting effort in less than nine months. Since transitioning to the new environment, the team has re-architected the entire application to be cloud native. The new microservices-based architecture uses Elastic Load Balancing to distribute user traffic across web servers and has multiple instances running across Availability Zones supporting increased availability while expanding mission capability.
With the successful migration and cloud-native architectural updates, the program team created a more efficient and reliable system, and was selected as an early adopter for a new AWS region. We deployed successfully in the new region, allowing us to add new customers to our mission portfolio. In aggregate, the team has realized significant cost efficiencies and increased operational capabilities since its transition to the new AWS environment.
While challenging at the outset, rearchitecting for the cloud has enabled a more efficient and resilient operational tempo. Further, our ability to instantiate a DevSecOps methodology that supports continuous integration and continuous delivery has allowed our user base to grow, supporting more mission-essential environments. We continue to innovate our program by establishing an automated recovery process that maintains mission resiliency in the event of a failure.
A CACI customer needed a mission-essential, single web gateway to support and integrate technical data and databases across all their Amazon Web Services (AWS) systems. CACI created and implemented a single web gateway that provides authorized users access to current technical data and supports customer databases 24/7, 365 days a year. It houses all required data for the customer’s contract and provides consistent and effective confidentiality, data integrity, and data availability. CACI also provided a searchable environment that hosts specific interfaces and includes workflow tools to assist in continuous improvement.
CACI’s solution enabled interoperability between platforms and its open systems architecture supports six government mission support systems that are government-off-the-shelf, commercial-off-the-shelf, and open source applications. To maximize safeguards for mission data protection, data held within the applications is categorized so that the correct security controls can be applied depending on the type of data. Role-based security profiles allow full control, restricted access, and limited access for personnel. Security controls also include two-factor authentication and encrypted communication between the client system and web server for user access to the website.
This solution is implemented in AWS GovCloud (US). AWS GovCloud is an isolated AWS region designed to host sensitive data and regulated workloads in the cloud, helping customers support their U.S. Government compliance requirements, including the International Traffic in Arms Regulations (ITAR) and Federal Risk and Authorization Management Program (FedRAMP). CACI uses AWS GovCloud as an infrastructure-as-a-service (IaaS) provider. As such, Amazon is responsible for managing the security of the cloud and CACI is responsible for managing the security in the cloud. CACI builds upon GovCloud’s physical infrastructure security controls and has designed the integration of tools, applications, and data integration controls to provide a cybersecurity approach that meets the Department of Defense and DFARS requirements to ensure proper protection of data.
Amazon Virtual Private Cloud (Amazon VPC) is a construct used to provision a logically isolated section of the AWS cloud where AWS resources can be created in a virtual network that is defined by the owner. As the owner/administrator of the VPC, CACI has control over the virtual networking environment, including selection of IP address ranges to use, creation of subnets, and configuration of route tables and network gateways. Amazon allows for deployment of a single VPC with multiple subnets, or multiple VPCs with multiple subnets. Because the design is the responsibility of the customer, CACI has chosen a multiple VPC configuration for the greatest system isolation and protection. In our multiple VPC configuration, each of the major logical application components is separated into its own isolated virtual private cloud, with a separate services VPC established for operational functions and directory services for the infrastructure.
Multiple support systems are implemented within the environment alongside the actual mission applications and contribute to a secure ecosystem. Some are inherent within the AWS service, like CloudWatch, and some are implemented by CACI as operational best practices for security and management. Examples of CACI-implemented systems are Active Directory change audit tools, host-based security systems (HBSS), application monitoring tools, access control tools, and security information and event management (SIEM) tools.
CACI’s expertise in cloud environments was integral to addressing the customer’s needs and creating a repeatable, scalable solution that can be customized to support the customer in securely, effectively, and efficiently operating their cloud environment. The customer now has 99.99 percent system availability and reduced the time to achieve FAR 252 cybersecurity compliance by over 30 percent. Since implementing this solution, we have saved our government customer more than 88 percent in operations and maintenance costs, and more than 60 percent in total cost of ownership.
Our customer faced a common challenge in software development delivery – a lack of automation caused extensive turnaround times for environment builds, deployments, and product installs – resulting in delayed release of capabilities to end users. With more than twenty essential mission applications, the customer’s goals were to reduce the time to market (requirement to delivery), achieve more within available funds, enhance mission success, and improve quality and security.
To solve this customer’s challenge, CACI engaged its award-winning Agile Solution Factory (ASF) to implement a continuous integration (CI)/continuous deployment (CD) pipeline through automated builds and installations and other associated processes that support automation. CACI established our ASF development pipeline in AWS GovCloud to enable DevSecOps automated processes to stand up environments, allowing for automated builds, revision control, and build completion.
AWS GovCloud allowed us to build a highly available, fault-tolerant environment in which to deploy CACI’s proven Agile methodology and provide CI/CD automated processes that begin when the developer checks in code. Within this secure environment, an automated migration pathway subjects the code to a series of tests, which must be passed before automatically moving to the next environment. Once testing passes in the application environment, the packaged code moves to an integrated test environment, where automated regression tests are run again with all applications. The automated process concludes with the creation of the artifacts needed for release and delivery to the customer sites. CI has now been achieved with nearly all the applications that support this customer.
CACI’s successful solution delivered:
- Agile-enabled automated processes in AWS GovCloud, along with test automation, which improved the quality of the software released to the end users prior to delivery
- Improved security through the review of information assurance scans earlier in the release process to detect and resolve issues faster
- CI processes resulted in a 60 percent reduction in the amount of time required by site system administrators to complete installations, and also increased the number of sites concurrently installing new releases. This eliminated the need for a “guinea pig” site to install a new release before other sites also adopted the release
End users are now benefiting from new capabilities faster through repeatable, rapid, high-quality software deployments.