AWS Public Sector Blog
Assurance for government digital services on AWS GovCloud with Cisco ThousandEyes for Government
As government agencies modernize their infrastructure and deploy on AWS GovCloud (US) Regions, they face a fundamental challenge in maintaining visibility and performance across the entire user-to-application journey. Digital services have evolved beyond centralized locations to enable flexible, scalable operations that better serve citizens and support remote work capabilities. Applications are now distributed across both cloud and on-premises infrastructure, while users connect from offices, homes, and mobile devices.
When citizens use government websites or staff connect to business-critical applications, these interactions travel through multiple networks, internet service providers (ISPs), content delivery networks (CDNs), and third-party services that agencies don’t directly control. When connectivity problems arise, the root cause could be anywhere along this complex path. Yet government IT teams remain responsible for quickly diagnosing and resolving these issues across both the owned and unowned parts of the digital supply chain.
Cisco ThousandEyes for Government is a network intelligence platform, hosted on AWS GovCloud (US), that is in process for the Federal Risk and Authorization Management Program (FedRAMP) Moderate authorization. It will give government organizations a unified view of network paths, application performance, and service dependencies. By correlating network conditions, cloud architecture, and external factors, the platform will help teams identify and resolve performance issues across hybrid and cloud environments—saving time and effort for internal and external IT staff support.
ThousandEyes expects to obtain agency authorization for ThousandEyes for Government (FedRAMP Moderate) and to make the service generally available in March 2026 on the AWS Marketplace, streamlining procurement and deployment for government agencies.
Connecting users to AWS GovCloud (US) applications
Public and private applications hosted on AWS GovCloud (US) can serve internal government employees and external citizens. Monitoring user experiences is critical in both cases, whether it’s a citizen portal for emergency services or mission-critical applications supporting justice, public safety, transportation, and social services. Performance issues can disrupt operations, delay service delivery, and erode public trust.
Connectivity to AWS GovCloud (US) falls into two categories: public and private. Public connectivity uses internet transport through direct internet access or VPN solutions such as Cisco VPNs or AWS Site-to-Site VPN, which also relies on the internet. Private connectivity typically involves AWS Direct Connect for dedicated network connections to AWS.
Public connectivity relies on the internet, which is an extensive and unpredictable network of thousands of independently managed service providers. Service outages could disrupt access to critical AWS GovCloud (US) hosted applications, causing users to experience degradation from packet loss and TCP retransmissions. Although agencies might not control the end-to-end path from users to their AWS GovCloud (US) applications, they remain responsible for ensuring reliable service delivery to citizens and employees. Without deep visibility, identifying and resolving the root causes could become extremely difficult.
Enterprise Agent deployment and monitoring
ThousandEyes uses three agent types for network visibility—Enterprise Agents [1], Endpoint Agents [1], and Cloud Agents [2]—to provide visibility across cloud, data center, and end user environments.
Enterprise Agents are lightweight software-based agents that can be deployed by agencies in their data centers, branch offices, or directly on Amazon Elastic Compute Cloud (Amazon EC2) instances within the AWS GovCloud (US) virtual private clouds (VPCs). They perform continuous proactive bidirectional monitoring, sending and receiving test traffic to measure latency, packet loss, jitter, and throughput in both directions.
When deployed on EC2 instances in AWS GovCloud (US), these agents can continually monitor connectivity across both public internet paths—such as citizens accessing services through their ISPs—and private connections such as AWS Direct Connect. For example, an Enterprise Agent running on a government field office server can test the network path to another agent running on an EC2 instance in AWS GovCloud (US). This agent-to-agent bidirectional testing helps identify whether performance issues stem from the local government network, ISP infrastructure, AWS Direct Connect circuits, or within AWS GovCloud (US) itself.
The following diagram shows the solution architecture with agent-to-agent and agent-to-service testing.
