search menu icon-carat-right cmu-wordmark

Creating a Roadmap that Supports a Secure Move to the Cloud for the Army

Created April 2022

The SEI helped the Army Evaluation Center (AEC) assess how it can move its systems to cloud-based technologies, and what it must do to address operational test and engineering activities (OT&E) to support those systems and manage technological and cyber risks. To handle this type of technology shift, the AEC needs to transform from an OT&E approach that requires direct access to hardware and software, to one that evaluates systems that the AEC indirectly accesses through a cloud provider. To do so, the SEI helped shape each phase of the product lifecycle, from acquisition to operations and support.

Test and Engineering Challenges in Cloud Computing

The United States Army Evaluation Center (AEC) is charting a course to support the Army’s adoption of cloud computing so that it can modernize its systems and use the latest technologies at lower costs. These technologies enable faster scaling to support evolving needs, and they can be used by personnel without geographical limitation – including by warfighters at the tactical edge.

One of the biggest challenges of moving to the cloud is that cloud-computing customers usually don’t have direct control or observation over cloud-computing technologies because these technologies are provided by a cloud provider. Moving to the cloud means that the AEC must figure out how it can mitigate security risks and support systems running on technology that it has only indirect access to.

These challenges become even more complicated by the fact that the AEC must address the rigorous cybersecurity standards outlined by recent Department of Defense (DoD) policies. For example, the DoD’s Cybersecurity Test and Evaluation Guidebook has expanded its emphasis on cybersecurity in recent updates, which affects how organizations acquire, test, and support their computing systems to prioritize security.

Thanks to the SEI’s expertise in cybersecurity and software engineering, the AEC engaged the SEI to help chart a roadmap to assess how it can successfully deploy cloud-computing capabilities while meeting the rigorous cybersecurity demands of the DoD.

Securely Moving to the Cloud

To help the AEC plan for the testing and evaluation it will need to conduct for adopting and supporting cloud technologies, the SEI performed detailed reviews of the AEC’s operational test and engineering (OT&E) activities. The SEI identified the impacts that moving to cloud technology would have on OT&E. One of the bigger challenges is transforming from an OT&E approach that gathers information from direct access to hardware and software, to one that evaluates systems that are only available indirectly through a cloud provider. This transformation requires careful planning from the beginning of the product lifecycle to ensure all necessary information for OT&E is available and accessible.

Although the focus on OT&E activities occurs primarily in the latter phases of that lifecycle, support for testing and engineering efforts must begin with information gathering at the beginning of the acquisition process. For that reason, the SEI reviewed each phase of the lifecycle, from acquisition to operations and support.

The SEI conducted training and workshops to explain its findings to the AEC, and to begin to establish the communications and preparation it needs to make sure it can fully support OT&E activities. As an expert in software engineering, cybersecurity, and cloud computing, the SEI outlined the risks involved in moving to the cloud, the responsibilities the AEC will need to adopt, and a roadmap that identifies how the AEC can assess risks and mitigate them.

The SEI’s support begins with a plan that helps the AEC gather all necessary information during acquisition of cloud technologies. The SEI developed a list of key questions for product managers to ask cloud providers, and examples of information they must gather to support OT&E activities later on. This way, the AEC can be sure that it has everything it needs from the cloud provider when its testing and engineering efforts begin, and it can ensure that it successfully addresses the DoD’s requirements for managing technology and cyber risks.

Learn More

A Method for Assessing Cloud Adoption Risks

May 09, 2022 Blog Post
Christopher J. Alberts

The move to a cloud environment provides significant benefits. Realizing these benefits, however, requires organizations to manage associated organizational and technical risks...

read

Cloud Security Best Practices Derived from Mission Thread Analysis

September 02, 2021 Technical Report
Timothy Morrow, Vincent LaPiana, Donald Faatz, Angel Luis Hueca, Nathaniel Richmond

This report presents practices for secure, effective use of cloud computing and risk reduction in transitioning applications and data to the cloud, and considers the needs of limited-resource...

read

Operational Test & Evaluation (OT&E) Roadmap for Cloud-Based Systems

September 02, 2019 White Paper
Carol Woody, Christopher J. Alberts, John Klein, Charles M. Wallen

This paper provides an overview of the preparation and work that the AEC needs to perform to successfully transition the Army to cloud...

read

Three Federal Government/DoD Cloud Transition Issues and How to Prevent Them

July 18, 2019 Webcast
Eileen Wrubel, Timothy Morrow, Dale Alleshouse

This webcast addressed a few of the causes for cloud transition issues, as well as identified some practices that will assist organizations as they plan to transition assets and capabilities to the...

watch

Overview of Risks, Threats, and Vulnerabilities Faced in Moving to the Cloud

July 11, 2019 Technical Report
Timothy Morrow, Kelwyn Pender, Carrie Lee (U.S. Department of Veteran Affairs), Donald Faatz

This report, updated in October 2020, examines the changes to risks, threats, and vulnerabilities when applications are deployed to cloud...

read

Best Practices for Security in Cloud Computing

October 25, 2018 Podcast
Donald Faatz, Timothy Morrow

Don Faatz and Tim Morrow, researchers with the SEI's CERT Division, outline best practices that organizations should use to address the vulnerabilities and risks in moving applications and data to cloud...

learn more

Risks, Threats, and Vulnerabilities in Moving to the Cloud

October 18, 2018 Podcast
Donald Faatz, Timothy Morrow

Tim Morrow and Donald Faatz outline the risks, threats, and vulnerabilities that organizations face when moving applications or data to the...

learn more

12 Risks, Threats, & Vulnerabilities in Moving to the Cloud

March 04, 2018 Blog Post
Timothy Morrow

Organizations continue to develop new applications in or migrate existing applications to cloud-based services. The federal government recently made cloud-adoption a central tenet of its IT modernization...

read