DoD Cloud Infrastructure as Code


DOD Cloud IaC

DOD Cloud Infrastructure as Code (IaC) is a collection of preconfigured templates that use automation to build secure cloud environments. The DOD Cloud IaC templates, called “baselines,” use automation to generate preconfigured, preauthorized, Platform as a Service (PaaS) focused environments. These IaC baselines for Azure, AWS and Google can be deployed by a mission partner to establish their own cloud platform.

DOD Cloud IaC helps customers adopt cloud smarter and faster, providing our customers with the best value service for their cloud journey. HaCCers deploy the baselines in a short onboarding session, which significantly shortens our customers’ cloud journeys.

 

Why DOD Cloud IaC?

DOD Cloud IaC streamlines cloud deployment, authorization, and security for mission partners, shortening the typical cloud journey by seven months. DOD Cloud IaC uses automation to accelerate cloud adoption in the form of baselines that build out cloud environments in hours. It also speeds up the authorization process with inheritable common controls and the use of PaaS services, which eliminate the need for Security Technical Implementation Guides, Assured Compliance Assessment Solution and Host Based Security System. The DOD Cloud IaC baseline has successfully shortened the deployment of the networking, identity, and security policies for security compliance from the standard 30 weeks down to just two hours.


Features.

DOD Cloud IaC supports accelerated adoption by leveraging automation in the form of IaC templates that build out cloud environments in minutes. DOD Cloud IaC also speeds the authorization process with inheritable common controls and the use of PaaS services which eliminate the need for Security Technical Implementation Guides (STIGs), Assured Compliance Assessment Solution (ACAS) and Host Based Security System (HBSS). This means that DOD Cloud IaC can deliver organizations a PaaS environment quickly and efficiently.

  • Authorization to Operate (ATO) from DISA Risk Management Executive (RME).
  • 100+ Common Controls in Enterprise Mission Assurance Support Service (eMASS) to expedite mission application Assessment & Authorization (A&A).
  • Complete identity solution for both privileged users and application-level CAC users, including integration with DISA’s Global Directory service to federate with DOD’s Enterprise Identity Infrastructure.
  • Baselines at IL2, IL4, IL5 and IL6.
  • Real-time continuous monitoring & compliance.
  • Architecture standardization support across all Impact Levels (IL) and classifications.
  • Cloud service provider offerings including native security services and Platform as a Service (PaaS), which improve integration and technology insertion, reducing the burden of middleware integration, hardening and patching for mission owners.
  • Monthly updates that incorporate the latest CSP PaaS services.
 

Identity Solution.

DOD Cloud IaC provides a complete identity solution for both privileged users and application-level CAC users. It also integrates with DISA’s Global Directory service to federate with DOD’s Enterprise Identity Infrastructure.

How to order DOD Cloud IaC.

DOD Cloud IaC currently has 20 service deployments across the Department. Baselines are currently available for Microsoft Azure and Amazon Web Services and the HaCC is piloting Google baselines. If you are interested in ordering DOD Cloud IaC, please use the contact us feature and we will be in touch shortly.

 1. What is Infrastructure as Code (IaC)?
Simply put, it’s a script that deploys cloud resources. IaC has also been defined as managing and provisioning infrastructure using code, instead of manual processes. IaC makes it easier for mission partners to deploy cloud infrastructure.
 
 2. What are the DOD Cloud IaC baselines?
DOD Cloud IaC baselines are pre-configured, pre-authorized, Platform as a Service (PaaS) environment baselines for easy cloud adoption. Where possible, these baselines use the security services offered by Cloud Service Providers (CSPs) rather than traditional data center tools, resulting in enhanced, holistic environment security. The baselines give customers an authorized starting point for their environments, letting them adopt cloud faster.
 
 3. Where do I get the DOD Cloud IaC baselines?
HaCC DOD Cloud IaC baselines are available in a repo. To access the repo, submit a request to https://www.hacc.mil/Contact/ using your .mil email address.
In the future, these DOD Cloud IaC baselines will also be hosted within the Azure Government Marketplace.
 
 4. Can I get help deploying the baselines?
Yes, to request assistance, please contact us at https://www.hacc.mil/Contact/
 
 5. Does the HaCC deploy my application/s?
No, the HaCC deploys secure computing platforms for your application(s); it does not deploy the application(s) themselves.
 
 6. Why Platform as a Service over virtual machines?
Because PaaS removes the mission owner’s patching requirement, as well as the need for Security Technical Implementation Guides (STIGs)! The PaaS offerings (e.g. Azure App Service, Azure Database, AWS Lambda) deployed by DOD Cloud IaC make the cloud service provider responsible for vulnerability patching, hardening and secure configuration of the operating system and middleware. PaaS services also allow for rapid technology insertion (e.g. Azure Machine Learning, Amazon SageMaker) without the responsibility of integrating middle-tier applications.
 
 7. What Cloud Service Providers are available?
HaCC currently offers infrastructure baselines for AWS and Azure with additional CSPs planned for the future. 
 
 8. Are the DOD Cloud IaC baselines available to the general public?
No, DOD Cloud IaC baselines are only available for use by the US federal government. 
 
