DOD Cloud IaC

What is DOD Cloud IaC?

Infrastructure as Code is a product that leverages IaC automation to generate preconfigured, Platform as a Service (PaaS) focused environments. DOD Cloud IaC creates the basic building blocks that all DOD systems need. It helps to jump start setting up networking, auditing, identity, and notifies administrators if they configure something outside of DOD security standards.

Why DOD Cloud IaC?

Adoption of cloud services can take over a year. This is even after FEDRAMP and DISA Provisional Authorization (PA). That is a long time and a lot of effort to go live without cloud services. DOD Cloud IaC enables you to overcome most of the design complexities inherent to standing up a cloud environment.

The Speed of DOD Cloud IaC

DOD Cloud IaC supports accelerated adoption by leveraging automation in the form of IaC templates that build out cloud environments in minutes. DOD Cloud IaC also speeds the authorization process with inheritable common controls and the use of PaaS services which eliminate the need for STIGs, ACAS and HBSS. This means that DOD Cloud IaC can deliver organizations a PaaS environment quickly and efficiently.

What’s in DOD Cloud IaC?

Using an IaC template, you will start with Network Security, Audit Logging, Enterprise Identity & Authentication, Least Privilege Model, and Secure Configuration Policies. All this gives you a quick and easy starting point for your PaaS. You are also able to extend the templates for additional instances of an application or database while still meeting security requirements.
DOD Cloud IaC provides real-time continuous monitoring using 200+ Policies to enforce secure cloud configuration. There is also built-in integration with Security Information and Event Management (SIEM) & Security Orchestration, Automation, and Response (SOAR) tools for real-time alerting and threat identification.

Identity Solution

DOD Cloud IaC provides a complete identity solution for both privileged users and application-level CAC users. It also integrates with DISA’s Global Directory service to federate with DOD’s Enterprise Identity Infrastructure.

DOD Cloud IaC Baselines
Amazon Web Services
Google
Microsoft Azure

DOD Cloud IaC baselines are currently supporting Microsoft Azure, AWS and a Google Cloud Platform baseline is in development. If you are interested in access to the DOD Cloud IaC Repository or becoming a pilot user, please submit a request.

Supporting Services
AWS Audit Manager
AWS CloudTrail
AWS CloudWatch
Amazon Cognito
AWS Config
AWS Network Firewall
Amazon GuardDuty
AWS Identity and Access Management (IAM)
AWS Key Management Service
AWS Organizations
AWS Security Hub
AWS Service Catalog
AWS Service Control Policies (* Supporting Services)
AWS Transit Gateway
Amazon Virtual Private Cloud (VPC)

DevOps Services
AWS CodeBuild
AWS CodeCommit
AWS CodePipeline

Managed Desktop
Amazon AppStream 2.0

Containers
AWS Elastic Kubernetes Service - Fargate
AWS Elastic Container Service (ECS) - Fargate
Amazon Elastic Container Registry

Database Housing
Amazon Aurora
Amazon DynamoDB

Serverless
AWS Lambda

AI/ML
Amazon SageMaker

IoT
AWS IoT Greengrass

Hybrid Cloud
AWS Storage Gateway

Virtual Machines *
EC2

AWS Config Rules: 156

Supporting Services
Google Cloud Armor
Google Cloud Logging
Google Cloud Monitoring
Google Cloud Identity & Access Management
Google Data Loss Prevention API
Google Cloud Security Command Center
Google Forseti*
Google Cloud IDS*
Google Virtual Private Cloud
3rd Party Firewall
Google Cloud Router
Google Cloud Interconnect (BCAP)
VPC/Firewall Flow Logs
Google Cloud KMS
Identity Platform (GD)
Google Cloud Trace
Google Cloud Load Balancing
Google Cloud Storage

Containers
Google Kubernetes Engine
Google Anthos
Google Container Registry
Container Analysis*
Container Thread Detection*

Database
Google BigQuery

Virtual Machines
Google Compute Engine
Persistent Disk

Additional VDMS Services
Endpoint Protection Networking*
Vulnerability Scanning *

*Post MVP Enhancement

Supporting Services
Azure Active Directory
Azure Activity Logs
Azure Alerts
Azure API management
Azure Bastion
Azure Blueprints
Azure Cloud Shell
Azure DDOS Protection
Azure Firewall
Azure Front Door
Azure Key Vault
Azure Log Analytics Notebook
Azure Network Security Groups
Azure Policies
Azure Security Center
Azure Sentinel
Azure Service Health
Azure VNET
Azure VNET Flow Logs
Azure VNET Peering
Azure VNET Gateway
Azure Web Application Firewall

Application & DB Hosting
Azure App Service
Azure Database
Azure Cosmos DB

Containers
Azure Kubernetes Service
Azure Container Registry

Serverless
Azure Functions
Azure Event Hub

Storage
Azure Blob Storage
Azure Data Lake

AI/ML
Azure Machine Learning

IoT
Azure IoT Hub

Hybrid Cloud
Azure Data Factory

Virtual Machines*
Azure Virtual Machines*
Azure VM Scale Sets
Azure Defender

Azure Policies: 414

How does it work?
What do you get?
DOD Cloud IaC FAQs

Leverages Automation

The DOD Cloud IaC baselines are a service that leverages IaC automation to generate preconfigured, preauthorized, Platform as a Service (PaaS) focused environments. These baselines exist in the form of IaC templates that organizations can deploy themselves to establish their own decentralized cloud platform.

