TRANSCRIPT
UNCLASSIFIED
October 8, 2020
DoD Enterprise DevSecOps Community of Practice
Agenda
• DoD Enterprise DevSecOps Reference Design v2.0 Update
  Mr. Tom Lam, Dr. Ken Bedford – DoD CIO
• Cloud Native Access Point Reference Design
  Mr. Tom Lam, Mr. Matt Lutz – DoD CIO
• Continuous Authorization
  Mr. Rob Vietmeyer, Dr. Mark Smiley – DoD CIO
Opening Remarks
New Documents
• Back-to-Basics Acquisition Workforce Memorandum (OUSD(A&S))
• DoDI 5000.87 Operation of the Software Acquisition Pathway Policy (OUSD(A&S))
• Container Hardening Guide v1.1 (DISA)
Air Force Chief Software Officer Ask Me Anything
The next CSO Ask Me Anything is Thursday, October 15th from 1pm – 3pm EST!
Join from a PC, Mac, iPad, iPhone or Android device. Please click the link below to join the webinar:
https://us02web.zoom.us/j/458527876
Or iPhone one-tap:
US: +19292056099,,458527876# or +13017158592,,458527876#
Or Telephone (for higher quality, dial a number based on your current location):
US: +1 929 205 6099 or +1 301 715 8592 or +1 312 626 6799 or +1 669 900 6833 or +1 253 215 8782 or +1 346 248 7799
Webinar ID: 458 527 876
International numbers available: https://us02web.zoom.us/u/kv9xl1MzN
**** If you are on a DoD system blocking Zoom, please click on the link, wait a few seconds and you should see “Open Zoom?” - hit cancel and then select “click here to launch meeting”; then, as this is blocked, you should again see “Open Zoom?” - hit cancel and then select “join from your browser” and this should work!
October 29, 2020 (0930-1100 EST)
Co-hosted by DoD CIO & OUSD (A&S)
Microsoft Teams Live Event:
https://teams.microsoft.com/l/meetup-join/19%3ameeting_MjQxN2Y5ZWUtZjUzNy00OGIyLTljYmMtYzAzMTM3ZTg5OGU2%40thread.v2/0?context=%7b%22Tid%22%3a%2221acfbb3-32be-4715-9025-1e2f015cbbe9%22%2c%22Oid%22%3a%22a76d4b10-5e78-4b3a-befb-5d66f19ba787%22%2c%22IsBroadcastMeeting%22%3atrue%7d
Panelists:
• Mr. Pete Ranks, Deputy CIO for Information Enterprise, DoD CIO
• Dr. Jeff Boleng, Senior Advisor for Software Acquisition, USD(A&S)
• Ms. Tory Cuff, Senior Advisor Agile Acquisitions, USD(A&S)
• Mr. Rob Vietmeyer, Software Modernization Lead, DoD CIO
DoD Enterprise DevSecOps Reference Design v2.0 Update
DoD Software Modernization: Better Software Faster

Developer journey:
• Developer rapidly accesses modern cloud services through seamless onboarding
• Developer leverages templates to quickly spin up virtual cloud environments
• Developer produces code updates faster through a continuous pipeline
• Developer uses enterprise services to deliver secure software at speed

Software Development Outcomes: Streamlined Access to Cloud | Push Button Stand Up of Compliant Virtual Cloud | Continuous Code Enhancements | Optimal Reuse of Services

CLOUD
• JEDI
  − AT-AT
• milCloud 2.0
• CVR Transition
• Customer Onboarding
  − NIC Process
  − PPSM Process
  − CSSP Process
  − ServiceNow Pilot

DESIGN PATTERNS
• Infrastructure as Code
  − Blueprints/templates development
• Compliance as Code
  − STIG automation

DEVSECOPS / TOOLING
• Enterprise Service Provider Designation/Management
  − Air Force Platform One
• Enterprise Artifact Repository
  − Hardened Containers of Various Tool Suites
• RMF/ATO Transformation
  − Approval to Proceed
  − Continuous Authorization

