Challenge
Our client already provides visa application software for several countries in Europe. Ippon France had modernized the application, primarily using open-source technologies. Department of State (DoS) requirements for running an application in AWS GovCloud called for a multitude of changes to the existing application. The application was deemed to require FedRAMP High, which required further changes. Many open-source services and libraries are not Federal Information Processing Standards (FIPS)-compliant, and FIPS compliance is a FedRAMP requirement. These new security requirements put strict limitations on which encryption libraries could be used.
Refactoring the application required a joint effort between Ippon France and Ippon USA to implement the security changes for the non-production environment in a commercial AWS account and for the production environment in AWS GovCloud. The final step before delivering the new application to the United States Department of State is to achieve an Authority to Operate (ATO): the application must adhere to a System Security Plan (SSP) and be audited against it.
Solution
The basic goal was to change the infrastructure of the existing application so that it runs in AWS GovCloud and is FedRAMP High-compliant. Since the product team in France did not have access to AWS GovCloud, they relied heavily on Ippon USA to identify pipeline and deployment issues, so the solution depended as much on communication and collaboration as on technology.
The first step was setting up a completely new AWS GovCloud environment. Ippon built this environment using Infrastructure as Code (IaC) to ensure repeatability and reduce risk. Commercial AWS accounts were also set up to host an offline Root Certificate Authority (CA) for signing certificates and a public hosted zone (since public hosted zones are not allowed in GovCloud). The new environment also required a standalone GitLab and custom images with security software pre-installed.
The most challenging requirement, and the one with the most complex solution, was bringing the application into compliance with Federal Information Processing Standards (FIPS). In some cases dependent systems had to be eliminated; in others, commercial versions of open-source software were required. FIPS mode was turned on for the operating systems and for virtual machines such as the Java Virtual Machine (JVM). The IaC scripts were modified to turn on FIPS mode and to switch to FIPS-compliant cryptographic algorithms. The JVM required a special security provider configuration and also had to use an operating-system-specific keystore.
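As an added illustration (not Ippon's or the client's code), the kind of JVM-side smoke test that verifies the provider configuration and OS-backed keystore described above before an image is promoted; the provider name SunPKCS11-NSS-FIPS, the keystore type PKCS11 and the claim that stock providers are removed in FIPS mode are assumptions for a RHEL-style OpenJDK FIPS build and may differ on other platforms.

```java
import java.security.*;
import java.util.*;

// Smoke test for a freshly built image: confirms the JVM is really running in FIPS
// mode before the application is deployed. Provider and keystore names are assumed
// values for a RHEL-style OpenJDK FIPS setup; override them with -D properties.
public class FipsJvmCheck {
    static final String FIPS_PROVIDER = System.getProperty("fips.provider", "SunPKCS11-NSS-FIPS");
    static final String OS_KEYSTORE_TYPE = System.getProperty("fips.keystore", "PKCS11");

    // Returns the list of findings; an empty list means every check passed.
    static List<String> check() {
        List<String> findings = new ArrayList<>();
        // 1. The FIPS provider must be first so that it wins every algorithm lookup.
        Provider[] providers = Security.getProviders();
        if (providers.length == 0 || !providers[0].getName().equals(FIPS_PROVIDER)) {
            findings.add("FIPS provider " + FIPS_PROVIDER + " is not the highest-priority provider");
        }
        // 2. An approved algorithm must be served by the FIPS provider, not a stock one.
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            if (!sha256.getProvider().getName().equals(FIPS_PROVIDER)) {
                findings.add("SHA-256 is served by " + sha256.getProvider().getName());
            }
        } catch (NoSuchAlgorithmException e) {
            findings.add("SHA-256 unavailable: " + e.getMessage());
        }
        // 3. Assumed platform behaviour: FIPS mode strips the stock providers, so MD5 must not resolve.
        try {
            MessageDigest.getInstance("MD5");
            findings.add("MD5 still resolves; non-FIPS providers remain enabled");
        } catch (NoSuchAlgorithmException expected) {
            // rejection is the expected FIPS-mode behaviour
        }
        // 4. The OS-backed keystore must load, or TLS trust cannot come from the system store.
        try {
            KeyStore.getInstance(OS_KEYSTORE_TYPE).load(null, null);
        } catch (Exception e) {
            findings.add("OS keystore type " + OS_KEYSTORE_TYPE + " failed to load: " + e);
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> findings = check();
        findings.forEach(f -> System.err.println("FAIL: " + f));
        System.exit(findings.isEmpty() ? 0 : 1); // non-zero exit fails the pipeline stage
    }
}
```

Run it as a pipeline stage on the built image so a misconfigured java.security file or missing NSS keystore fails the build rather than surfacing during the audit.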
Benefits
Prior to the COVID-19 pandemic, the US government processed more than 9 million non-immigrant visas per year. The application is planned to roll out to US embassies and consulates around the world to eventually handle that demand. Our client is paid for reserving premium appointment slots and for expedited shipping. The contract runs ten years (barring extensions), and the development costs will be recovered within a few years.
COMPANY DETAIL
Our client works with governments from around the world to provide visa and consular services on their behalf to travelers and citizens. Their core expertise, built up in visa processing, enables them to apply their secure processing experience to a wide range of government and citizen services, both abroad and in-country. By harnessing new technology, they support governments in their digital transformation, helping to improve efficiency and enhance customer service.