 9. Is this a managed service environment?
No, the HaCC does not manage the baselines once they are deployed. DOD Cloud IaC is deployed in a decentralized model. As DOD Cloud IaC primarily uses PaaS, the CSP will manage many of the services, but the customer will be responsible for the mission application and data hosted. The HaCC will continuously update the baselines with improvements and new services that will be uploaded to the repo, so that customers can access the most current version of a baseline.
 
 10. What security services are provided by DOD Cloud IaC baselines? 
DOD Cloud IaC baselines satisfy 92% of Virtual Datacenter Security Services (VDSS) and Virtual Datacenter Management Services (VDMS) by leveraging PaaS and security services from the Cloud Service Providers. Mission Owners need to acquire a Cloud Security Service Provider (CSSP) and a Cloud Access Point (CAP) to be in compliance with the DOD Cloud Computing Security Requirements Guide (SRG).
 
 11. How much does it cost to use a baseline?
Our baselines are free! Mission owners are responsible for the storage and compute costs associated with using a CSP.
 
 12. How does application-level CAC authentication work?
DOD Cloud IaC uses DISA’s Global Directory (GD), DOD’s centralized Identity, Credential, and Access Management solution, to authenticate and enable CAC users. The link between the CSP tenant and GD is transparent, and once a CAC user is authenticated, the application uses the CSP’s role-based access controls to enforce the permissions decided by the application developer.
 
 13. Can I incorporate my own Continuous Integration/Continuous Deployment (CI/CD) tooling?
Yes! You can incorporate your own CI/CD tooling once you deploy the baseline to your environment.
 
 14. Can I request a new service?
Yes! HaCC is open to suggestions about or requests for new baseline services. We use these demand signals to develop roadmaps for future IaC services. 
Customers can reach us at https://www.hacc.mil/Contact/ 
 
 15. What are the DOD Cloud IaC monitoring features?
DOD Cloud IaC provides easy-to-use dashboards to monitor the status of cloud configurations in real time. The services included in each baseline are listed below.
Azure baseline

Supporting Services
  • Azure Active Directory
  • Azure Activity Logs
  • Azure Alerts
  • Azure API Management
  • Azure Bastion
  • Azure Blueprints
  • Azure Cloud Shell
  • Azure DDoS Protection
  • Azure Firewall
  • Azure Front Door
  • Azure Key Vault
  • Azure Log Analytics Notebook
  • Azure Network Security Groups
  • Azure Policies
  • Azure Security Center
  • Azure Sentinel
  • Azure Service Health
  • Azure VNET
  • Azure VNET Flow Logs
  • Azure VNET Peering
  • Azure VNET Gateway
  • Azure Web Application Firewall

Application & DB Hosting
  • Azure App Service
  • Azure Database
  • Azure Cosmos DB

Containers
  • Azure Kubernetes Service
  • Azure Container Registry

Serverless
  • Azure Functions
  • Azure Event Hub

Storage
  • Azure Blob Storage
  • Azure Data Lake

AI/ML
  • Azure Machine Learning

IoT
  • Azure IoT Hub

Hybrid Cloud
  • Azure Data Factory

Virtual Machines*
  • Azure Virtual Machines*
  • Azure VM Scale Sets
  • Azure Defender

Azure Policies: 414



AWS baseline

Supporting Services
  • AWS Audit Manager
  • AWS CloudTrail
  • AWS CloudWatch
  • Amazon Cognito
  • AWS Config
  • AWS Network Firewall
  • Amazon GuardDuty
  • AWS Identity and Access Management (IAM)
  • AWS Key Management Service
  • AWS Organizations
  • AWS Security Hub
  • AWS Service Catalog
  • AWS Service Control Policies (* Supporting Services)
  • AWS Transit Gateway
  • Amazon Virtual Private Cloud (VPC)

DevOps Services
  • AWS CodeBuild
  • AWS CodeCommit
  • AWS CodePipeline

Managed Desktop
  • Amazon AppStream 2.0

Containers
  • AWS Elastic Kubernetes Service - Fargate
  • AWS Elastic Container Service (ECS) - Fargate
  • Amazon Elastic Container Registry

Database Hosting
  • Amazon Aurora
  • Amazon DynamoDB

Serverless
  • AWS Lambda

AI/ML
  • Amazon SageMaker

IoT
  • AWS IoT Greengrass

Hybrid Cloud
  • AWS Storage Gateway

Virtual Machines*
  • EC2

AWS Config Rules: 156

Google Cloud baseline (pilot)

Supporting Services
  • Google Cloud Armor
  • Google Cloud Logging
  • Google Cloud Monitoring
  • Google Cloud Identity & Access Management
  • Google Data Loss Prevention API
  • Google Cloud Security Command Center
  • Google Forseti*
  • Google Cloud IDS*
  • Google Virtual Private Cloud
  • 3rd Party Firewall
  • Google Cloud Router
  • Google Cloud Interconnect (BCAP)
  • VPC/Firewall Flow Logs
  • Google Cloud KMS
  • Identity Platform (GD)
  • Google Cloud Trace
  • Google Cloud Load Balancing
  • Google Cloud Storage

Containers
  • Google Kubernetes Engine
  • Google Anthos
  • Google Container Registry
  • Container Analysis*
  • Container Threat Detection*

Database
  • Google BigQuery

Virtual Machines
  • Google Compute Engine
  • Persistent Disk

Additional VDMS Services
  • Endpoint Protection Networking*
  • Vulnerability Scanning*

*Post-MVP Enhancement