2023

Using Innovative Documentation-as-Code Approach for the Georgia Department of Human Services System Security Plan

Learn how the State of Georgia Department of Human Services (GA DHS) piloted a new documentation-as-code approach to developing and maintaining its System Security Plan (SSP) securely and collaboratively.

Aligns with NIST SP 800-171 Revision 2 standards

Maps 110 NIST security controls to AWS infrastructure and application

16 weeks to complete the system security plan instead of an average of 6 months

Reduction of errors in SSPs by enabling audit and version control

Overview

The Georgia Department of Human Services (DHS) piloted an innovative documentation-as-code approach to developing and maintaining its system security plan (SSP) and related security documentation, such as policies, procedures, and standards, for the AWS-based Document Imaging System (DIS). The state worked alongside AWS Professional Services to use GitLab as the version-controlled repository for the SSP and for tracking the security controls required to meet federal compliance requirements. The DIS application uses over 30 AWS services, including Amazon CloudWatch and AWS CloudTrail. The SSP documentation tracks the 110 security requirements of NIST SP 800-171 Revision 2, grouped into 14 control families, which protect controlled unclassified information (CUI) in nonfederal systems and organizations.

Like many state agencies, the Georgia Department of Human Services handles controlled unclassified information (CUI) that requires compliance with stringent federal security controls. For certain applications, DHS has to prepare a system security plan (SSP), a document that demonstrates specifically how the application meets security requirements for CUI. DHS had been creating its SSPs using static Word documents or PDFs, a laborious process that took an average of 6 months to document changes and updates.

DHS had been migrating its on-premises applications to Amazon Web Services (AWS) as part of a large state cloud-transformation initiative. Working alongside AWS Professional Services, which helps organizations to achieve their desired business outcomes using AWS, DHS developed an innovative documentation-as-code approach to creating SSPs. The strategy provides full traceability for changes, eases collaboration, and provides a repeatable framework for other agencies as they create and maintain similar documentation.


“This engagement with AWS is a testimony to our partnership and collaboration to drive successful business outcomes for our agency’s mission. I would like to thank the AWS team for providing technical knowledge, the right resources, and innovative technology to develop the DIS SSP and meet our security and compliance requirements.”

Sreeji Vijayan
CIO Georgia DHS and Deputy Commissioner, Office of Information Technology

Opportunity | Collaborating with AWS Professional Services Team to Innovate the Creation of SSPs for Georgia DHS

The state of Georgia had launched a large-scale digital transformation in 2020, and the migration of on-premises applications to the cloud required updated SSPs. One such application was DHS’s Document Imaging System (DIS), which converts paper records to electronic files. DHS built DIS, which went live in April 2022, on more than 30 AWS services, and the architecture lends itself to a straightforward workflow for documenting and tracking security controls. For example, its logging and monitoring layer relies on Amazon CloudWatch, which collects and visualizes near-real-time logs, metrics, and event data in automated dashboards to streamline infrastructure and application maintenance.

DIS uses AWS CloudTrail to monitor and record account activity across the AWS infrastructure, giving organizations control over storage, analysis, and remediation actions. It also monitors the security of the overall architecture using AWS Config, which continually assesses, audits, and evaluates the configurations and relationships of an organization’s resources on AWS, on premises, and on other clouds.

A special publication by the National Institute of Standards and Technology (NIST), NIST SP 800-171, details the complex requirements for handling CUI, including the mandate that organizations provide an SSP to show how they are complying. “Sometimes a federal partner provides you with a template that’s a locked document or spreadsheet, and you have to find ways to share that document or move it around to get the inputs that you need,” says Shirlan Johnson, DHS’s chief information security officer. “Writing these collaborative documents can be quite a daunting activity.”

In July 2022, DHS hired a new assistant deputy commissioner, Christopher Apsey, who recognized the cloud migration initiative as an opportunity to change how DHS generates SSPs. Apsey suggested that the agency implement an innovative strategy that he had developed while in the US Army’s Cyber Center of Excellence. “The underlying thought was rather than email a Word document back and forth, like how most documents are written in a business setting, let’s instead apply software development methods,” Apsey says. “It did change the scope of the project, and we hadn’t planned for it. The team, led by Rajeev Shirguppi as the ProServe Engagement Manager, was eager and willing to try something different.”


“AWS was instrumental in helping the SSP writers. They were very involved in technical debugging at the onset, so we could make the process as seamless as possible.”

Christopher Apsey
Assistant Deputy Commissioner, DHS

Solution | Creating Visibility into 118 Issues and 37 Merge Requests in SSP Creation

In late 2022, the DHS security team, the DIS application team, and AWS Professional Services began working on the SSP using the new methodology. The teams had just 16 weeks to create the SSP because DIS had already been deployed to the cloud. “AWS Professional Services was instrumental in helping the SSP writers,” says Apsey. “They were very involved in technical debugging at the onset, so we could make the process as seamless as possible.”

Together, DHS and AWS Professional Services carefully reviewed each of the 110 controls within the 14 control families, such as access control and incident response, detailed in NIST SP 800-171. The teams mapped each requirement to the DIS architecture built on AWS. To write the SSP, the teams used AsciiDoc, a lightweight plain-text markup language that can be converted into many output formats, such as HTML and PDF. They kept the AsciiDoc source in GitLab, a DevOps platform built around Git repositories. DHS created a user interface that presents the SSP in a web format for nontechnical users. “This innovative approach is similar to version control in software development, in terms of the speed at which code is normally developed and changes are documented and tracked,” says Johnson. “If we can bring this approach into the SSP world, we will improve how quickly things can be updated and tracked by orders of magnitude compared with the traditional way it’s been done.”

To update and change the SSP, DHS uses GitLab Flow, a branch-based workflow in which changes are made on a branch and merged through a reviewed merge request instead of editing the main document directly. Only authorized personnel can write, review, or approve changes. “Because it’s a security document, audit trails are important,” says Apsey. “The document updates dynamically as changes are made. You can see who made a change, why they made it, when it was made, and everyone who approved the change inherently in the protocol.” As part of the documentation-as-code project, the team collaborated on 118 issues and 37 merge requests in the GitLab repository for the SSP document to provide revision history and tracking. “An SSP is a living document,” says Johnson. “There is that initial uplift of creating it, but that is not the final destination. It has to be continually updated for the life cycle of the particular system that the document represents.”
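One practical payoff of keeping an SSP as plain-text source under version control is that coverage of the control catalog can be checked automatically on every merge request, so a control that is dropped, duplicated, mistyped, or left without an implementation statement blocks the merge rather than surfacing during an audit. The following check is an added example and is not code from the GA DHS project; it assumes a hypothetical convention of one AsciiDoc section per NIST SP 800-171 requirement, titled with the requirement number, with a "Status:" line and an "Implementation:" paragraph. The control list and SSP excerpt are constructed samples, and the CI wiring (running the script as a merge-request job) is an assumption.

```python
"""Control-coverage check for an AsciiDoc SSP kept in a Git repository.

Added example, not code from the GA DHS project. Assumes one AsciiDoc
section per NIST SP 800-171 requirement, titled "== 3.x.y <title>", with
a "Status:" line and an "Implementation:" paragraph (hypothetical
convention). CATALOG and SAMPLE_SSP below are constructed samples.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Constructed subset of NIST SP 800-171 Rev 2 requirement identifiers; the real
# catalog has 110 across 14 families and would live in its own versioned file.
CATALOG = ["3.1.1", "3.1.2", "3.3.1", "3.6.1", "3.6.2"]

# Constructed SSP excerpt: 3.6.1 is absent, 3.6.2 has an empty statement,
# and 3.9.9 is a mistyped identifier that is not in the catalog.
SAMPLE_SSP = """\
= Document Imaging System (DIS) System Security Plan
:revnumber: 1.3

== 3.1.1 Limit system access to authorized users, processes, and devices
Status: Implemented
Implementation: Constructed sample text: access is granted only through
named IAM roles; no long-lived user access keys exist.

== 3.1.2 Limit system access to the transactions and functions authorized users may execute
Status: Implemented
Implementation: Constructed sample text: least-privilege IAM policies per role.

== 3.3.1 Create and retain system audit logs and records
Status: Implemented
Implementation: Constructed sample text: a CloudTrail trail is delivered to a
write-once S3 bucket; CloudWatch Logs retention is set on every log group.

== 3.6.2 Track, document, and report incidents
Status: Implemented
Implementation:

== 3.9.9 Constructed stray section with a mistyped identifier
Status: Implemented
Implementation: Constructed sample text.
"""

SECTION_RE = re.compile(r"^==\s+(\d+\.\d+\.\d+)\s+(.+?)\s*$")
STATUS_RE = re.compile(r"^Status:\s*(\S.*)$")
IMPL_RE = re.compile(r"^Implementation:\s*(.*)$")


@dataclass
class Control:
    cid: str
    title: str
    status: str = ""
    implementation: str = ""


@dataclass
class Report:
    missing: list[str] = field(default_factory=list)       # in catalog, no section
    unknown: list[str] = field(default_factory=list)       # section, not in catalog
    duplicated: list[str] = field(default_factory=list)    # same id documented twice
    no_statement: list[str] = field(default_factory=list)  # empty Implementation

    def ok(self) -> bool:
        return not (self.missing or self.unknown or self.duplicated or self.no_statement)


def _key(cid: str) -> tuple[int, ...]:
    """Numeric sort so 3.10.1 sorts after 3.9.2 rather than before 3.2.1."""
    return tuple(int(p) for p in cid.split("."))


def parse_controls(text: str) -> list[Control]:
    """Walk the AsciiDoc source and collect one Control per requirement section."""
    controls: list[Control] = []
    current: Control | None = None
    in_impl = False  # True while reading continuation lines of an Implementation paragraph
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = Control(cid=m.group(1), title=m.group(2))
            controls.append(current)
            in_impl = False
            continue
        if current is None:
            continue  # front matter before the first control section
        if not line.strip():
            in_impl = False  # blank line ends the Implementation paragraph
            continue
        m = STATUS_RE.match(line)
        if m:
            current.status = m.group(1).strip()
            in_impl = False
            continue
        m = IMPL_RE.match(line)
        if m:
            current.implementation = m.group(1).strip()
            in_impl = True
            continue
        if in_impl:
            current.implementation = (current.implementation + " " + line.strip()).strip()
    return controls


def check_ssp(text: str, catalog: list[str]) -> Report:
    """Compare the documented sections against the control catalog."""
    report = Report()
    seen: dict[str, Control] = {}
    for c in parse_controls(text):
        if c.cid in seen:
            report.duplicated.append(c.cid)
        seen[c.cid] = c
    wanted = set(catalog)
    report.missing = sorted(wanted - set(seen), key=_key)
    report.unknown = sorted(set(seen) - wanted, key=_key)
    report.no_statement = sorted(
        (cid for cid, c in seen.items()
         if cid in wanted and c.status.lower() != "not applicable" and not c.implementation),
        key=_key,
    )
    return report


def main() -> int:
    """Print findings and return a non-zero exit code so a CI job fails the merge request."""
    report = check_ssp(SAMPLE_SSP, CATALOG)
    for label, items in (("missing control", report.missing),
                         ("identifier not in catalog", report.unknown),
                         ("duplicated control", report.duplicated),
                         ("empty implementation statement", report.no_statement)):
        for cid in items:
            print(f"{label}: {cid}")
    print("SSP coverage check", "passed" if report.ok() else "FAILED")
    return 0 if report.ok() else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run against the constructed sample, the check reports 3.6.1 as missing, 3.9.9 as an identifier not in the catalog, and 3.6.2 as having an empty implementation statement, and exits non-zero. In a repository that follows the convention assumed here, the same script would run as a merge-request job alongside the AsciiDoc-to-HTML/PDF build, so that a reviewer approving a change also gets a machine check that the 110-control catalog is still fully covered.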

Outcome | Replicating the Documentation-as-Code Approach across Other Agencies

DHS expects that other state agencies in Georgia and across the country will replicate its documentation-as-code approach. The agency plans to provide federal regulators with near-real-time access to its SSPs rather than having to send a copy of an SSP every quarter, although the option exists to output the SSP as a PDF. “There are opportunities down the road to make our SSPs a much more dynamic living document, not just for the teams who have to maintain it but also for those who need to verify it,” says Johnson. “AWS Professional Services really did an awesome job on this project, coming in cold, jumping into something new, and helping us to deliver a great product.”

About the State of Georgia Department of Human Services

The Georgia Department of Human Services delivers human services programs to more than two million Georgia residents through mission-critical systems, including integrated eligibility, child welfare, and a document imaging system.

AWS Services Used

Amazon CloudWatch

Observe and monitor resources and applications on AWS, on premises, and on other clouds.

AWS CloudTrail

Track user activity and API usage on AWS and in hybrid and multicloud environments.

AWS Config

Assess, audit, and evaluate configurations of your resources.

AWS Professional Services

Helping you achieve your desired business outcomes with AWS.
