1. What is Infrastructure as Code (IaC)?
Simply put, it’s a script that deploys cloud resources. IaC has also been defined as managing and provisioning infrastructure using code, instead of manual processes. IaC makes it easier for mission partners to deploy cloud infrastructure.
 
2. What are the DOD Cloud IaC baselines?
DOD Cloud IaC baselines are pre-configured, pre-authorized Platform as a Service (PaaS) environment baselines for easy cloud adoption. Where possible, these baselines leverage security services offered by Cloud Service Providers (CSPs) instead of traditional data center tools, resulting in enhanced, holistic environment security. Customers can use these baselines to adopt cloud faster because they provide an authorized starting point for their environments.
 
3. Where do I get the DOD Cloud IaC baselines?
HaCC DOD Cloud IaC baselines are available in a repo. To access the repo, submit a request to https://www.hacc.mil/Contact/ using your .mil email address.
In the future, these DOD Cloud IaC baselines will also be hosted within the Azure Government Marketplace.
 
4. Can I get help deploying the baselines?
Yes, to request assistance, please contact us at https://www.hacc.mil/Contact/
 
5. Does the HaCC deploy my application/s?
No, the HaCC deploys secure computing platforms for your application/s, not the application/s themselves.
 
6. Why Platform as a Service over virtual machines?
Because PaaS removes the requirement for patching and for applying Security Technical Implementation Guides (STIGs)! The PaaS offerings deployed by DOD Cloud IaC (e.g. Azure App Service, Azure Database, AWS Lambda) make the cloud service provider responsible for vulnerability patching, hardening, and secure configuration of the operating system and middleware. PaaS services also allow rapid technology insertion (e.g. Azure Machine Learning, AWS SageMaker) without the responsibility of integrating middle-tier applications.
 
7. What Cloud Service Providers are available?
HaCC currently offers infrastructure baselines for AWS and Azure with additional CSPs planned for the future. 
 
8. Are the DOD Cloud IaC baselines available to the general public?
No, DOD Cloud IaC baselines are only available for use by the US federal government. 
 
9. Is this a managed service environment?
No, the HaCC does not manage the baselines once they are deployed. DOD Cloud IaC is deployed in a decentralized model. As DOD Cloud IaC primarily uses PaaS, the CSP will manage many of the services, but the customer is responsible for the hosted mission application and data. The HaCC will continuously update the baselines with improvements and new services, uploading them to the repo so that customers can access the most current version of a baseline.
 
10. What security services are provided by DOD Cloud IaC baselines?
DOD Cloud IaC baselines satisfy 92% of Virtual Datacenter Security Services (VDSS) and Virtual Datacenter Management Services (VDMS) by leveraging PaaS and security services from the Cloud Service Providers. Mission Owners need to acquire a Cloud Security Service Provider (CSSP) and a Cloud Access Point (CAP) to be in compliance with the DOD Cloud Computing Security Requirements Guide (SRG).
 
11. How much does it cost to use a baseline?
Our baselines are free! Mission owners are responsible for the storage and compute costs associated with using a CSP.
 
12. How does application-level CAC authentication work?
DoD Cloud IaC uses DISA's Global Directory (GD), DoD's centralized Identity, Credential, and Access Management solution, to authenticate and enable CAC users. The link between the CSP tenant and GD is transparent, and once a CAC user is authenticated, the application uses the CSP's role-based access controls to enforce the permissions decided by the application developer.
 
13. Can I incorporate my own Continuous Integration/Continuous Deployment (CI/CD) tooling?
Yes! You can incorporate your own CI/CD tooling once you deploy the baseline to your environment.
 
14. Can I request a new service?
Yes! HaCC is open to suggestions about or requests for new baseline services. We use these demand signals to develop roadmaps for future IaC services. 
Customers can reach us at https://www.hacc.mil/Contact/ 
 
15. What are the DOD Cloud IaC monitoring features?
DOD Cloud IaC provides easy-to-use dashboards to monitor the status of cloud configurations in real time.
1. What is a container?
Containers are packages of software that contain all of the necessary elements to run in any environment: from a private data center, to the public cloud, or even on a developer's personal laptop.
     
2. What containers are available to use right now?
Web servers, databases, application servers, middleware, compilers, interpreters, caching applications, messaging servers, machine learning, shells, security scanners, firewalls, filtering, inspection, and almost everything else. Large catalogs of containers exist that are free to use. Most vendors offer their application in a supported container version, and community-supported containers cover most mainline configuration variations.

3. What is Containers as a Service (CaaS)?
Containers as a Service, or CaaS (pronounced "cass"), enables mission partners to run an application and all its dependencies in isolated processes. These isolated processes, also known as code packages, have everything the app needs to reliably run its software in any environment (including the app, runtime, system libraries, etc.). With all critical elements packaged together, applications can be easily moved from one environment to another. Simply put, CaaS is like an application suitcase, with wheels.

▸ CaaS is a modern IL4/5 Container Platform Cloud Service from DISA
▸ On-premise protection, behind the DISA communication infrastructure
▸ NIPRNet accessible
▸ Fully ATOed
▸ DoD Identity Integrated - Global Directory (GFUD)
▸ Compatible with public clouds and your on-prem solutions for true hybrid deployment options
▸ As a Service Model, billed monthly to Mission Partners
▸ Service delivered and maintained via modern DevSecOps principles and practices - DevSecOps, GitOps, Infrastructure-as-Code and heavy automation

4. Why CaaS?
Focus on your mission and applications while DISA handles the Kubernetes layer: updates, patching, etc. DISA handles the platform ATO, reducing the overhead and maintenance burden on your IT staff, while you pay as you go and take advantage of DISA data center security. CaaS has industry and DoD experts to help you onboard, moving at the speed of mission.

5. Why would I want to containerize my application?
▸ Release code faster
▸ Cost savings
▸ Simpler, lighter, and denser than virtual machines
▸ Manage application through code
▸ No OS to maintain
▸ Eliminate configuration drift
▸ Simplified networking
▸ Large catalogs of applications to build from
▸ Deploy to more environments
▸ Speed of mission
▸ Efficiency
▸ Density
▸ Standardization, auditing, version control
▸ Lightweight
▸ Efficient deployments
▸ No wheel rebuilding
▸ Portability, scalability

6. What are the cost saving benefits for mission partners?
Given equal CPU and RAM, CaaS is about ½ the price of a traditional hosted virtual server running in a DISA data center.

7. What capability gap does CaaS meet?
Cloud-native applications and applications seeking modernization can use CaaS to develop or host production container-based applications. Code-based deployments are continuously monitored through CI/CD pipelines.

8. Is CaaS operational now?
Yes, we began offering the service on 1 October 2022.

1. How does CaaS compare to commercial containers?
A CaaS and a commercial application deployment would be very similar; one of the benefits of containerization is portability between environments. If your container runs anywhere else, it will likely run on CaaS too. However, CaaS is on premise and can easily integrate with existing DISA-hosted services to create a hybrid operating environment or to transition into container-based infrastructure. CaaS inherits many DISA security controls and comes with NIPRNet connectivity.
     
1. Red Hat Advanced Cluster Security
Provides detailed CVE and vulnerable configuration detection in the hosted namespace for running containers.
     
2. Red Hat CoreOS
An OS designed for hosting cloud-based applications.

3. Role Based 2FA
Sign-in to OpenShift is integrated with GFUD, so it is easy and CAC-protected.

4. FIPS
A high standard for cryptography, enabled at install time on the physical nodes.

5. Red Hat Compliance Operator
Protects the cluster itself from misconfigurations.
     
6. SELinux
Protects against arbitrary inter-container access and access to the nodes from containers.

7. Arbitrary IDs
A container runs without node-level root access; it can access all of its own assigned resources and no more.
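A local pre-deployment check a mission partner could run on a Pod manifest before submitting it, added here as an example: it is not HaCC or CaaS tooling, and it encodes the properties items 6 and 7 describe (no node-level root, an arbitrary non-root UID, no access to node namespaces or the node filesystem) as its own policy. Both manifests are constructed samples with placeholder image names.

```python
from typing import Dict, List

# Constructed sample: a legacy app manifest that asks for exactly what the platform denies.
LEGACY_POD = {
    "kind": "Pod", "metadata": {"name": "legacy-web"},
    "spec": {
        "hostNetwork": True,                                         # node network namespace
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],  # node filesystem
        "containers": [{
            "name": "web", "image": "registry.example/legacy-web:1.0",  # placeholder image
            "securityContext": {"runAsUser": 0, "privileged": True},
        }],
    },
}

# The same app rewritten to run as whatever non-root UID the platform assigns.
HARDENED_POD = {
    "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "volumes": [{"name": "logs", "emptyDir": {}}],  # pod-scoped scratch space, not the node
        "containers": [{
            "name": "web", "image": "registry.example/web:1.1",  # placeholder image
            "securityContext": {
                "runAsNonRoot": True,               # no fixed UID requested; root image is refused
                "allowPrivilegeEscalation": False,  # setuid binaries cannot regain privilege
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def audit_pod(pod: Dict) -> List[str]:
    """Return findings for settings that conflict with an arbitrary-UID, no-node-root platform."""
    spec = pod.get("spec", {})
    findings = [f"pod: {k}=true shares a node namespace"
                for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    findings += [f"volume {v['name']}: hostPath reaches the node filesystem"
                 for v in spec.get("volumes", []) if "hostPath" in v]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        # Container-level securityContext overrides pod-level, as in the Kubernetes API.
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        checks = [
            (sc.get("runAsUser") == 0, "runAsUser=0 requests root; the platform assigns an arbitrary UID"),
            (not sc.get("runAsNonRoot"), "set runAsNonRoot=true so a root image is refused at start"),
            (bool(sc.get("privileged")), "privileged=true is node-level access"),
            (bool(sc.get("allowPrivilegeEscalation", True)), "set allowPrivilegeEscalation=false"),
            (bool(sc.get("capabilities", {}).get("add")), "added capabilities are not granted"),
        ]
        findings += [f"{c['name']}: {msg}" for bad, msg in checks if bad]
    return findings
```

The legacy manifest produces six findings; the hardened one produces none and still writes its logs, because the emptyDir is owned by the assigned UID rather than by root on the node.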

8. Hosted Physically Inside DISA data center