Case Study

How a Federal Agency Modernized Mission-Critical Networks with Itential

Working with Leidos under the GSM-O II contract, they modernized configuration compliance, automated remediation, and onboarded existing Python and Ansible scripts into governed workflows.

Challenge

Federal regulations keep devices in service longer than in commercial settings – raising the risk of configuration drift, compliance gaps, and security exposure across legacy and modern infrastructure that a small team must manage with limited tooling.

Solution

Leidos selected Itential to modernize how the agency manages configurations automating compliance verification, drift remediation, and reporting across legacy and modern devices through a single governed platform.

Why Itential

Secure, scalable orchestration proven in federal production. On-premises and air-gapped deployment options. Cisco NSO/NED and Kafka integrations. Onboarding for existing Python and Ansible scripts. Granular RBAC – all compliance-aware by design.

The Challenge

Legacy Device Configurations Create Vulnerabilities & Impact Federal Compliance

Federal environments require vendor approvals and strict security controls – so devices remain in service longer than in commercial settings, raising the risk of configuration drift and compliance gaps. The network team knew automation was essential to keep configurations current and policy-aligned. But any solution had to fit a secure federal stack and support an Authority to Operate.

The team was small. Existing automation was limited – Cisco NSO, some Python, some Ansible. They needed a platform that could make immediate, measurable progress under federal constraints and scale beyond the first wins.

To prove the model quickly, they chose three initial use cases: verification and reporting for IP network baseline configuration compliance; verification, remediation, and reporting for interface-description compliance; and read operations for L3 VPN provisioning, with automated writes targeted as the next step.

Three Constraints Unique to Federal Network Operations

Each one shaped which platforms could even be considered – and why most commercial automation tools were off the table.

Strict Vendor Approvals & ATO Required

Federal regulations mean every platform must clear vendor approval and support an Authority to Operate. Tools that work elsewhere often cannot be deployed at all without that foundation.

Small Team, Limited Existing Tooling

A small network team with limited automation in place (NSO, some Python, some Ansible) had to maintain compliance across legacy and modern infrastructure – and find a path that scaled without adding headcount.

Long Device Service Lives, Growing Drift

Devices stay in service longer in federal environments than in commercial ones. The longer they run, the further configurations drift from current policy – and the wider the compliance gap grows.

Over time, we’ve been a little slow to adopt new tools, or even devices due to federal regulations. But to scale our network, our capabilities, we need to rapidly change how we’re working to manage configuration compliance with our team.

Senior Network Engineer

Federal Agency

Federal regulations could not be the reason innovation waited. The team needed a platform secure enough for ATO, proven enough for federal production, and pragmatic enough to onboard the scripts they already ran.

Why Itential

Why Leidos Selected Itential Under GSM-O II

Under the GSM-O II contract, Leidos selected Itential as their infrastructure modernization solution. Itential provides a secure, scalable automation and orchestration platform proven in federal production – with multiple deployments operating under ATO and supporting continuous ATO through built-in evidence and policy enforcement. Six capabilities anchored the decision.

A Federal-Ready Foundation for Configuration Automation

Six capabilities sat at the center of the decision – together giving the agency a federal-grade foundation for compliance automation, remediation, and governed orchestration at scale.

Platform Overview

Out-of-the-Box Integrations Across the Federal Stack

ntegrations with Cisco NSO, Cisco NED, and Kafka – plus autogenerated connectors for bespoke systems – so federal infrastructure can be brought under one orchestration layer without per-system custom integration work.

Compliance Verification & Drift Remediation

Configuration compliance and drift remediation for CLI-based devices and API-driven services, plus automated remediation of non-compliant devices in minutes – closing security gaps as soon as they appear instead of waiting for the next audit cycle.

Onboard Existing Python & Ansible Scripts

The Itential Automation Gateway brings existing Python and Ansible scripts into governed workflows – preserving the value of work the team already did, while extending it with audit, policy, and orchestration.

Granular RBAC & Secure Sharing

Role-based access control and secure sharing so only authorized users can execute change operations – meeting the audit and access-control bar federal compliance requires.

On-Prem & Air-Gapped Deployment

On-premises deployment to support air-gapped and classified environments – the option that makes Itential viable for the parts of the federal network where commercial SaaS cannot operate.

Low-Code Canvas, Reusable Libraries

A low-code workflow canvas to rapidly design end-to-end orchestrations using modular assets – and reusable automation libraries that scale across additional use cases and teams.

The Solution

Three Use Cases Live, A Scalable Foundation in Place

Instead of waiting for a multi-year transformation program, the team picked three high-value compliance use cases and stood them up under ATO – using Itential as the platform that could also bring existing Python and Ansible work into the same governed model.

Baseline Config Compliance

Verification and reporting for IP network baseline configuration compliance – establishing the ground truth that every other compliance and remediation workflow can build on.

Interface-Description Compliance

Verification, remediation, and reporting for interface-description compliance – turning a recurring audit finding into a self-healing workflow.

L3 VPN Provisioning (Reads)

Read operations for L3 VPN provisioning, with automated writes targeted as the next milestone – proving the model on safer reads before extending to higher-stakes changes.

Governed Script Modernization

Existing Python and Ansible scripts onboarded into governed Itential workflows through the Automation Gateway – preserving prior investment while gaining audit, policy enforcement, and orchestration.

Building remediation workflows in Itential was really easy to pick up and seeing what we’ve done with our first few use cases, I can already tell the team will be able to do a lot more as we keep building workflows.

Senior Network Engineer

Federal Agency

The Outcome

What They’ve Achieved & the Roadmap to Network Modernization

With three use cases live and existing scripts onboarded into governed workflows, the team has a federal-ready automation foundation – and a clear roadmap for the next set of mission-critical milestones.

3

Initial Use Cases Live

Baseline configuration compliance, interface-description compliance, and L3 VPN provisioning reads – chosen to deliver compliance value quickly under federal constraints.

Zero

Out-of-Date Config Vulnerabilities

Eliminated vulnerabilities from out-of-date configurations and legacy devices — by automating compliance verification and remediation across multiple device types.

Mins

Remediation for Non-Compliant Devices

Automated remediation in minutes – closing security gaps across legacy and modern device types instead of waiting for the next audit cycle.

5

Roadmap Milestones Identified

L3 VPN writes, brownfield service migration, GMS cloud migration, optical-network automation, and deeper GMS system integration.

A Governed Foundation for Federal Network Modernization

With three compliance use cases in production and existing Python and Ansible scripts brought into governed workflows, the agency has the foundation to extend automation – all on the same platform.

What’s Next

The roadmap builds directly on the same Itential foundation now in production:

Enable L3 VPN provisioning writes to complement the existing read operations.
Migrate a broad range of brownfield services into governed Itential workflows.
Support cloud migration to GMS for enhanced scalability.
Expand automation into the optical transport network and optical layer.
Integrate more deeply with other GMS systems, including ticket management and event streaming.

Each step builds on the same governed orchestration model – increasing delivery speed, strengthening security posture, and sustaining compliance as the modernization program scales.

Keep Learning