For Immediate use and Accelerated Accreditation

The environments can be immediately consumed for development and test workloads, with concurrence from your local Authorization Official. They also support an accelerated accreditation model for production workloads, by significantly reducing the security requirements that mission owners are responsible for by leveraging inheritance from PaaS services, where host and middleware security is the responsibility of the CSP, including hardening and patching (No STIGS, No HBSS and no ACAS required!). Whenever possible, DOD Cloud IaC leverages native security services offered by Cloud Service Providers (CSP) over traditional data center tools for improved integration with cloud services. DOD Cloud IaC baselines can be built into your DevSecOpsPS pipeline to rapidly deploy the entire environment and mission applications. The DOD Cloud IaC baseline has successfully shortened the deployment of the networking, identity, and security policies for security compliance from the standard 30 weeks down to just 2 hours.

Real-time continuous monitoring & compliance
Reduction of burden on developer teams so they can focus on app deployments
Architecture standardization support across all Impact Levels (IL) and classifications
Decrease in the lift for accreditation of your production system
Baselines that are updated monthly to incorporate the latest CSP PaaS services

Collapse All Expand All

1. What is Infrastructure as Code (IaC)?

Simply put, it’s a script that deploys cloud resources. IaC has also been defined as managing and provisioning infrastructure using code, instead of manual processes. IaC makes it easier for mission partners to deploy cloud infrastructure.

2. What are the DOD Cloud IaC baselines?

DOD Cloud IaC are pre-configured, pre-authorized, Platform as a Service (PaaS) environment baselines for easy cloud adoption. When possible, these baselines leverage security services offered by Cloud Service Providers (CSPs) over traditional data center tools, resulting in enhanced, holistic environment security. Customers are able to use these baselines to adopt cloud faster by giving them an authorized starting point for their environments.

3. Where do I get the DOD Cloud IaC baselines?

HaCC DOD Cloud IaC baselines are available in a repo. To access the repo, submit a request to https://www.hacc.mil/Contact/ using your .mil email address.
In the future, these DOD Cloud IaC baselines will also be hosted within the Azure Government Marketplace.

4. Can I get help deploying the baselines?

Yes, to request assistance, please contact to us at https://www.hacc.mil/Contact/

5. Does the HaCC deploy my application/s?

No, the HaCC deploys secure computing platforms for your application/s, not the application/s itself.

6. Why Platform as a Service over virtual machines?

Because PaaS removes the requirement for patching, as well as Security Technical Implementation Guides (STIG)! The PaaS offerings (e.g. Azure App Service, Azure Database, AWS lambda) deployed by DOD Cloud IaC make the cloud service provider responsible for vulnerability patching and hardening and securely configuring the operating system and middleware. PaaS services also allow for rapid technology insertion (e.g. Azure Machine Learning, AWS Sagemaker) without the responsibility of integrating middle-tier applications.

7. What Cloud Service Providers are available?

HaCC currently offers infrastructure baselines for AWS and Azure with additional CSPs planned for the future.

8. Are the DOD Cloud IaC baselines available to the general public?

No, DOD Cloud IaC baselines are only available for use by the US federal government.

9. Is this a managed service environment?

No, the HaCC does not manage the baselines once they are deployed. DOD Cloud IaC is deployed in a decentralized model. As DOD Cloud IaC primarily uses PaaS, the CSP will manage many of the services, but the customer will be responsible for the mission application and data hosted. The HaCC will continuously update the baselines with improvements and new services that will be uploaded to the repo, so that customers can access the most current version of a baseline.

10. What security services are provided by DOD Cloud IaC baselines?

DOD Cloud IaC baselines satisfy 92% of Virtual Datacenter Security Services (VDSS) and Virtual Datacenter Management Services (VDMS) by leveraging PaaS and security services from the Cloud Service Providers. Mission Owners need to acquire a Cloud Security Service Provider (CSSP) and a Cloud Access Point (CAP) to be in compliance with the DOD Cloud Computing Security Requirements Guide (SRG).

11. How much does it cost to use a baseline?

Our baselines are free! Mission owners are responsible for the storage and compute costs associated with using a CSP.

12. How does application-level CAC authentication work?

DoD Cloud IaC uses DISA’s Global Directory (GD) - DoD’s centralized Identity, Credential, and Access Management solution - to authenticate and enable CAC users. The link between the CSP tenant and GD is transparent, and once a CAC user is authenticated, the application uses the CSP’s role based access controls to enforce permissions as decided by the application developer.

13. Can I incorporate my own Continuous Integration/Continuous Deployment (CI/CD) tooling?

Yes! You can incorporate your own CI/CD tooling once you deploy the baseline to your environment.

14. Can I request a new service?

Yes! HaCC is open to suggestions about or requests for new baseline services. We use these demand signals to develop roadmaps for future IaC services.
Customers can reach us at https://www.hacc.mil/Contact/

15. What are the DOD Cloud IaC monitoring features?

DOD Cloud IaC provides easy to use dashboards to monitor the status of cloud configurations in real-time.