What is the 7Rs framework?

AWS's expansion of Gartner's original 6Rs: Retire, Retain, Rehost, Relocate, Replatform, Repurchase, Refactor. We use it as the decision framework for every workload in a portfolio migration. Each application gets a defensible R choice with supporting cost, risk, and effort estimates.

GovCloud or Azure Government?

Depends on the agency's existing commercial investment, required impact levels, and target services. AWS GovCloud (US) for IL2/IL4/IL5 and FedRAMP High; AWS Secret and Top Secret regions for IL6 and above. Azure Government for similar tiers; Azure Government Secret and Top Secret for higher classifications. We design portably where we can and accept the lock-in where it's a better engineering outcome.

Do you build FedRAMP-inheritable landing zones?

Yes. Our landing-zone baselines include org-level SCPs / management-group policies, CMK-backed KMS, centralized logging (CloudTrail Organization, Azure Activity Log export), VPC hub-and-spoke networking, private endpoints for all data services, and a managed egress pattern. Every control maps to NIST 800-53 baseline inheritance.

Can you migrate to IL5?

Yes. Azure Government IL5 and AWS GovCloud with IL5 CC SRG-aligned configurations. We handle the additional DoD-specific controls (e.g., CMMC level 2 inheritance, boundary monitoring, mission owner responsibilities).

How long does a typical migration take?

Wildly variable. A single SaaS-style app: 6-12 weeks. A 50-application portfolio: 12-24 months with waves of 5-8 apps in parallel. A data-center exit: multi-year. We decompose into waves so each wave delivers measurable value on its own.

Do you support Exit from existing cloud too?

Yes. Cloud-to-cloud migrations (e.g., Azure Gov to AWS GovCloud) are procedurally similar to data-center-to-cloud. Sometimes agencies need to repatriate workloads from commercial cloud to GovCloud for compliance reasons.

What about data gravity and egress costs?

We model egress, inter-AZ, and inter-region costs in the business case. Large-data migrations use Snowball Edge or Azure Data Box to avoid transit charges. Live-data migrations reserve bandwidth and use WAN acceleration where appropriate.

Do you handle containerization during migration?

Yes, when it's the right step. Not every workload should be containerized; not every workload should be left VM-based. Decision per workload, documented in the 7Rs analysis.

Can you support TMF-funded migration?

Yes. Business case shaping, milestone decomposition, and financial tracking aligned to TMF reporting. Also USDA Working Capital, VA IT Modernization fund, and agency-specific vehicles.

Fixed-price for scoped migration waves. T&M for long-horizon portfolio migration. Sub to prime. Often blended — fixed-price per wave within a T&M program.

Federal Cloud Migration & FedRAMP Landing Zones

Overview — federal cloud migration beyond the slideware

Every federal agency has a cloud strategy slide deck. Far fewer have a cloud portfolio that actually delivers cost savings, mission agility, and defensible security. The gap is not strategy — it is disciplined execution: a per-workload 7Rs decision, a landing zone that inherits FedRAMP controls, waves that ship every 8-12 weeks, reconciled cutovers, and honest cost reporting to the sponsor. That's the work.

Precision Delivery Federal LLC helps agencies close that gap. We are a SAM.gov registered small business (UEI Y2JVCZXT9HP5, CAGE 1AYQ0, NAICS 541512). Our cloud migration practice is grounded in hands-on engineering, not just advisory slides. We write the Terraform, we build the CI/CD, we author the SSP updates, we run the cutovers at 2 AM.

Our technical stack

Layer	Primary	Alternates	When we use it
Target clouds	AWS GovCloud (US)	Azure Government, Azure Gov IL5, AWS Secret	Per agency / IL requirement.
Landing zone	AWS Control Tower + SCPs	AWS LZA for GovCloud, Azure Landing Zones	Multi-account / multi-subscription baselines.
IaC	Terraform + terragrunt	CloudFormation, Bicep, Pulumi	Terraform default for multi-cloud portability.
Discovery	AWS Application Discovery Service	Azure Migrate, CAST Highlight	Portfolio inventory + dependency mapping.
Data migration	AWS DMS, Snowball Edge	Azure Data Box, AzCopy, rsync at scale	Scale-dependent.
Server migration	AWS MGN (formerly CloudEndure)	Azure Migrate, Carbonite Migrate	Rehost use cases.
Containerization	EKS, ECS	AKS, OpenShift	Replatform to containers when justified.
CI/CD	GitHub Actions, GitLab CI	AWS CodePipeline, Azure DevOps	Federal GitHub or GitLab tenants preferred.
Observability	CloudWatch + Grafana + OpenTelemetry	Azure Monitor, Datadog Government	Unified telemetry across clouds.
FinOps	AWS Cost Explorer + CUR	Azure Cost Management, CloudHealth	Agency-level chargeback and showback.

