By Jeff Biala, Program Management Office Director – Appian
By Vani Eswarappa, Sr. Solutions Architect – AWS
By Jason Layman, VP Defense Cloud – SMX
Appian Government Cloud (AGC) is a cloud service offering that has a provisional authorization at Impact Level 5 (IL5). This is the highest level of authorization for unclassified information that can be achieved at the U.S. Department of Defense (DoD).
This provisional authorization allows Appian Government Cloud to accelerate timelines to go live by ensuring mission-critical applications’ underlying infrastructure and backend processes are secure. DoD mission owners can place their focus on the missions at hand, with the confidence their cloud workloads will be managed properly.
Appian Government Cloud (AGC) on Amazon Web Services (AWS) is a powerful combination of the unified Appian low-code platform for change and SMX’s Cloud Assured Managed Services. Appian is an AWS Government Competency Partner with the AWS GovCloud (US) Service Delivery designation that accelerates your business by discovering, designing, and automating processes.
SMX is an AWS Partner with Level 1 Managed Security Service (MSSP) Competency. This means it provides 24/7 security protection and monitoring of essential AWS resources delivered as a fully managed service.
In this post, we will discuss the power of low-code and what it could mean for your agency in the public sector. By reducing the need to build through coding, mission owners can work on accelerated timelines toward implementing new solutions and applications into the fabric of their organizations. The time is now to harness your possibilities through low-code in building applications and workflows with speed, availability, and security.
Appian is a low-code software development platform for building applications and business processes with little to no coding.
- Low-code allows you to program a computer through a visual interface, such as by drawing a workflow diagram. It’s a more intuitive and human way of interacting with a machine than coding.
- Low-code equals high speed and makes it much faster to build, modify, and execute enterprise applications. It delivers increased agility to organizations.
- Low-code platforms allow you to seamlessly orchestrate people, systems, data, bots and artificial intelligence in a single workflow with automation capabilities.
Now, imagine the power and speed of this platform backed by next-generation managed services, like SMX’s Cloud Assured Managed Services, and that’s what the Appian Government Cloud gives you.
Appian Requirements Management
The Appian Requirements Management solution, built on Appian Government Cloud, allows government agencies to simplify and build a single acquisition system.
When government organizations encounter barriers to accurately planning, purchasing, tracking, and deploying the resources they need to accomplish their missions, they risk wasting billions of dollars on delayed acquisitions. Delayed delivery of critical services can impact agency mission objectives. Appian gives federal programs and procurement organizations a new way to modernize their acquisition systems.
With Appian Requirements Management, government agencies can quickly configure the solution to address their specific needs rather than relying on inefficient emails, shared drives, and spreadsheets. Requirements Management improves how contracting and program teams collaborate when defining, reviewing, and finalizing procurement requirements and acquisition strategies.
The solution increases the value and timeliness of government purchases with high-quality requirements packages that include the following:
- Intelligent requirements gathering based on federal regulations and agency policy.
- Automated document creation, filing, collaboration, and approval.
- Robotic process automation (RPA) and artificial intelligence (AI) capabilities to accelerate the delivery of services.
- Low-code data capabilities that automatically integrate data from anywhere.
The Appian solution guides program staff through the requirements process for an acquisition package that needs fewer revisions and is immediately actionable by the contracting team. Requirements Management makes sure that requirements fully comply with the FAR/DFARS, agency supplements, and agency policies.
The solution submits the requirements package for review and sends the package to the correct contracting group. Contracting staff are guided through the steps, documents, and approvals needed for acquisition requirements to ensure on-time delivery.
Contracting staff collaborate on the requirements package to ensure all tasks, checklists, and approvals are completed by team members in a timely manner. Requirements Management provides a document management framework that quickly creates documents and forms. Each acquisition process step is recorded and reportable to identify inefficiencies and help organizations better plan and forecast acquisition throughput and workload required to meet program needs.
The solution provides status updates, alerts, reports on how long each step is taking, and Procurement Action Lead Time (PALT). It also provides a single view of acquisition, program, and financial data that increases productivity and improves program outcomes. Users view documents, tasks, correspondence, and metrics from a single dashboard—eliminating the need for users to open multiple applications and windows.
Defined business roles and workflows ensure staff perform their actions in a consistent manner and only access the items they have permission to view. From their dashboard, managers can track department performance, monitor all acquisition activities, and prioritize or reassign assignments based on backlog and workload, supported by real-time reporting and analytics.
Appian Requirements Management leads to better acquisition outcomes by:
- Increasing staff productivity and reducing costs by following proven federal acquisition best practices.
- Optimizing federal acquisition processes and reducing PALT.
- Evaluating acquisition processes to identify and resolve bottlenecks and inefficiencies.
- Improving collaboration between program teams and contracting officers.
- Tracking all requirements as they progress through acquisition phases.
The Appian solution eliminates the need to move data and provides zero-code application integration. Requirements Management integrates with other systems that use the Purchase Request Data Standard (PRDS) and any other data standard.
Appian is also integrated with federal financial systems such as SAM.gov, PSCTool.us, and USASpending.gov. The platform allows agencies to leverage current IT investments and extend the capabilities of their legacy systems.
With Appian, you can leave your data where it belongs. The platform allows customers to tap into any data repository without forcing the import of data into the application environment. This provides no-code integration with databases, web services, and applications, such as DocuSign, Office 365, SharePoint, Oracle, and SAP.
Appian allows agencies to deploy secure, scalable, seamless applications in an IL5 cloud, with full mobile and offline capabilities. That means government employees can perform all contract management and requirements management functions from any location with Appian mobile apps. Acquisition and program executives have complete, secure access to procurement information and activity status—anytime, anywhere.
Appian Government Cloud’s Security Features
For years, doing business with the DoD has meant putting substantial time and effort into navigating hosting in its highly regulated network. Securing the cloud should not dominate conversations and outweigh discussion about mission.
Before Appian Government Cloud (AGC), DoD customers had to wait to leverage their Appian solutions as they went through a lengthy authorization process to make sure the applications and their underlying infrastructure were secure. With AGC, the go-live timeline is accelerated, and as a result DoD customers can focus more on their mission knowing that Appian has done the heavy lifting by pre-authorizing a significant portion of the system.
AGC resides in a virtual private cloud (VPC) within AWS GovCloud (US) IL5, utilizing Federal Information Processing Standards (FIPS)-validated GovCloud endpoints.
The AGC accreditation boundary consists of management services (powered by SMX Cloud Assured Managed Services) and each customer's Appian instances in AWS GovCloud (US). It's a three-tier application made up of redundant web servers, application servers, and databases.
The AGC architecture is segmented within separate, non-routable-by-default VPCs. The AGC customer environments are built in single-tenant VPCs, and clients do not share VPCs, meta structure accounts (AWS accounts), cloud-native compute, storage, databases, or network instances.
Figure 1 – Appian Government Cloud architecture on AWS.
AGC runs on AWS GovCloud (US) and delivers dedicated, single-tenant environments (development, test, and production) to each customer. It follows a private cloud deployment model where cloud services and infrastructure are dedicated solely to a specific organization or agency.
AGC and mission owners share responsibility over security controls. The full list of security controls covered under the AGC provisional authorization can be found in the AGC Customer Responsibility Matrix (available by request via email@example.com).
The controls covered under the provisional authorization establish an in-depth architecture for securing the low-code platform. They cover critical components such as physical security, disaster recovery, media protection, infrastructure patching, data protection, and continuous monitoring. AGC operates these controls at different architecture layers (including physical, network, transport, and session layers) to provide a fault tolerant environment and an enhanced security posture.
AGC architecture reduces the operational burden for DoD mission owners and provides a secure enclave for mission-critical applications. AGC architecture can be reused across DoD agencies to save time, money, and resources, and to allow agencies to more intently focus on their operating mission.
How it Works
Once a customer purchases Appian Government Cloud, the Appian team works to stand up the environments needed. Depending on the application(s) being designed, Appian works with the customer to properly size the infrastructure (all included in the Appian licensing model) and configure according to IL4 or IL5 standards, depending on customer needs.
Each environment is isolated in its own VPC, set up under an AWS GovCloud (US) account that is specific to that customer. Once the customer instance is ready for use, the customer is free to develop their applications and perform the last mile of connecting their AGC customer environment to the DoD network.
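The isolation properties stated above (one VPC per environment, VPCs that are non-routable to each other by default, everything inside a customer-specific AWS GovCloud (US) account) are the kind of claim a mission owner's assessor will want to verify rather than take on faith. The following is an added example, not Appian or SMX code: a small audit routine that takes data in the shape of the EC2 DescribeVpcs, DescribeRouteTables and DescribeVpcPeeringConnections responses and reports any peering connection or route that would let one environment reach another. The VPC IDs, CIDRs and the `env` tag convention are hypothetical, and the sample data is constructed inline so the check runs offline; in practice the same dicts would come from boto3 calls against the customer account.

```python
"""Isolation audit for a per-customer AWS GovCloud (US) account: one VPC per
environment (dev/test/prod), no peering between them, and no route table entry
that reaches another environment's CIDR. Added example, not Appian/SMX code;
the data shape mirrors the EC2 Describe* APIs, but every value is constructed
and the IDs, CIDRs and tag key are hypothetical."""
from ipaddress import ip_network

EXPECTED_ENVS = ("dev", "test", "prod")
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def sample_account(peered=False):
    """Constructed sample data for one customer account. peered=True injects
    the drift a defender wants caught: an active peering connection from the
    test VPC to the prod VPC plus the route that makes it usable."""
    vpcs = [("vpc-dev", "10.10.0.0/16", "dev"),
            ("vpc-test", "10.20.0.0/16", "test"),
            ("vpc-prod", "10.30.0.0/16", "prod")]
    acct = {
        "Vpcs": [{"VpcId": vid, "CidrBlock": cidr,
                  "Tags": [{"Key": "env", "Value": env}]} for vid, cidr, env in vpcs],
        # Only the implicit local route in each table: nothing leaves the VPC
        # except through the customer's SCCA, which is outside this data.
        "RouteTables": [{"VpcId": vid,
                         "Routes": [{"DestinationCidrBlock": cidr, "GatewayId": "local"}]}
                        for vid, cidr, _ in vpcs],
        "VpcPeeringConnections": [],
    }
    if peered:
        acct["VpcPeeringConnections"].append({
            "VpcPeeringConnectionId": "pcx-drift",
            "RequesterVpcInfo": {"VpcId": vpcs[1][0]},
            "AccepterVpcInfo": {"VpcId": vpcs[2][0]},
            "Status": {"Code": "active"}})
        acct["RouteTables"][1]["Routes"].append({
            "DestinationCidrBlock": vpcs[2][1],
            "VpcPeeringConnectionId": "pcx-drift"})
    return acct


def env_tag(vpc):
    """Environment label carried on the VPC (hypothetical 'env' tag key)."""
    return next((t["Value"] for t in vpc.get("Tags", []) if t["Key"] == "env"), None)


def audit_isolation(account):
    """Return a list of findings; an empty list means the account matches the
    single-tenant, non-routable-by-default layout."""
    findings = []
    cidr_by_vpc = {v["VpcId"]: ip_network(v["CidrBlock"]) for v in account["Vpcs"]}

    # 1. Exactly one VPC per environment, and every VPC labelled.
    vpc_for_env = {}
    for vpc in account["Vpcs"]:
        env = env_tag(vpc)
        if env is None:
            findings.append(f"{vpc['VpcId']}: missing env tag")
        elif env in vpc_for_env:
            findings.append(f"{vpc['VpcId']}: second VPC for env '{env}' (also {vpc_for_env[env]})")
        else:
            vpc_for_env[env] = vpc["VpcId"]
    for env in EXPECTED_ENVS:
        if env not in vpc_for_env:
            findings.append(f"no VPC for env '{env}'")

    # 2. No live peering connection touching any environment VPC.
    for pcx in account.get("VpcPeeringConnections", []):
        if pcx["Status"]["Code"] in ("active", "pending-acceptance", "provisioning"):
            findings.append(f"{pcx['VpcPeeringConnectionId']}: peering "
                            f"{pcx['RequesterVpcInfo']['VpcId']} <-> {pcx['AccepterVpcInfo']['VpcId']}")

    # 3. No route (other than the default route, which the SCCA is expected to
    #    front) whose destination overlaps another environment's CIDR.
    for table in account.get("RouteTables", []):
        for route in table["Routes"]:
            dest = route.get("DestinationCidrBlock")
            if dest is None or dest in DEFAULT_ROUTES:
                continue
            dest_net = ip_network(dest)
            for other_id, other_cidr in cidr_by_vpc.items():
                if other_id != table["VpcId"] and dest_net.overlaps(other_cidr):
                    findings.append(f"{table['VpcId']}: route to {dest} reaches {other_id}")
    return findings


if __name__ == "__main__":
    for finding in audit_isolation(sample_account(peered=True)):
        print(finding)
```

Run stand-alone, the script reports the injected peering connection and the test-to-prod route; against the clean sample it reports nothing. The default route is deliberately excluded from the overlap check, because egress toward the DoDIN goes through the customer's SCCA and is that stack's job to filter, so the audit is looking only for routes that short-circuit the per-environment boundary.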
The unified Appian low-code platform and SMX Cloud Assured Managed Services meet the requirements of IL5 and class-leading service-level agreements (SLAs).
AGC, utilizing SMX Cloud Assured Managed Services, includes the following services:
- High availability for the production environment.
- Five-minute recovery time objective (RTO) and 15-minute recovery point objective (RPO) service levels.
- Log streaming.
- 24x7x365 support for priority 1 and 2 cases.
- Dedicated VPC.
The customer is responsible for the Secure Cloud Computing Architecture (SCCA), which has the following four components:
- Boundary Cloud Access Point (BCAP).
- Virtual Datacenter Security Stack (VDSS).
- Virtual Datacenter Managed Services (VDMS).
- Trusted Cloud Credential Manager (TCCM).
Appian meets many of the SCCA functional requirements, but there are shared and customer responsibilities that are detailed in the system security plan (SSP). Combine AGC with your SCCA’s resources, an identity provider for DoD Common Access Card (CAC) integration such as GFUD, and your DoD-approved cybersecurity service provider (CSSP), and you’ll be off and running with your Appian development team to deliver on your mission.
Figure 2 – Appian Government Cloud platform architecture.
As shown above, Appian Government Cloud features include:
- Built on top of the AGC management plane (1).
- Each customer gets their own AWS GovCloud (US) account for which Appian environments are created (2).
- Dev/test/prod each in their own VPC (3).
- Each VPC is connected through your provided SCCA (4) to the DoD Information Network (DoDIN) (5).
The architecture leverages multiple AWS Availability Zones (AZs), which addresses load balancing as well as high availability. It includes redundant Unified Threat Management (UTM), remote desktop (RD) gateways supporting the multi-factor authentication (MFA) solution, Active Directory Federation Service (ADFS), domain controllers, ELK stack, Trend Micro Deep Security Manager, certificate authority (CA) servers, YubiKey Server for Hard Token MFA, Nessus, and databases that support Data Server Manager (DSM).
In addition, automation is supported via Jenkins and an in-house tool, Opterra, that leverages Terraform for infrastructure as code (IaC) deployment to deliver a pre-approved AGC solution templated customer platform.
The Appian environment runs in separate VPCs for each operating environment. Within the boundary, secure workspaces are used for the management plane within the environment. Managed services personnel are authenticated into the environment via a remote gateway solution into the workspaces. The workspaces provide the DoD standards required to access and manage the systems in the environment.
For the vast majority of services in this management stack, AGC uses AWS services that are in scope at the IL5 level, which establishes a more secure baseline for the environment. The same managed service stack supports multiple customers with these functions; because Appian reaches each customer environment through dedicated endpoints, this shared stack poses no additional risk to existing customers.
SMX Cloud Assured Managed Services deliver a majority of the DoD IL5 technical and non-technical controls, minimizing the customer responsibility burden due to SMX’s accreditation to support the environment and deploy the AGC solution within the constraints of the Provisional Authority to Operate (PATO).
Major components of the Appian low-code solution include:
- Remote gateway solution – performs three key boundary translations:
  - Credential – from PKI smartcard to Kerberos token.
  - Protocol – from HTTP to RDP.
  - Port – from 443 to 3389.
- CA servers leveraged to verify access.
- User prompted for YubiKey PIN.
- Provides access to Amazon WorkSpaces, a virtual desktop infrastructure (VDI)-based solution; the hardware token is mapped to a username and password to accomplish the WorkSpaces login.
- Specific STIG compliance and elevated logging are applied at the WorkSpaces level, which is within the accreditation boundary.
- Solution provides a hardware-based FIPS 140-2 compliant MFA solution.
- Endpoints provide a unique, dedicated, secure way to pass management functions to customer environments without opening access and vulnerable points in traditional routing.
- AWS cloud-native services for vulnerability scanning, patch management, backup, session access, security log lake, AWS Lambda-based alerting, and change detection notification.
- ServiceNow integration for automatic ticket generation.
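The list above mentions AWS Lambda-based alerting and change detection notification without saying what such a function looks like. As an added example that is not Appian or SMX code, here is a handler for the standard EventBridge wrapper around a CloudTrail record (the "AWS API Call via CloudTrail" event shape) that flags EC2 calls capable of altering the single-tenant isolation the post describes, such as creating a VPC peering connection or adding a route. The watch list and severities are a hypothetical policy, the account ID, ARN, IP and VPC IDs in the sample event are placeholders, and the real notification step (SNS, or the ServiceNow ticket the list mentions) is replaced by an injectable `notify` callable so the handler runs offline.

```python
"""Change-detection handler for Lambda-based alerting. Consumes an EventBridge
event wrapping a CloudTrail record and raises an alert when the API call
touches something the per-customer VPC isolation depends on. Added example,
not Appian/SMX code; watch list, severities and sample events are hypothetical."""
import json

# EC2 calls that change the isolation boundary, with the severity an analyst
# would triage them at. Hypothetical policy, not a published AGC list.
WATCHED_CALLS = {
    "CreateVpcPeeringConnection": "high",
    "AcceptVpcPeeringConnection": "high",
    "DeleteVpc": "high",
    "CreateRoute": "medium",
    "ReplaceRoute": "medium",
    "AuthorizeSecurityGroupIngress": "medium",
    "CreateVpc": "low",
}


def classify(event):
    """Return an alert dict for a watched change, or None if the event is noise."""
    if event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name not in WATCHED_CALLS:
        return None
    # A call that CloudTrail recorded as denied still matters (someone tried),
    # but it is triaged at low severity rather than as a live boundary change.
    severity = "low" if detail.get("errorCode") else WATCHED_CALLS[name]
    return {
        "severity": severity,
        "eventName": name,
        "account": event.get("account"),
        "region": event.get("region"),
        "actor": detail.get("userIdentity", {}).get("arn", "unknown"),
        "sourceIp": detail.get("sourceIPAddress"),
        "params": detail.get("requestParameters", {}),
        "errorCode": detail.get("errorCode"),
    }


def lambda_handler(event, context, notify=None):
    """AWS Lambda entry point. notify(alert) is invoked for each alert; in
    production it would publish to SNS or open a ServiceNow ticket."""
    alert = classify(event)
    if alert is not None:
        if notify is None:
            notify = lambda a: print(json.dumps(a, indent=2))  # stand-alone fallback
        notify(alert)
    return {"alerted": alert is not None, "alert": alert}


# Constructed sample events in EventBridge's CloudTrail wrapper shape; the
# account ID, ARN, IP and VPC IDs are placeholders.
SAMPLE_PEERING_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "000000000000",
    "region": "us-gov-west-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "CreateVpcPeeringConnection",
        "userIdentity": {"arn": "arn:aws-us-gov:iam::000000000000:user/example-admin"},
        "sourceIPAddress": "192.0.2.10",
        "requestParameters": {"vpcId": "vpc-test", "peerVpcId": "vpc-prod"},
    },
}

SAMPLE_NOISE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "detail": {"eventName": "DescribeInstances",
               "userIdentity": {"arn": "arn:aws-us-gov:iam::000000000000:role/reader"}},
}

if __name__ == "__main__":
    lambda_handler(SAMPLE_PEERING_EVENT, None)
```

Keeping `classify` separate from the Lambda entry point is what makes the rule testable without deploying it, and the `notify` injection means the same function can feed SNS, a ServiceNow ticket, or a test double. Denied calls are kept rather than dropped: an attempted peering change inside a single-tenant account is exactly the signal a 24x7 monitoring team wants in its queue, just at a lower priority than one that succeeded.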
Low-code is playing a critical role in helping businesses and organizations become future-proof. Low-code equals high speed, and this speed is what's needed to keep up with the pace of innovation along with the mandate to do more with less. By leveraging the Appian low-code platform, government agencies can discover, design, and automate mission-critical enterprise applications.
With Appian Government Cloud, AWS, SMX, and Appian come together to accelerate agency security authorizations, or Authority to Operate (ATO). Bringing the power of low-code to the DoD, its mission owners, and their domains means reducing time spent on manual tasks and increasing security. Through a shared responsibility model, AGC helps IT practitioners build, deploy, and manage their IL5-compliant cloud applications with confidence.
Appian customer success and development teams can lead application design and deployments and provide the expertise needed to rapidly achieve ATO.
To go deeper, download the Appian Government Cloud Security and Availability whitepaper, or find out more about SMX Cloud Assured Managed Services.