‘Policy comes last’ — How two new programs inform, accelerate DHS’ push to cloud

As the Homeland Security Department moves to the cloud, it wants to build on the efforts of early adopters within the department, and implement best practices at the policy level. It’s also trying to exploit DevSecOps. Two new programs, DHS’ cloud steering group and its Cloud Factory, are integral to that effort, and the department is starting to share more information about how those will work together.

“The idea is to not have 600 independent migrations to the cloud, but to act as an enterprise, get unity of effort, really put a focus on that kind of knowledge management collaboration, where we learn from each other, we help the pathfinders scale up the learning curve to realize benefit, improve cybersecurity posture, cost effectiveness, mission capabilities, and also to scale up repeatable process,” Kshmendra Paul, cloud action officer and deputy director for strategy and mission with DHS, said at the Sept. 18 Red Hat Open First event.

The cloud steering group will be looking at questions like:

  • What does the future-state security architecture look like?
  • Can that be driven into policy in terms of streamlining authority to operate?
  • Can existing projects help understand how to move things forward?

Paul said the goal of the group is to spotlight and accelerate the department’s pushes to the cloud.

But he qualified that, saying that policy changes come last; first, DHS has to do the technical work. That’s where the Cloud Factory comes in. The agency says it’s a highly automated, secure, reliable set of managed services that allow for the dev/ops flow, feedback and innovation of various applications.

“It’s aimed at primarily expressing our requirements at DHS, or our viewpoint from the inside on how to look at end-to-end automation across the DevSecOps lifecycle, being able to drive extreme levels of inheritance of technical controls, to aim at [Authority to Operate] streamlining, to be able to encapsulate some of the network segmentation, network automation areas, to separate the concerns from network modernization, from application development, deployment operations. To be able to demonstrate that capability,” Paul said.

In time, Paul said, it will become the infrastructure layer for a multi-cloud general support system. In theory, it will be DHS’ path to addressing security issues and segmenting the problem.

Cloud Factory will be going through the ATO process through the fall and winter, Paul said, at which point DHS will start to get initial reports from security personnel, a kind of checklist for fixes and upgrades. He referred to it as a POAM — Plan Of Action and Milestones.

After that, DHS will be integrating Cloud Factory with its initial efforts to push to the cloud. Paul said currently the department has 30 programs, or 5 percent of its portfolio, already in the cloud. More than 100 new programs are moving in that direction, and all new development is aimed at the cloud.

“So we’re looking to drive a little bit of convergence that way,” Paul said. “With an initial use of it, we will understand and have a more practical view on the organizational issues, the workforce issues, the internal business model issues to make practical these ideas of inheritance of controls at the technical level and at the programmatic level. And how do we streamline the compliance process to reflect that work?”

“That’s going to require policy changes — again, that’s where the cloud steering group comes in — but the policy part comes last,” Paul added. “The technical work comes first, the piloting, the iteration, it’s got to come bottom up.”
