Air Force SBIR/STTR pushed forward with PaaS project

To reduce costs through cloud use, the Air Force and a small-business partner recently moved a software application to a secure web service platform for government users.

Security was a major concern as the Air Force Small Business Innovation Research/Small Business Technology Transfer (SBIR/STTR) Program worked with Solid State Scientific Corp. to create a cloud environment that looks like the Air Force Network (AFNet), which service members, civilians and contractors use and expensive data centers support.

The small business developed a virtual private cloud architecture in the Amazon Web Services GovCloud with a “robust security posture,” Matthew Shaver of the Information Handling Branch at the Air Force Research Laboratory’s Information Directorate told GCN. Security features include Common Access Card authentication using public-key infrastructure and the Assured Compliance Assessment Solution, an integrated software solution that provides automated network vulnerability scanning, configuration assessment and network discovery. The Defense Information Systems Agency provides the latter to Defense Department customers at no cost.

“Security is of vital importance in any of our operations,” Shaver added.

Solid State Scientific completed the work in two phases over the course of almost three years. The first phase, which had a contract value of $150,000, “was the initial research initiative for a cloud architecture that would provide the trust and security [Air Force] users require in cloud-hosted applications,” he said. It ended with the early development of the virtual private cloud architecture components. Phase II, which cost $750,000, concluded development work and led to the first migration to the cloud, which was the Air Force Doctrine, now known as Doctrine Next. SBIR/STTR funded both phases.

“Some of the early application migrations were simple lift-and-shifts, from the old environment to the new [Platform-as-a-Service],” Shaver explained. “Most of the work in the early stages was building out the platform in order to enable more rapid future application migrations. For example, automating Security Technical Implementation Guideline (STIG) implementation for the virtual environment, and deploying enterprise services/[application programming interfaces] such as scanning, anti-virus, logging, and authentication. Bringing these components into the platform as services has allowed app owners to focus their efforts on high-impact software development initiatives, not the continual configuration and deployment of requisite enterprise services on a case-by-case basis.”

A third phase is now in the works as Solid State Scientific migrates and sustains several applications in the commercial cloud under additional contracts with the Air Force Life Cycle Management Center.

The company is also working to obtain an Authority to Operate (ATO) that would enable it to migrate, at a mission owner’s request, other unclassified applications to its virtual private cloud architecture in the AWS GovCloud environment as a PaaS.

“If the ATO is granted, it would mean more efficient cloud migration of applications,” Shaver said. “Without the PaaS ATO, an ATO per application migration would be required, which would increase overhead as well as time per migration.”

The current timeline seeks the PaaS ATO by mid-August 2019, he added.

The push to the cloud comes from “a recent request by Air Force Headquarters for mission owners to migrate individual apps to the cloud in an effort to decrease sustainment costs,” Shaver said. As data center inventory decreases, so too will IT costs, although Shaver did not have data to illustrate the effect of this migration on data centers.