Microsoft Azure Human Resources Management Enterprise Services Bus (HRMESB) Continuity of Services Support – Cybersecurity and Zero Trust Maturity for the Department of Health and Human Services (HHS)

Task 1: POA&M Resolution Support

Cloud7Works led a methodical resolution effort to address long-standing POA&Ms and enhance HHS’s compliance posture.

Key Outcomes:

  • Assessed and resolved 71 legacy POA&Ms.

  • Developed and executed prioritized remediation plans.

  • Closed critical vulnerabilities.

  • Enabled CSPM capabilities using Microsoft Defender for Cloud, mapped to NIST 800-53 R5 controls.

  • Supported a successful Cyber Security Assessment (CSA) with zero critical or high findings.

  • Closed a low-severity CSA item related to VM hardening and vulnerability auto-remediation.

  • Collaborated with HHS VAPT team for compliance and vulnerability scans.

Task 2: Disaster Recovery Strategy 

Cloud7Works introduced a scalable, resilient disaster recovery architecture leveraging IaC principles.

Actions Taken:

  • Analyzed HHS’s DR region configuration and identified coverage gaps.

  • Delivered and presented a formal Disaster Recovery Plan.

  • Built Terraform configurations enabling toggle-based DR deployment via environment variables.

  • Validated the DR architecture through successful test deployments.

Task 3: Azure API Implementation and Deployment 

A modernized API solution is planned to be deployed to replace legacy VM-based SFTP processes and streamline automation.

Implementation Highlights:

  • Developed a secure API Container App as a modern replacement for VM-based SFTP.

  • Refactored file-watch and transmission logic into dedicated Azure Function Apps, following separation-of-concerns best practices.

  • Integrated CI/CD pipelines using GitHub Actions, with:

      • Pytest for test automation.

      • OWASP ZAP for dynamic application security testing (DAST).

      • SonarQube CE for static application security testing (SAST).

  • Migrated to SFTP on Blob, an Azure-managed service, allowing decommissioning of legacy VMs.

  • Created parameterized Terraform scripts enabling complete Azure infrastructure deployment (HRMESB and SonarQube) in under 60 minutes.

  • Secured Terraform state in Azure Blob Storage via Entra Authentication (no plaintext secrets).

  • Centralized logging and monitoring for all resources via Azure Log Analytics Workspace.

Task 4: Zero Trust Architecture Design

Cloud7Works designed a future-ready Zero Trust roadmap aligned with EO 14028.

Impact Achieved:

  • Delivered a Zero Trust Architecture design projected to increase HHS’s maturity score from 1.53 to 3.00 upon full implementation.

  • Delivered a compliant Zero Trust architecture roadmap aligned with Executive Order 14028 and NIST 800-53 R5.

  • Collaborated with OCIO, VAPT, and the HHS Zero Trust Working Group to harmonize responsibilities and eliminate overlaps across security disciplines.

  • Strengthened access control by assigning a single user-managed identity per environment, replacing subscription-level permissions.

Task 5: Project Management & Reporting 

Agile delivery and disciplined communication were foundational to successful project execution.

Project Oversight:

  • A dedicated Project Manager oversees all planning, risk management, deliverables, and cross-team coordination.

  • Agile methodology is employed to enable incremental development, adaptive planning, and continuous stakeholder feedback.

  • Jira is the system of record for backlog management, sprint tracking, and user story documentation.

  • Agile ceremonies (daily stand-ups, sprint planning, reviews) are held consistently to foster collaboration and rapid issue resolution.

Stakeholder Engagement:

  • Twice-weekly touchpoints with the HHS Point of Contact (POC) to prioritize tasks, review risks, and address blockers.

  • Weekly collaboration meetings with partner teams to align technical and business needs.

Reporting & Compliance:

  • Weekly and monthly reports are delivered, including:

      • Project milestones

      • Risk and issue logs

      • Velocity and productivity metrics

      • Forecasts for upcoming deliverables

  • Reporting ensures transparency and compliance with HHS oversight requirements.