Beyond bidirectional agent-to-agent tests, Enterprise Agents can run agent-to-server tests to monitor one-way performance toward a target service—useful for AWS Managed Services, such as Amazon API Gateway endpoints, Amazon Simple Storage Service (Amazon S3) buckets, and load balancers through Elastic Load Balancing.
Monitoring AWS GovCloud (US) services and dependencies
Cisco ThousandEyes for Government will continuously monitor from Layer 3 through Layer 7, providing visibility from basic IP connectivity (Layer 3) up through application performance (Layer 7). This unified view can help government IT teams correlate network-level issues with application performance so they can understand how underlying network issues cause slow service or disrupt employee and citizen-facing services.
The platform automatically maps both underlay paths (the physical network infrastructure such as routers and switches) and overlay paths (virtualized network layers such as VPCs and subnets within AWS). In AWS GovCloud (US), the platform delivers insight into how traffic moves between Availability Zones, across Amazon Virtual Private Cloud (Amazon VPC) peering connections, and through AWS Transit Gateway and AWS Cloud WAN.
The screenshot below shows the Layer 7 performance dashboard, which makes day-to-day operations much easier by consolidating your application metrics, traffic patterns, and performance trends into a single view.
The following network map visualizes BGP (Border Gateway Protocol) routing paths at Layer 3, showing how traffic flows between different autonomous systems and network endpoints.
Cisco ThousandEyes for Government correlates critical dependencies that government applications rely on, including DNS resolution chains (how domain names are translated to IP addresses), CDNs, and DDoS protection services. It also monitors BGP routing, which directs internet traffic between networks worldwide. When BGP routing changes occur—whether due to ISP maintenance, network failures, or malicious route hijacking—ThousandEyes for Government quickly identifies how connectivity to AWS GovCloud (US) Regions is affected.
Real-time visibility and incident response
Cisco ThousandEyes for Government provides hop-by-hop path visualization that maps each network device and connection between users and AWS GovCloud (US) applications. This visualization capability is vital for government IT teams because it shows the sequence of routers, switches, and network segments that data packets traverse, including infrastructure owned by ISPs, cloud providers, and third-party services outside agency control.
The path visualization displays real-time performance metrics for each network hop, including latency introduced at each point, packet loss percentages, and network utilization levels. When citizens experience slow load times accessing a benefits portal hosted on AWS GovCloud (US), the visualization helps the user quickly pinpoint whether the bottleneck originates with an ISP router experiencing congestion, an overloaded AWS Availability Zone, or within the agency’s own infrastructure. This is illustrated in the following screenshot.
This granular visibility becomes particularly valuable during incidents because government IT teams can quickly determine responsibility and engage the appropriate parties for resolution. If the path visualization shows packet loss occurring at an ISP-owned router, teams can contact that ISP with specific technical details rather than spending time troubleshooting internal systems.
Conclusion: A unified foundation for government services
Cisco ThousandEyes for Government is in process for FedRAMP Moderate authorization. Once authorized, it will be available in the AWS Marketplace, providing agencies with a FedRAMP Moderate authorized network intelligence solution for visibility across their digital supply chain and helping optimize application performance for citizen services.
Learn more about Cisco ThousandEyes for Government by visiting the official webpage. To learn more about Cisco and AWS, visit Cisco Solutions on AWS.
Cisco ThousandEyes for Government and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. The delivery timeline of this product and its features is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver the product or any feature set forth in this document.
1. The Enterprise Agents and Endpoint Agents are customer-deployed agents that facilitate secure data transfer between customer systems and the ThousandEyes for Government environment. These agents have been reviewed and assessed as part of this authorization.
2. Cloud Agents are optional and only enabled if specifically instructed by the customer. Cloud Agents are not included in ThousandEyes’ FedRAMP authorization boundary or assessment. Use of Cloud Agents does not fall under ThousandEyes for Government’s expected authorization and may result in data flows outside the FedRAMP-authorized environment.





