AWS GovCloud (U.S.): An SMB Migrates to ITAR Compliant Cloud

A small-to-medium-sized business (SMB) researches, designs, develops, and tests commercial GPS receivers. When a leading DoD Prime contractor approached them about a potential contract for military GPS/GNSS receivers, they were interested in the opportunity. The SMB wanted to expand its market and collaborate with a reputable partner. However, the prime made ITAR compliance a prerequisite for the collaboration. The prime also suggested that the SMB migrate its instances, data centers, and operations to AWS GovCloud (U.S.), which the prime was already using to meet the ITAR data residency and sovereignty requirements. The SMB hired us to help them with the technical aspects of ITAR compliance and AWS GovCloud migration.

Objectives

  • To help the SMB achieve ITAR compliance and secure a contract with the DoD Prime contractor.
  • To assist the SMB in migrating their instances, data centers, and operations to AWS GovCloud (U.S.) with minimal disruption and cost.
  • To provide the SMB with the best practices and solutions for using AWS GovCloud (U.S.) to improve their performance, scalability, and security.
  • To train the SMB’s staff on how to use and manage AWS GovCloud (U.S.) resources and services effectively.

Challenges

  • The migration process encountered hurdles because some third-party applications used by the SMB didn’t align with the AWS GovCloud (U.S.) security standards and couldn’t be migrated into the new tenant. Hence, there was a need to re-engineer or refactor the applications to meet the tenant’s security requirements. This time-consuming and costly process required careful planning and lots of testing.
  • The SMB’s existing EC2 instances and data centers had to be migrated to AWS GovCloud (U.S.) without losing data or functionality and without causing disruptions. However, the data backups, transfers, encryption, and verification that every migration involves made it hard to guarantee this.
  • The SMB lacked trained personnel with expertise in AWS GovCloud services as well as in the identification and classification of ITAR data. Commercial GPS data and ITAR-controlled data would often intersect, making it difficult to separate them. The employees had to be trained on ITAR compliance and how to use AWS GovCloud before and during the migration process. There was a need to ensure that the ITAR data wasn’t accessed or viewed by unauthorized parties. This posed a challenge in balancing the training needs with the operational demands and deadlines.
  • The SMB’s large non-US citizen workforce complicated access and authorization for ITAR compliance. Stringent IAM controls were required to restrict the viewing of ITAR data to only cleared personnel. However, the SMB lacked existing identity management infrastructure to support fine-grained, least-privilege access policies across all systems. Ensuring separation of duties while avoiding productivity impacts proved extremely difficult, given the reliance on external contractors for critical operations and engineering functions. Implementing air-tight role definitions, access governance processes, and access reviews introduced complex obstacles during the transition.

The Solution

  • Our team assessed the SMB’s application components and environment to create a migration plan. We prepared and provisioned AWS GovCloud (U.S.) with the necessary compliance by following a phased approach to reduce risks and downtime.  
  • Automation was necessary since the migration had to be done within strict timelines. Cleared Systems used AWS CloudFormation to automate the deployment and configuration of AWS GovCloud resources. This reduced the complexity and effort of migrating the SMB’s legacy infrastructure to the cloud.
  • We conducted regular cross-checks throughout the migration to ensure the orchestration was secure and failure-proof. Cleared Systems leveraged AWS security services such as AWS KMS, AWS Secrets Manager, and AWS Certificate Manager to encrypt and manage the SMB’s sensitive data and credentials during and after migration. We also enabled phased scalability to provide control over cost and maintenance, enhancing the security and compliance of their AWS GovCloud environment.
  • Cleared Systems designed and implemented a disaster recovery approach and business continuity plan. Our team deployed AWS CloudTrail and Amazon CloudWatch to monitor and log AWS GovCloud activities and events, providing visibility and accountability for the SMB’s resources and actions as required by ITAR. We also provisioned notification mechanisms and auto-alerts like Amazon SNS for optimal team coordination.
  • We continue to offer ongoing support, leveraging regular audits, security checks/readouts, and auto-notifications to prioritize resiliency. Cleared Systems continues to provide training and guidance to the SMB staff on AWS GovCloud (U.S.) services and compliance standards. This ensures they can use the tenant to identify, classify, and properly handle ITAR-controlled data.

Project Outcome

  • By migrating its instances, GPS/GNSS data, and operations to AWS GovCloud (U.S.), the SMB achieved ITAR and FedRAMP compliance for its cloud environment. Thus, they can securely store and process ITAR-controlled data and access new business opportunities in the government sector.
  • Having fulfilled the requirements to move operations and instances to AWS GovCloud, the SMB and the DoD prime collaborated to produce military GPS/GNSS receivers. The two used AWS GovCloud tenants for secure and compliant cloud services to share and process ITAR-controlled data. Cleared Systems significantly impacted clients’ businesses as they gained agility, scalability, profits, enhanced security, cost savings, and more.
