Air Force’s game-changing approach to cloud accreditation

The Air Force’s Platform One software development effort isn’t just changing the way the service develops applications. It’s also transforming how airmen and civilians access those programs.

The unit simplified how applications connect to the cloud without giving up any security rigor.

Nicolas Chaillan, the Air Force’s chief software officer, said the new approach is all about making it easier to access secure software in the cloud.

Nicolas Chaillan is the Air Force’s chief software officer. (Photo courtesy AFCEA)

“We created the first cloud native access point and got it accredited. By itself, it’s game changing because it enables the team to connect to the cloud directly without going through a cloud access point that is hosted on the Defense Department Information Network (DoDIN),” Chaillan said on Ask the CIO. “That enables the team, particularly outside of the DoDIN, like partners and vendors, to connect to the Platform One stack without having to go through the cloud access point on premise and have to virtual private network on NIPRNet to connect. Things like that are game changing for the department.”

Along with the Defense Department’s chief information officer’s office and the Defense Information Systems Agency, the Air Force created the cloud native access point as a pathfinder to prove this approach.

Chaillan said the Air Force deployed it in a way that it can scale across DoD and deploy it on any cloud.

The Air Force tested it with Platform One and the F-35 and Ground Based Strategic Deterrent (GBSD) teams.

“I think that is demonstrating that the more we move to the cloud, the more we have to be on the cloud without having to bring anyone back to the DoDIN, even more so if they already are not on the DoDIN, which is actually reducing the attack surface and cyber risks,” he said. “It’s up and running now. We have dozens of options to allow teams to connect with a thick endpoint or zero client and a virtual desktop interface, and we have capability with the zero trust enforcement to enable teams to use both government furnished equipment but also bring your own device, mobile and desktop. We can assess the state of the device, who they are in the organization and whitelist access to what they should have access to.”

The cloud native access point also helps the Air Force move to a zero trust environment, in which the state of the device and the role of the user, rather than presence on a trusted network, decide what each request may reach. That offers more security and flexibility than a traditional VPN, which grants broad network access once a connection is established.
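The access model described above, reduced to a policy check: each request is evaluated against the user's identity and roles, the device's posture, and an explicit per-application allowlist, with deny as the default, and every failed check is recorded so the enforcement point can report posture continuously. For contrast, a network-location check is included to show what a traditional VPN decision collapses to. This is an added illustration, not Platform One's access point code; the attribute names, role names, applications, devices and users are all constructed for the example.

```python
"""Zero-trust access decision: device posture + identity + per-app allowlist.

Added illustration, not Platform One's access point code. All device, user
and resource attributes below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # government furnished (MDM-enrolled) vs. bring-your-own
    os_patched: bool     # patch level meets the baseline
    disk_encrypted: bool
    attested: bool       # posture service verified the device's boot measurements


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset     # roles granted in the organization's directory
    mfa_verified: bool   # strong (certificate plus second factor) authentication completed


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_roles: frozenset               # explicit allowlist; no role match means deny
    require_managed_device: bool = False   # BYOD not acceptable for this application


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple       # empty when allowed; otherwise every failed check


def evaluate(user: User, device: Device, resource: Resource) -> Decision:
    """Deny by default; allow only when identity, device and allowlist all pass.

    Every failed check is recorded instead of short-circuiting, so the
    enforcement point can log the full posture picture for monitoring.
    """
    failed = []
    # Identity: who the requester is and how strongly they authenticated.
    if not user.mfa_verified:
        failed.append("mfa_required")
    # Device: the state of the endpoint making the request.
    if not device.attested:
        failed.append("device_not_attested")
    if not device.os_patched:
        failed.append("device_unpatched")
    if not device.disk_encrypted:
        failed.append("disk_not_encrypted")
    if resource.require_managed_device and not device.managed:
        failed.append("managed_device_required")
    # Allowlist: the user's roles must intersect the resource's allowed roles.
    if not (user.roles & resource.allowed_roles):
        failed.append("role_not_allowlisted")
    return Decision(allowed=not failed, reasons=tuple(failed))


def authorize_catalog(user: User, device: Device, catalog) -> dict:
    """Per-application decisions; there is no 'on the network, so everything is open' state."""
    return {r.name: evaluate(user, device, r) for r in catalog}


def legacy_vpn_allows(source_ip: str, internal_cidrs=("10.0.0.0/8",)) -> bool:
    """The check a traditional VPN decision reduces to: a source address inside
    the enclave reaches every application, regardless of device state or role."""
    addr = ip_address(source_ip)
    return any(addr in ip_network(c) for c in internal_cidrs)


# Constructed sample data (hypothetical applications, users and devices).
CATALOG = (
    Resource("gitlab", allowed_roles=frozenset({"developer", "vendor"})),
    Resource("ci-pipeline", allowed_roles=frozenset({"developer"})),
    Resource("program-office-dashboard", allowed_roles=frozenset({"program-office"}),
             require_managed_device=True),
)
VENDOR_BYOD = Device("laptop-42", managed=False, os_patched=True,
                     disk_encrypted=True, attested=True)
UNPATCHED_GFE = Device("gfe-7", managed=True, os_patched=False,
                       disk_encrypted=True, attested=True)
VENDOR = User("vendor.dev", roles=frozenset({"vendor"}), mfa_verified=True)
PO_LEAD = User("po.lead", roles=frozenset({"program-office"}), mfa_verified=True)


if __name__ == "__main__":
    for name, d in authorize_catalog(VENDOR, VENDOR_BYOD, CATALOG).items():
        verdict = "allow" if d.allowed else "deny " + ", ".join(d.reasons)
        print(f"{VENDOR.username} on {VENDOR_BYOD.device_id} -> {name}: {verdict}")
    print("legacy VPN check for 10.1.2.3:", legacy_vpn_allows("10.1.2.3"))
```

Run as written, the vendor on a BYOD laptop reaches only the application whose allowlist names the vendor role, while the legacy check admits any address inside the enclave to everything. Recording all failed checks, rather than stopping at the first, is what lets the access point feed a continuous posture report instead of a bare allow/deny.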

“The goal is to scale and that will depend on the lessons learned. The prime concern of Cyber Command, NSA, DoD CIO and others is there are no cyber issues,” Chaillan said. “Once we demonstrate that the cyber posture can be improved, my hope is this becomes part of the accepted way to connect to the cloud and update the cloud security guide to reflect that as well.”

The cloud access point pathfinder also builds upon the Air Force’s Fast Track Authority to Operate (ATO) policy issued in 2019. The new process gives authorizing officials the discretion to make decisions based on several factors: the cybersecurity baseline, an assessment or penetration test and ensuring there is a continuous monitoring strategy for the system.

Anyone can be a software factory

Chaillan said the cloud native access point becomes more important as the Air Force and its partners develop more software-as-a-service.

The Air Force has more than 20 software factories in the United States, including well-known ones like Kessel Run in Boston, Mass., or Kobayashi Maru in Los Angeles, California. Through Platform One, program offices feel empowered to become a software factory by embracing the culture and tools.

“The key for us is to make sure each one understands their mission focus and they piggyback on the work by Platform One so they can simply focus on building mission software and not a custom dev/sec/ops platform pipeline,” he said.

The Defense Department CIO recently designated Platform One as an enterprise service for all of the military services and agencies to use.

Dana Deasy, the DoD CIO, said on Thursday that Platform One sets standards and removes some of the non-technical obstacles so services and agencies can digitally transform more quickly.

“People become fixated on the cloud aspect of this, but if you really dig under the covers of this, the Air Force truly has matured this vision that I’ve been an advocate for a long time around dev/sec/ops. They have done a lot of work around the entire software development process and various tools and techniques that we are advocating as part of our agile workforce,” Deasy said. “When we announced [Platform] One, while people picked up on the word cloud, the big message there was we actually, for the first time, had designated a cloud across DoD that could be used for a common way of doing dev/sec/ops.”

Chaillan said the Air Force also is talking to civilian agencies, including the Veterans Affairs Department, the IRS, the Justice Department and many others. He said the other agencies can use the containers, code and contract vehicle, which includes 55 basic ordering agreements so users can acquire services, licenses and cloud services within 30 days.

In July, the Air Force opened up the basic ordering agreements by releasing a solicitation to bring in up to 25 more vendors to provide dev/sec/ops services. Bids are due Aug. 10.

Chaillan said more than 45 programs across all services and agencies are using Platform One tools and capabilities.

He said Platform One is a critical enabler to help the Air Force, and DoD more broadly, move from one big release to a smaller iterative process to release new capabilities.

“I think we bring more security, more real-time visibility instead of seeing an assessment every year or whenever, they are able to see continuously the cyber posture and reporting,” Chaillan said. “I think that transparency and access to the data has been critical to convince the cyber community and the rest of the DoD community to jump on this. I actually believe this is way more secure. Incremental change by definition is going to be smaller and less impactful and the ability to update fast, fail fast and learn fast is critical.”

Platform One has helped save DoD programs more than 100 years of development time in the first year of use.

“By moving these programs to dev/sec/ops, we see an 18-month savings over the five-year life of a program. It’s pretty amazing,” he said.