Our client manages the end-to-end lifecycle for visa applications on behalf of governments across the world. Ippon was brought in to modernize the visa application platform to enable scaling for US federal government use. Ippon adapted the application to make it run within AWS GovCloud and be authorized to receive an Authority To Operate (ATO) from the US federal government. Without these changes, the application would not be usable by what would end up being the largest potential customer for our client: the US State Department.
Our client works with governments from around the world to provide visa and consular services on their behalf to travelers and citizens. Their core expertise, built up in visa processing, enables them to apply their secure processing experience to a wide range of government and citizen services, both abroad and in-country. Harnessing new technology, they support governments in their digital transformation, helping to improve efficiency and enhance customer service.
Our client already provides visa application software for several countries in Europe. Ippon France has modernized the application primarily using open source technologies.
Department of State (DoS) requirements for running an application in AWS GovCloud required a multitude of changes to the existing application. The application was deemed to require FedRAMP High security, which required additional changes. Many open source services and libraries are not Federal Information Processing Standards (FIPS)-compliant, which is a FedRAMP requirement. These new security requirements put strict limitations on which encryption libraries could be used.
Refactoring the application required a joint effort between Ippon France and Ippon USA to implement security changes for the non-production environment in a commercial AWS account and the production environment in AWS GovCloud.
The final step before delivering this new application to the United States DoS is to achieve ATO. The application must adhere to a System Security Plan (SSP) and be audited to achieve ATO.
The basic goal was to change the application infrastructure in order for the existing application to run in AWS GovCloud and be FedRAMP High-compliant. Since the product team in France did not have access to AWS GovCloud, they relied heavily on Ippon USA to identify pipeline and deployment issues. That meant the solution itself depended heavily on communication and collaboration.
The first step involved setting up a completely new AWS GovCloud environment. Ippon built this new environment using Infrastructure as Code (IaC) to ensure repeatability and reduce risk. Commercial AWS accounts were also set up to host an offline Root Certificate Authority (CA) for signing certificates and a public hosted zone (since public hosted zones are not allowed in GovCloud). The new environment also required a standalone GitLab and custom images with security software pre-installed.
The most challenging requirement, and the one that demanded the most complex solution, was bringing the application into Federal Information Processing Standards (FIPS) compliance. Dependent systems had to be eliminated in some cases, and commercial versions of open source software were required in others. FIPS mode was turned on for the operating systems and for virtual machines such as the Java Virtual Machine (JVM). The IaC scripts were modified to enable FIPS and switch to FIPS-compliant cryptographic algorithms. The JVM required a special security provider configuration and also had to use an operating-system-specific keystore.
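As an added example (not the client's or Ippon's code), the script below performs the kind of sanity check an operator would run after the IaC has rolled out the JVM security provider configuration described above: it parses the `security.provider.N=` lines of a `java.security` file, verifies that the numbering is contiguous and that the first (highest-priority) provider is one the SSP treats as FIPS-validated, and reads the Linux kernel FIPS flag. The provider names in `FIPS_PROVIDERS`, the sample configuration text and the file path are assumptions constructed for the example; which provider is acceptable depends on the JDK vendor and on the FIPS 140 certificate cited in the SSP.

```python
"""Sanity checks for a JVM FIPS security-provider configuration (added example)."""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Provider entries assumed to be FIPS-validated (assumption; adjust to the JDK
# and the certificate listed in the SSP). For SunPKCS11 the entry is only a FIPS
# provider when its configuration file points at an NSS FIPS token.
FIPS_PROVIDERS = {
    "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider",
    "SunPKCS11",
}

# Constructed sample java.security fragments (not taken from any real deployment).
GOOD_JAVA_SECURITY = """
# constructed example: FIPS provider first, contiguous numbering
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=SUN
security.provider.3=SunRsaSign
"""

BAD_JAVA_SECURITY = """
# constructed example: default JDK provider first and a gap in the numbering
security.provider.1=SUN
security.provider.3=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
"""

PROVIDER_LINE = re.compile(r"^security\.provider\.(\d+)\s*=\s*(\S.*?)\s*$")


def parse_providers(text: str) -> List[Tuple[int, str]]:
    """Return (index, provider entry) pairs in ascending index order.

    Comment lines ('#' or '!') and unrelated keys are ignored; a duplicated
    index is a configuration error, so it raises rather than silently picking one.
    """
    found: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = PROVIDER_LINE.match(line)
        if not match:
            continue
        index = int(match.group(1))
        if index in found:
            raise ValueError(f"duplicate security.provider.{index}")
        found[index] = match.group(2)
    return sorted(found.items())


def check_provider_order(providers: List[Tuple[int, str]],
                         fips_providers=FIPS_PROVIDERS) -> List[str]:
    """Return a list of findings; an empty list means the ordering looks sound."""
    findings: List[str] = []
    if not providers:
        return ["no security.provider.N entries found"]
    indexes = [i for i, _ in providers]
    if indexes != list(range(1, len(indexes) + 1)):
        findings.append(f"provider numbering is not contiguous from 1: {indexes}")
    # Only the first whitespace-separated token is the provider class/name;
    # SunPKCS11 entries carry a config path after it.
    first = providers[0][1].split()[0]
    if first not in fips_providers:
        findings.append(f"first provider {first!r} is not a FIPS-validated provider")
    names = [entry.split()[0] for _, entry in providers]
    if len(set(names)) != len(names):
        findings.append("a provider is listed more than once")
    return findings


def os_fips_enabled(flag_path: str = "/proc/sys/crypto/fips_enabled") -> Optional[bool]:
    """Read the Linux kernel FIPS flag; None when the file is absent (not Linux, or no flag)."""
    path = Path(flag_path)
    if not path.exists():
        return None
    return path.read_text().strip() == "1"


if __name__ == "__main__":
    for label, text in (("good", GOOD_JAVA_SECURITY), ("bad", BAD_JAVA_SECURITY)):
        findings = check_provider_order(parse_providers(text))
        print(f"{label}: {'OK' if not findings else findings}")
    print("kernel FIPS flag:", os_fips_enabled())
```

Run it against a real `java.security` by reading the file into `parse_providers`; treat any finding as a pipeline failure so a misordered provider list cannot reach the GovCloud environment unnoticed.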
Prior to the COVID-19 pandemic, the US government processed more than 9 million non-immigrant visas per year. This application is planned to roll out in US embassies and consulates around the world to eventually handle that demand. Our client is paid to reserve premium appointment slots and expedite shipping. The contract lasts ten years (barring extension) and the development costs will be recovered within a few years.