CNCS, OPM and AWS Case Study

Federal Government Agency is Modernized

About CNCS

The Corporation for National and Community Service (CNCS) is a U.S. federal government agency that engages more than five million Americans in service through AmeriCorps, Learn and Serve America, Senior Corps, and other national service initiatives. The agency’s mission is to “support the American culture of citizenship, service, and responsibility”. While a government agency, CNCS acts much like a foundation and is the nation’s largest annual grant maker supporting service and volunteering. CNCS, formerly known as the “Corporation for National Service” or “CNS,” was created as an independent agency of the United States government by the National and Community Service Trust Act of 1993.

The Challenge

CNCS performs remote interviews for federal employment personal identification and verification (PIV), creating extensive personally identifiable information (PII). Due to changing requirements and lack of compliance, the legacy system's authorization to operate (ATO) was terminated, necessitating a platform modernization that met current security specifications.

The operators performing interviews needed secure, remote server-side access to CrossMatch, a biometric identity verification and enrollment application that processes and stores extensive PII. CIS, USGCB and NIST Moderate and High Controls were the minimum specifications to obtain a new ATO. Examples included administrative lockdown, encrypted hard drives, multi-factor authentication (MFA) and restricted use of web browsers and all other applications. Further, if cloud services were to be leveraged, they had to be FedRAMP certified and needed to communicate securely with OPM to transfer the PII.

The Solution

CNCS chose V2 Systems, a long-time member of the Amazon Web Services (AWS) Partner Network (APN), to help them architect, design, build, operate and maintain a modernized platform for federal employment PIV. Based on V2 Systems’ recommendations, CNCS decided to go with AWS because of their FedRAMP certification, monthly billing model, reduced expenses and ease of use. AWS makes it easy to stand up/down virtual infrastructure, resize instances and increase storage without the lengthy procurement or decommission process, while only paying for the services that are required on a monthly basis.

V2 Systems transitioned CNCS from a non-functioning, on-premises system and deployed a state-of-the-art cloud-based environment to AWS Virtual Private Cloud (VPC) with Amazon Machine Images (AMIs) running Microsoft Windows, Amazon Linux and Ubuntu OpenVPN for use on AWS Elastic Compute Cloud (EC2). AWS Elastic Block Store (EBS) provides block-level storage for six Amazon EC2 instances. V2 Systems uses separate volumes for the operating system, applications, and storage; runs Alert Logic on AWS to track server and application availability; and takes advantage of AWS CloudTrail for basic monitoring. V2 Systems uses Amazon Simple Storage Service (S3) with Veritas BackupExec to store event logs, database backups and EBS snapshots for system-level recovery.

The cloud environment has an established VPN connection to OPM’s primary datacenter using EC2 instances running Openswan, an IPsec implementation for Linux, for secure transmission of the PII gathered by operators. The environment runs across one availability zone in the US East Region. V2 Systems used security groups and network ACLs to isolate the network traffic between the public and private subnets, OPM and the Internet. Figure 1 shows CNCS’ architecture on AWS.

V2 Systems configured, deployed and supported remote laptops with all scanning equipment (fingerprints, identification, etc.), McAfee ePO for endpoint security including drive encryption, AuthLite & YubiKey for MFA, and cellular cards for Internet access, connecting securely to the cloud PIV platform through a client VPN.

[Figure 1: CNCS architecture on AWS]

The Benefits

CNCS, through the partnership of V2 Systems and AWS, was able to avoid a costly and lengthy deployment process, expedite the launch of service, increase availability and reduce costs, while meeting the stringent security requirements by leveraging a FedRAMP certified cloud.

Migrating to AWS was a smooth process that remained within budget for both the implementation and production environment. After embracing V2 Systems and the power of AWS Cloud, CNCS re-obtained their ATO knowing that the flexibility of their new platform would be able to scale and adapt to the changing needs of the agency’s mission.
