Pentagon Will Move Primary Biometrics Systems to Amazon Cloud


The move means at least two of the government's biggest biometrics databases will live in AWS clouds.

The Defense Department wants to make major improvements to its biometric surveillance capabilities, starting with moving its databases and entire operational system to a cloud environment hosted by Amazon Web Services.

The current Automated Biometric Identification System, or ABIS, environment is split between DOD-owned, on-premise systems and AWS-hosted cloud backups. As part of a new pending solicitation, DOD plans to move the main operational environments to the cloud and begin a set of major capability improvements.

A request for information posted Tuesday to beta.SAM.gov outlines the department’s plans for Biometric Enabling Capability Increment 1, the second phase of a program that got its start in 2007 with Increment 0, which resulted in the launch of ABIS v1.2 in 2014. Since that time, the program has upgraded ABIS to version 1.3 and established plans to expand the system with new capabilities and a cloud architecture that enables global access.

The system contains biometric identifiers—including face, fingerprint, iris and others—on more than 18 million people, most of whom are identified enemy combatants.

“DoD ABIS provides 24/7 operational support enabling time-sensitive missions requiring on-demand biometric identification and identity verification of known and/or suspected threat actors worldwide in support of Joint-All-Domain-Operations and Homeland Defense,” according to the draft performance work statement.

The system is set up to provide biometric authentication and identification to troops throughout the world and connect with databases managed by other federal agencies—such as the Homeland Security Department and FBI—as well as international partners. ABIS is built on common standards used by the Army and the rest of the Defense Department, as well as “industry standards for system development and operational procedures.”

The current system comprises five separate working environments, including on-premise operational and development environments, operational and disaster testing environments and a “fully functional” cloud-based backup operational environment hosted in an AWS cloud.

ABIS v1.3 also has five subsystems: the ABIS Core that manages all workflow throughout the system; the Search Core, a commercial off-the-shelf product by Morpho Biometric Search Services that matches various biometric markers with stored records; the Examination Tools widget where investigators submit and review searches, powered by commercial tools Athena THEMIS and Lakota Software Solutions’ WHORL; the ABIS Portal, the main user interface; and the System Administration Tools used by IT managers to maintain the system.

The contract outlined in the RFI will be built around two deliverables: ongoing operations and maintenance of ABIS and incremental improvements and rapid deployment of new capabilities, including a wholesale move to the cloud.

The operations and maintenance part of the contract will include general upkeep of the existing system, as well as decommissioning the on-premise parts of ABIS v1.3 that will be moving to a cloud environment as part of the first wave of improvements.

While major improvements are covered under the second directive, the contractor will be expected to keep the current capabilities up-to-date, including developing and implementing a technology refresh plan “to prevent obsolescence and keep pace with technological improvements,” according to the performance work statement.

The secondary development process is being organized through three “capability drops,” with the first covered under the pending solicitation, and subsequent drops planned as change orders to the final contract.

“Though similar to traditional program increments, the capability drops will focus on rapid software development and fielding,” with 18-month cycles from development to deployment, the RFI states.

The first capability drop will consist of a number of new features, including automating sharing between ABIS and the intelligence community’s Identity Intelligence Analytic Resource, or I2AR; the ability to send secure messages across the department’s secure network, the Secret Internet Protocol Router Network, or SIPRNet; and upgrading the system architecture to allow the addition of new, improved commercial matching algorithms as they are developed.

DOD also wants to include a new feature that would store and mark results for people denied access to a military facility, so that those results can then be “automatically matched against future submissions” to prevent a persistent adversary from trying multiple locations in search of a weak point.

But the biggest lift will be moving “all on-premise services that support DOD ABIS” to an Impact Level 5-certified cloud environment, namely AWS, and development of a web portal to provide “access to DOD ABIS from anywhere in the world.”

Future capability drops will likely include efforts to integrate facial biometric matching through video surveillance, integrate with DNA databases, incorporate anti-spoofing algorithms and speed the matching process for all biometrics to less than 2 seconds.

While the system is currently known as the Automated Biometric Identification System Version 1.3, or ABIS v1.3, the system owners plan to update the name as part of Increment 1, though what that new designation will be “is undetermined at this time.”

The final contract is expected to run for a one-year base period, with four one-year add-on options.

DOD’s move to place all its biometric data and apps in an AWS cloud environment mirrors that of the Homeland Security Department, which earlier this year started the transition from the largely on-premise Automated Biometric Identification System, or IDENT, to the entirely AWS cloud-based Homeland Advanced Recognition Technology, or HART, system.

Editor's Note: This story has been updated to clarify the makers of specific biometric tools.