Federal use cases

Data-center exit — shuttering a government data center and migrating workloads to GovCloud in waves.
Commercial-to-GovCloud repatriation — workloads built in commercial AWS / Azure moved to GovCloud for compliance.
IL5 build-out for DoD mission systems — Azure Government IL5 landing zones supporting DoD components. DoD page.
VA modernization cloud target — landing zone for VA modernization workstreams. VA page.
USDA mission cloud — mixed SaaS + PaaS + IaaS consolidation. USDA page.
FedRAMP-high for HHS workloads — CMS and NIH program migrations.
Cloud-native greenfield for SBIR pilots — new capabilities built natively in GovCloud.
EPA environmental data platform migration.
DOI / BLM geographic data platform migration.
DHS component IT consolidation. DHS page.

Reference architectures

1. FedRAMP High landing zone in AWS GovCloud

Organization with accounts for: Management, Log Archive, Audit, Security Tooling, Network, Shared Services, and per-workload Workload accounts (Dev/Test/Prod). SCPs enforce region restrictions (GovCloud-only), deny root actions, and require KMS encryption on all data services. CloudTrail Organization Trail lands in the Log Archive account S3 with MFA-delete; AWS Config aggregator surfaces drift. Networking: Transit Gateway hub-and-spoke, PrivateLink for data services, egress through a centralized inspection VPC with AWS Network Firewall. Every workload account inherits these controls; the SSP references the landing zone baseline directly.

2. Azure Government IL5 landing zone

Management Group hierarchy: Root → Platform → Landing Zones → Decommissioned. Azure Policy enforces IL5 baseline: region restrictions, CMK requirements, private endpoints, Defender for Cloud. Bastion-only access. Networking via vWAN with regional hubs and Azure Firewall Premium. Log Analytics workspace with Sentinel for SOC integration.

3. Hybrid data-center-to-cloud wave

A data-center with 200 applications gets decomposed into 25 waves of ~8 applications each. Wave 1: low-risk static content sites (rehost). Wave 2: stateless web apps (replatform to ECS). Wave 3-5: data-heavy apps (replatform with RDS migration). Wave 6+: higher-risk tier-1 systems (refactor using strangler-fig patterns — see our legacy modernization capability).

Delivery methodology

Mobilize (2-4 weeks) — stakeholder alignment, governance model, CCB formation.
Discover (4-8 weeks) — portfolio inventory, dependency mapping, business criticality rating.
Decide (2-4 weeks) — 7Rs decision per app, wave plan, landing zone design.
Land (4-6 weeks) — build the landing zone, CI/CD, shared services.
Migrate (ongoing, wave-by-wave) — 8-12 week waves, each ending with a measurable closeout.
Optimize — rightsizing, RI/SP purchases, Graviton/ARM evaluation, architecture improvements.
Retire — formal decommissioning of source systems; ATO boundary updates.

Engagement models

Fixed-price landing zone — bounded 8-12 week build with defined deliverables.
Fixed-price per wave — predictable per-wave pricing for migration factories.
T&M migration program — for long-horizon portfolios.
TMF, WCF, and agency modernization funds — shape the business case + deliver.
Sub to prime — landing-zone and migration specialist inside a prime's team.

Maturity model

Level 1 — Ad hoc cloud usage: scattered accounts, no central governance.
Level 2 — Managed landing zone: multi-account org, baseline SCPs, central logging.
Level 3 — Productized landing zone: self-service account vending, reusable IaC modules, SSP-inheritance documented.
Level 4 — FinOps-integrated: chargeback, rightsizing, committed-use planning.
Level 5 — Platform engineering: internal developer platform with paved paths for compliant deployment.

Deliverables catalog

Portfolio inventory (CSV + dependency graph).
7Rs decision matrix.
Wave plan with dependencies.
Landing zone IaC (Terraform modules).
SCPs / Azure Policy baselines.
Shared services (logging, monitoring, backup).
Per-app migration runbooks.
Reconciliation and validation reports.
Cutover plans + rollback playbooks.
SSP updates and ATO package inputs.
Decommissioning checklists.
Cost model + realized-savings reports.

