Department of Transportation (DOT) System Migration & Modernization

Client Organization Name: Defense Contractor
Offeror’s Role for the Case Study: Prime Contractor

About the Customer:
Our client was a British multinational arms, security, and aerospace company based in London,
England. The defense contractor contracted CTAC to help migrate their corporate desktop
computing capabilities into a cloud-based Virtual Desktop Infrastructure (VDI). The contractor
required the duplication of their on-premises/hybrid cloud computing capabilities and the migration
of those workflows into a secure, isolated infrastructure. The new cloud-based platform was to
be built in support of classified workloads for the United States Navy on the development of
onboard naval missile systems. The work was classified at the Department of Defense (DoD)
Cloud Computing (CC) Security Requirements Guide (SRG) Impact Level 5 (IL5).

Customer Challenge:
Due to the DoD CC SRG IL5 security posture of the Navy’s missile systems, the contractor’s
engineers could not leverage their corporate IT infrastructure for this project. Instead, they
needed their corporate computing capabilities and workflows to be duplicated and migrated into
a new, isolated cloud-based Information Technology environment. This isolated platform would
provide a working environment capable of storing and processing Controlled Unclassified
Information and access to services for employees and other authorized users. The secure
environment would also have to be fully self-contained, with its own full IT infrastructure,
including separate Outlook servers, Citrix VDI, Active Directory, etc. The defense contractor
contracted CTAC’s AWS DevOps engineers and cloud migration experts to design, migrate and
deploy this new secure working environment.

Connections to various on-premises hardware resources (thin clients, printers, etc.) needed to
be provided in a secure and effective manner while maintaining a strongly isolated security
posture for the environment as a whole. It was vital that core workflows, services, and
applications remain unchanged in the new environment to minimize the impact and disruption
associated with the migration effort. This meant that all existing software, licensing, accounts,
access controls, and configurations needed to be replicated in the cloud with little to no
divergence from the existing on-premises equivalents.

Partner Solution:
The defense contractor has a capable, mature corporate IT environment enabling its engineers
to provide their clients with modern, robust solutions. The security requirements to access and
enhance secure military systems are outlined by the DoD CC SRG IL5. All endpoints accessing
classified systems are required to originate from trusted, secured environments. The defense
contractor’s corporate environment had not been subject to a Navy security review, and meeting
such strict guidelines would limit the tools, applications and systems on their corporate network.
Instead of limiting the capabilities of their own network/environment, they chose to build a new,
isolated environment and migrate all data, files, applications, users, and workflow processes to
the new platform. To meet this goal, the defense contractor turned to CTAC to help provision the
infrastructure and migrate their workflows.

CTAC’s DevOps engineering team established four new AWS GovCloud accounts each addressing
a specific business need: Management, VDI, Shared Services, and Security. Within each account,
our engineers provisioned new Virtual Private Clouds (VPCs) each with best practice subnet
configurations. As no Navy data can be commingled with corporate or other program data, this
infrastructure had to be isolated, but completely self-contained. Within each of the VPCs, EC2
instances were provisioned to manage the required computing capabilities supporting Microsoft
Exchange Services, Microsoft Active Directory, Citrix VDI, and Liquidware App Suite. CTAC DevOps
engineers leveraged Terraform to develop the Infrastructure as Code (IaC) to provision the entire
solution. CTAC leveraged AWS Direct Connect to connect the defense contractor’s corporate
on-premises network to the new, secure AWS network, using software-defined networking to manage
isolation and connectivity. Through the point-to-point secure connection, all workflows,
information, files, and datasets were migrated to AWS. Documentation and files were migrated
into the encrypted network file system Amazon Elastic File System (EFS). Amazon Elastic Block
Store (EBS) and Amazon Relational Database Service (RDS) were leveraged for secure
object and database storage.

Because the work was classified at IL5, it was imperative that the environment restrict unauthorized access and remain
completely isolated. CTAC leveraged AWS’s native managed services available within its US
GovCloud offering. In addition to the provisioned subnets, users were migrated with user access
and permissions managed through AWS Identity and Access Management (IAM). CloudWatch is
utilized to monitor applications and the overall performance of the infrastructure. CloudTrail
ensures monitoring and logging of API activity within accounts and provides an audit trail for
assessment and incident response. To further secure the environment, VPN clients and servers
were configured to allow access only to Citrix VDIs via thin clients with Personal Identity
Verification (PIV) card authentication.


Results and Benefits:
The new cloud-based IT environment provides our client’s engineers with the secure and
isolated development environment required to maintain and enhance the Navy’s classified
missile systems. Leveraging AWS’s vast suite of managed services, CTAC and our client were
able to establish a fully isolated and self-contained IT infrastructure that duplicated the
capabilities of their corporate environment and migrated all users, workflows, applications, and
systems seamlessly to the new environment. The migrated workflows ensured that no classified
information could be accidentally commingled with corporate or unclassified data. The new
environment and its extensible infrastructure as code also provided our client with the future
capabilities of provisioning secure, isolated environments for upcoming classified work and
clients up to DoD IL5. CTAC’s solution provided our client with the enhanced capability of
scalability by providing top-tier engineering and development to the military’s most securely
classified systems.

About the Partner:
For 30 years, CTAC has built a team of people, and a business around them, who know what it
means to put our client’s mission first. We constantly invest in that team to ensure that we stay
at the cutting edge of technology, so our clients are never getting yesterday’s solution today. Our
approach combines deep knowledge of the federal space, application of up-to-date industry best
practices and a constantly evolving commitment to technical excellence to meet our clients where
they are. That means answering the ask and digging deeper. It means showing up and staying
connected. It means getting it done and getting it right.

CTAC is an Advanced AWS Partner and an AWS Public Sector Solutions Provider with the
differentiator of having achieved three AWS competencies: Government, DevOps, and Public
Safety and Disaster Response. As a testament to our commitment as an AWS partner, our staff
currently hold over 50 AWS Accreditations and over 45 Specialty, Professional, Associate, and
Foundational AWS certifications. This ensures our Migration, Platform as a Service (PaaS),
Infrastructure Support, Modernization, Resale, and DevOps teams are up to date in both
education and experience designing, modernizing and deploying cloud-based solutions in AWS.