Subject: Military Health System Information Platform (MIP)
It has proven increasingly difficult for the client to maintain and improve health services amidst emerging vulnerabilities and significant technology transformation. As an example, the client determined it needed to quickly migrate MIP services to the Amazon Web Services (AWS) GovCloud in order to eliminate known and recently exploited security vulnerabilities discovered in several specific web applications. For our team, that meant accelerating efforts to obtain necessary Authorizations to Operate (ATOs) for four large-scale information systems. Additionally, significant changes in the target enterprise platform and approach required the team to quickly identify and resolve learning curves inherent in “first instance” technology applications. These challenges also needed to be successfully addressed amidst resource constraints arising from the impacts of COVID-19.
Under a constricted timeline, our Risk Management Framework (RMF) experts leveraged their experience in the design and application of the client’s Rapid ATO process to include all requisite artifacts (e.g., topology and dataflow diagrams, vulnerability reports); thereby, the overhead attributed to the RMF process was reduced. Equally important, the team quickly identified and engaged technologists and software engineers to accurately apply this process to novel cloud and containerization technology instances. Additionally, lessons-learned were quickly identified and applied, both to the target ATO instance, and the remaining system packages. As a result, our personnel were able to successfully achieve favorable authorization decisions for all target systems in four months (vs. a more typical 1-1.5 years per system).
The Mission Impact:
• Advanced Military Health:
Our solution bolstered tools and capabilities needed by medical personnel to perform critical testing, diagnostics, treatment, and service delivery.
• Enabled the Use of New Technologies:
In this case, the MHS Platform-as-a-Service (PaaS) was the first enterprise system to feature Kubernetes (K8s) containerization technology for staging and deploying new applications and tools. Now that MHS PaaS is authorized and operational, the client (and by extension, our cybersecurity team) is assessing risk for the very first K8 software package within this environment.
• Set Industry Standard for Rapid ATO Approach:
Our team established and refined how to effectively employ a Rapid ATO approach within complex cloud migration initiatives. Moreover, our team was able to document and provide quantitative data beneficial to future authorization efforts and migrations.
• Leveraged Process and Collaboration Efficiencies:
Through the project, our team identified and leveraged process and collaboration efficiencies in order to mitigate resource and operational constraints arising from the COVID-19 pandemic.