Creating a Roadmap that Supports a Secure Move to the Cloud for the Army
Created April 2022
The SEI helped the Army Evaluation Center (AEC) assess how it can move its systems to cloud-based technologies, and what it must do to address operational test and engineering (OT&E) activities to support those systems and manage technological and cyber risks. To handle this type of technology shift, the AEC needs to transform from an OT&E approach that requires direct access to hardware and software to one that evaluates systems that the AEC accesses indirectly through a cloud provider. To do so, the SEI helped shape each phase of the product lifecycle, from acquisition to operations and support.
Test and Engineering Challenges in Cloud Computing
The United States Army Evaluation Center (AEC) is charting a course to support the Army’s adoption of cloud computing so that it can modernize its systems and use the latest technologies at lower costs. These technologies enable faster scaling to support evolving needs, and they can be used by personnel without geographical limitation – including by warfighters at the tactical edge.
One of the biggest challenges of moving to the cloud is that cloud-computing customers usually cannot directly control or observe cloud-computing technologies, because these technologies are provided by a cloud provider. Moving to the cloud means that the AEC must figure out how it can mitigate security risks and support systems running on technology to which it has only indirect access.
These challenges are further complicated by the fact that the AEC must address the rigorous cybersecurity standards outlined by recent Department of Defense (DoD) policies. For example, the DoD’s Cybersecurity Test and Evaluation Guidebook has expanded its emphasis on cybersecurity in recent updates, which affects how organizations acquire, test, and support their computing systems to prioritize security.
Because of the SEI’s expertise in cybersecurity and software engineering, the AEC engaged the SEI to help chart a roadmap to assess how it can successfully deploy cloud-computing capabilities while meeting the rigorous cybersecurity demands of the DoD.
Securely Moving to the Cloud
To help the AEC plan for the testing and evaluation it will need to conduct for adopting and supporting cloud technologies, the SEI performed detailed reviews of the AEC’s operational test and engineering (OT&E) activities. The SEI identified the impacts that moving to cloud technology would have on OT&E. One of the bigger challenges is transforming from an OT&E approach that gathers information from direct access to hardware and software, to one that evaluates systems that are only available indirectly through a cloud provider. This transformation requires careful planning from the beginning of the product lifecycle to ensure all necessary information for OT&E is available and accessible.
Although the focus on OT&E activities occurs primarily in the latter phases of that lifecycle, support for testing and engineering efforts must begin with information gathering at the beginning of the acquisition process. For that reason, the SEI reviewed each phase of the lifecycle, from acquisition to operations and support.
The SEI conducted training and workshops to explain its findings to the AEC, and to begin to establish the communications and preparation it needs to make sure it can fully support OT&E activities. As an expert in software engineering, cybersecurity, and cloud computing, the SEI outlined the risks involved in moving to the cloud, the responsibilities the AEC will need to adopt, and a roadmap that identifies how the AEC can assess risks and mitigate them.
The SEI’s support begins with a plan that helps the AEC gather all necessary information during acquisition of cloud technologies. The SEI developed a list of key questions for product managers to ask cloud providers, and examples of information they must gather to support OT&E activities later on. This way, the AEC can be sure that it has everything it needs from the cloud provider when its testing and engineering efforts begin, and it can ensure that it successfully addresses the DoD’s requirements for managing technology and cyber risks.
September 02, 2021 Technical Report
This report presents practices for secure, effective use of cloud computing and risk reduction in transitioning applications and data to the cloud, and considers the needs of limited-resource...
September 02, 2019 White Paper
This paper provides an overview of the preparation and work that the AEC needs to perform to successfully transition the Army to cloud...
July 18, 2019 Webcast
This webcast addressed a few of the causes for cloud transition issues, as well as identified some practices that will assist organizations as they plan to transition assets and capabilities to the...
July 11, 2019 Technical Report
This report, updated in October 2020, examines the changes to risks, threats, and vulnerabilities when applications are deployed to cloud...
October 25, 2018 Podcast
Don Faatz and Tim Morrow, researchers with the SEI's CERT Division, outline best practices that organizations should use to address the vulnerabilities and risks in moving applications and data to cloud...
October 18, 2018 Podcast
Tim Morrow and Donald Faatz outline the risks, threats, and vulnerabilities that organizations face when moving applications or data to the...
March 04, 2018 Blog Post
Organizations continue to develop new applications in or migrate existing applications to cloud-based services. The federal government recently made cloud-adoption a central tenet of its IT modernization...