ASM Cheatsheet
Case Study 5

Government Agency Modernization

Federal government department (anonymized), 3-year transformation

Challenge: Legacy system modernization

Background

Agency: Federal government department (anonymized)
Project: Legacy system modernization
Timeline: 3-year transformation
Constraints: Zero downtime tolerance, strict compliance requirements

The Modernization Challenge

The agency needed to:

  • Migrate 200+ legacy applications to cloud
  • Maintain 99.9% uptime during transition
  • Ensure FedRAMP compliance throughout
  • Preserve security posture during migration

ASM-Enabled Migration Strategy

Phase 1: Legacy Asset Discovery and Mapping

# Comprehensive legacy system inventory
AGENCY_DOMAINS="agency.gov,portal.agency.gov,services.agency.gov"
LEGACY_DIR="legacy_assessment_$(date +%Y%m%d)"

mkdir -p "$LEGACY_DIR"/{discovery,analysis,mapping,compliance}
# Stop here if the working directory is unavailable, so output never lands elsewhere
cd "$LEGACY_DIR" || exit 1

# Government-specific discovery approach
# AGENCY_DOMAINS is comma-separated, so turn the commas into spaces before looping
for domain in ${AGENCY_DOMAINS//,/ }; do
    echo "Discovering legacy assets for: $domain"
    
    # Passive discovery (no active scanning of .gov)
    amass enum -passive -d "$domain" -timeout 30 -o "discovery/${domain}_assets.txt"
    
    # Certificate transparency
    curl -s "https://crt.sh/?q=%.${domain}&output=json" | \
    jq -r '.[].name_value' | sort -u > "discovery/${domain}_ct.txt"
    
    # DNS enumeration
    dnsrecon -d "$domain" -t std > "discovery/${domain}_dns.txt"
done

# Consolidate findings
cat discovery/*_assets.txt discovery/*_ct.txt | sort -u > discovery/all_legacy_assets.txt
echo "Legacy assets discovered: $(wc -l < discovery/all_legacy_assets.txt)"
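
The consolidated list from Phase 1 is what Phase 2 probes, and certificate transparency results routinely contain wildcard entries, mixed case and duplicates. The following is an added example, not part of the original cheatsheet, that normalizes the merged list and keeps only names under the authorized domains; `normalize_assets`, `sample_assets` and the sample hostnames are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: normalize and scope-filter discovered hostnames before probing.
# The scope list and the sample hostnames are constructed for illustration.
IN_SCOPE="agency.gov,portal.agency.gov,services.agency.gov"

# Reads hostnames on stdin and prints the cleaned, in-scope set.
# $1 is the comma-separated list of authorized root domains.
normalize_assets() {
    tr -d '\r' | tr '[:upper:]' '[:lower:]' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' -e 's/\.$//' |
    awk -v scope="$1" '
        BEGIN { n = split(scope, roots, ",") }
        # Drop empty lines, e-mail style entries and anything that is not a hostname
        $0 !~ /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/ { next }
        {
            for (i = 1; i <= n; i++) {
                r = roots[i]
                # Exact match, or a subdomain on a label boundary (not a bare suffix)
                if ($0 == r || (length($0) > length(r) &&
                    substr($0, length($0) - length(r)) == "." r)) {
                    print
                    next
                }
            }
        }' |
    sort -u
}

# Constructed sample standing in for the merged amass and crt.sh output
sample_assets() {
    printf '%s\n' \
        'WWW.agency.gov' '*.portal.agency.gov' 'portal.agency.gov' \
        'legacy.services.agency.gov.' 'notagency.gov' \
        'agency.gov.example.net' 'admin@agency.gov' '' 'www.agency.gov'
}

# Prints the three in-scope names; look-alike and out-of-scope entries are dropped
sample_assets | normalize_assets "$IN_SCOPE"
```

In the Phase 1 script this would replace the plain `sort -u` when writing `discovery/all_legacy_assets.txt`, with `$AGENCY_DOMAINS` passed as the scope argument.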

Phase 2: Security Posture Assessment

# Assess current security posture
httpx -l discovery/all_legacy_assets.txt -tech-detect -status-code -title > analysis/current_posture.txt

# Identify security concerns
grep -iE "(http://|ftp://)" analysis/current_posture.txt > analysis/unencrypted_services.txt
grep -iE "(admin|login|portal)" analysis/current_posture.txt > analysis/admin_interfaces.txt
grep -oE "tech:\[[^]]*\]" analysis/current_posture.txt | sort | uniq -c > analysis/technology_inventory.txt

# FedRAMP compliance check
cat > compliance/fedramp_assessment.md << EOF
# FedRAMP Compliance Assessment

## Current State Analysis
- **Total Assets:** $(wc -l < discovery/all_legacy_assets.txt)
- **Unencrypted Services:** $(wc -l < analysis/unencrypted_services.txt)
- **Admin Interfaces:** $(wc -l < analysis/admin_interfaces.txt)

## Compliance Gaps Identified
1. Unencrypted data transmission on $(wc -l < analysis/unencrypted_services.txt) services
2. Exposed administrative interfaces requiring additional controls
3. Legacy technologies requiring security updates

## Remediation Priority
1. **High:** Implement encryption for all data transmission
2. **Medium:** Secure administrative access controls  
3. **Low:** Update legacy technology stack
EOF