Technology comparison — honest tradeoffs

Option	Strengths	Weaknesses	Federal fit
AWS GovCloud	Broadest FedRAMP-High services, strong IL5, mature partners.	Region lag behind commercial, pricing premium.	Very high — default choice for many agencies.
Azure Government	Deep DoD IL5/IL6 footprint, strong M365 integration.	Fewer services vs commercial, pricing premium.	Very high — DoD and M365-heavy agencies.
Oracle Gov Cloud	Oracle DB lift-and-shift, JWICS / DoD niches.	Smaller ecosystem.	Medium — Oracle-heavy portfolios.
Google Public Sector	Assured Workloads, data analytics strength.	Limited FedRAMP-High services.	Medium — analytics-focused.
IBM Cloud for Government	IBM legacy integration.	Smaller ecosystem.	Low-medium.
On-prem Kubernetes (OpenShift)	Full sovereign control.	Ops burden on agency.	Case-by-case.

Federal compliance mapping

Landing zones are designed so the workload's SSP inherits most baseline controls. Representative coverage:

AC-2, AC-3, AC-6 — SSO (Login.gov, agency IdP), SCP / policy-enforced least privilege, break-glass procedures.
AU-2, AU-6, AU-12 — CloudTrail Organization Trail / Azure Activity Log with immutable storage, centralized SIEM forwarding.
SC-7 — centralized ingress/egress inspection, private endpoints for data services.
SC-12, SC-13, SC-28 — KMS / Key Vault with CMKs, TLS 1.3 everywhere, at-rest encryption mandated by policy.
CP-9, CP-10 — cross-account backups, DR runbooks tested at least annually.
CM-2, CM-3, CM-8 — IaC as the authoritative configuration, drift detection, automated inventory.
IR-4, IR-5, IR-6 — GuardDuty / Defender for Cloud / Sentinel integrated with the agency SOC.

Sample technical approach — 50-app portfolio migration

A federal agency wants to exit a leased data center within 24 months. Portfolio: 50 applications, mix of .NET / Java / LAMP / COBOL, ranging from static content sites to a mission-critical case-management system.

Weeks 1-8: Mobilize + discover. Application Discovery Service agents on every VM; dependency graph built. Business criticality tier assigned per app; ATO status documented; data classification recorded.

Weeks 9-12: Decide. 7Rs decisions. 6 apps → retire (no longer used). 4 apps → retain (SaaS already). 18 apps → rehost via MGN. 14 apps → replatform (containerize or RDS). 6 apps → refactor (strangler-fig). 2 apps → repurchase (switch to SaaS equivalent).

Weeks 13-18: Land. FedRAMP High landing zone built. CI/CD factory for MGN cutovers. Shared services operational.

Weeks 19+: Migrate in waves of 8 apps, running 3 waves in parallel. Each wave: 6 weeks plan → 4 weeks build → 2 weeks cutover + validate. Rehost waves go first for velocity and confidence; replatform and refactor waves interleaved.

Month 24: final decommissioning. Data center terminated. Realized savings: TBD, reported monthly to the sponsor against the original business case.

Related capabilities, agencies, vehicles, insights

Capabilities: Cloud Infrastructure, Cybersecurity & DevSecOps, Legacy Modernization, Data Engineering.
Agencies: DoD, VA, USDA, DHS, HHS, Treasury.
Vehicles: TMF, GSA MAS, SEWP, SBIR.
Insights: The 7Rs in federal, Landing zone SSP inheritance, GovCloud vs Azure Government.
Resources: FedRAMP landing zone reference, Migration wave-plan template.
Case studies: SAMHSA production ML (confirmed PP).

Federal cloud migration, 7Rs done right.

Overview — federal cloud migration beyond the slideware

Our technical stack

Federal use cases

Reference architectures

1. FedRAMP High landing zone in AWS GovCloud

2. Azure Government IL5 landing zone

3. Hybrid data-center-to-cloud wave

Delivery methodology

Engagement models

Maturity model

Deliverables catalog

Technology comparison — honest tradeoffs

Federal compliance mapping

Sample technical approach — 50-app portfolio migration

Related capabilities, agencies, vehicles, insights

Waves that actually land.

Federal cloud migration, 7Rs done right.

Overview — federal cloud migration beyond the slideware

Our technical stack

Federal use cases

Reference architectures

1. FedRAMP High landing zone in AWS GovCloud

2. Azure Government IL5 landing zone

3. Hybrid data-center-to-cloud wave

Delivery methodology

Engagement models

Maturity model

Deliverables catalog

Technology comparison — honest tradeoffs

Federal compliance mapping

Sample technical approach — 50-app portfolio migration

Related capabilities, agencies, vehicles, insights

Cloud Infrastructure

Cybersecurity & DevSecOps

Legacy Modernization

Waves that actually land.