Nuclear Regulatory Commission modernizing applications for the cloud

The Nuclear Regulatory Commission is changing several of its applications for a move to the cloud. Jonathan Feibus, NRC’s chief information security officer, called it a “fairly exciting time” for the agency.

He oversees internal applications for purposes such as productivity, desktop operating systems, timekeeping and budgeting. Applications also handle personnel, agency records and reporting to various agencies.

“We’ve recently moved to a number of cloud applications for productivity apps like the office suite, like email,” Feibus said on Federal Monthly Insights — Application Services Month. “We’ve been testing a lot of our modeling software in the cloud so that we don’t have to purchase single-use machines for here and we’ve got a little bit more flexibility by doing it in the cloud.”

Jonathan Feibus, Chief Information Security Officer and Deputy Director at U.S. Nuclear Regulatory Commission

The modeling software is used in licensing processes to examine different circumstances such as nuclear decay, fire modeling or groundwater seepage. The data from those licensing processes comes from a variety of sources including licensees and test cases.

Feibus said that before moving to the cloud, his office would typically buy a single-use machine or continually run modeling data through it for several days or weeks. By putting the modeling into the cloud, NRC can change the parameters of the machine it is working on, and so change how quickly, how slowly or how inexpensively it gets the modeling data back.

“So it gives us a bit more flexibility for how we design the test cases. It gives us a bit more flexibility for how we operate them,” Feibus said on Federal Drive with Tom Temin. “And by using FedRAMP cloud we have a lot of security that’s already in place for us so it ends up being a bit less expensive for us than having to purchase, secure and maintain single-use machines.”

In a cloud service-level agreement, Feibus said the first step is making sure an office or agency understands what it is being charged for in the cloud and how those rates go up and down. He also said to make sure to budget appropriately for the amount of work needed, the trade-offs for having the fiscal infrastructure to manage that locally, and maintenance costs.

“Instead of messaging, you’re looking for process time and memory spikes,” he said. “It’s a lot like when in the mainframe days when we were looking at time-sharing and how much we were paying for each process that was being run.”

Licensing for the modeling software is done with a virtual license manager, a process manager and a governance process for people to make sure that they’re using resources appropriately for the task at hand. NRC has usage agreements from the Department of Energy to use its labs for supercomputing when needed. But Feibus said that for this type of application it wasn’t a good fit.

Feibus said NRC went through open competition to select a cloud provider and decided against looking for software as a service. He said this was because the modeling software used by the agency is not available in the public domain as a service.

“It was between platform or infrastructure as a service, and because we wanted to be able to flexibly move between platforms, infrastructure took the day there for our requirements,” he said. “And then we had a number of requirements surrounding the amount of data, the number of processors, the amount of memory and storage that could be ramped up or down, and we did a competition to figure out which was the supplier that was going to be the best value for our needs.”

As for the geographical distribution of clouds across time zones and users in multiple locations, Feibus said that speaks to the “beauty” of FedRAMP: built-in redundancy.

“The cloud implementation does require that there be an alternate processing site,” he said. “So that’s managed by a cloud supplier. So that’s not something that we specifically need to pay attention to.”

His office is running out of four data centers across the country, though he cannot say which one at any given time. But Feibus expressed no concerns as to the security of connections between data centers.

“That’s one of the FedRAMP requirements,” he said. “We on an ongoing basis review their updates and any vulnerabilities, what they need to resolve. We are as comfortable with that cloud implementation as we would have been if it were in our data center.”