ENTERPRISE SERVICES
• Security Infrastructure Services
  − Cloud Access Points
  − Cloud Native Access Points
  − Defensive Cyber Operations
  − CSSP Adoption
  − Cross Domain Services
  − Identity/Authentication Services
• Migration Services
  − Contract
• OCONUS/Tactical Services
  − OCONUS Cloud Strategy
  − OCONUS BCAP BCA
DevSecOps RD Version 1.0
Table of Contents
• Introduction
• Assumptions and Principles
• DevSecOps Concepts
• DevSecOps Tools and Activities
• DoD Enterprise DevSecOps Container Service
• DevSecOps Ecosystem Reference Designs
• Conclusion
https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf?ver=2019-09-26-115824-583
DevSecOps RD Version 2.0 - List of planned updates
• Focus on logical design and improve usability
• Re-align to current Reference Design template
• Focus on capabilities and allocation, less on specific technologies and products
• Add Responsibilities
• Add consistency checklist to assist Program Managers and Authorizing Officials in understanding how their DevSecOps platform, processes, and teams align to this DoD Enterprise DevSecOps Reference Design
Soliciting feedback from the community for additional updates
Cloud Native Access Point Reference Design
Cloud Native Access Point (CNAP): Background & Purpose
• Authenticated and authorized entities require secure access to cloud resources from anywhere, at any time, from any device.
• AF CNAP was developed & implemented to address the near-term need
• Additional patterns are required to provide access to all ranges of entities and types of cloud
• CNAP RD describes capabilities & processes; provides logical designs for implementing secured cloud access
• CNAP RD serves as the DoD enterprise-level guidance for the deployment of a CNAP capability
• Target Audience
  • Application Developers and Testers
  • Systems Engineers
  • Systems Administrators
  • Security Engineers
CNAP Design Principles
• Seamless and fast access for any authenticated and authorized entity regardless of location
• Security and access controls applied globally
• Trust based on DoD approved PKI/MFA
• Zero trust fine granular routing and access policies
• Full visibility into who is accessing what
• Attribution and non-repudiation in logs
• Flexible to allow varying implementations with optional components
Access To SaaS – Logical Design
Access to Mission Owner Enclave – Logical Design
CNAP RD – Review Instructions
When reviewing, answer the following:
• Question 1 - Does the Introduction clearly convey the challenge the RD is intended to solve?
• Question 2 - Does the RD meet the intended Purpose as defined in Section 1.1?
• Question 3 - Does the content of the document cover the Scope as defined in Section 1.3?
• Question 4 - Do the logical designs follow the Principles set forth in Section 3.2?
• Question 5 - Is the document coherent and organized in a manner that flows well?
• Question 6 - Is the writing concise and accurate?
When reviewing, avoid spending time:
• Correcting grammar and spelling
• Noting formatting inconsistencies
• Noting acronyms that need to be spelled out upon first appearance
Send your CRM by 30 OCT 2020 to: DevSecOps Mail Box, [email protected]
DoD Software Modernization: Continuous Authorization (October 2020)
DISTRIBUTION STATEMENT A: Approved for public release: Distribution unlimited
Ability to Fight and Win is Software Dependent
• New software = new capabilities: Capabilities of weapons systems and other critical systems are defined by their software
• Rapidly respond to emerging threats: Response to emerging threats is increasingly determined by the time required to develop and deploy software to the field
• Enable innovation: Modern software practices are critical to effective use of new technologies: cloud computing, artificial intelligence, machine learning, robotics, internet of things
• Challenge: The current approach to software development is a leading source of risk to DoD: it takes too long, is too expensive, and exposes warfighters to unacceptable risk
• Need to accelerate: Improvements in how we acquire software are happening, but adoption has been limited
Software is a foundational component of the modern military
DoD Software Modernization: Better Software Faster

TECHNICAL COMPONENTS / OUTCOMES
• Automated Deployment
• Plug and Play for Rapid Assembly
• Continuous Secure Delivery
• Global Delivery of Elastic Compute

NON-TECHNICAL COMPONENTS (CHALLENGES)
• Business Operations: Must enable internal “services economy” for reusable software within DoD
• Cyber Risk Management: Must automate cyber testing and authorization at the pace of software delivery
• Operational Testing: Must bridge operational testing with software development
• Acquisition: Must adapt to the unique needs and capabilities of modern software development
• Workforce: Must evolve the workforce to address changes in process and technology

Achieving continuous authorization requires the ability to address the technical and non-technical aspects of software modernization: people, process, and platform
What is Continuous Authorization
It’s a…
• state in which trustworthiness has been established through assessments & authorizations of the process, the team, and the platform for managing an application’s cyber risk coming out of a software factory
• state of continuous risk determination of application changes through use of DevSecOps control gate pass-fail rules against security automation findings & analysis
• state of idempotence and immutability that provides for consistent, repeatable secure application support infrastructure
• state of near real-time visualization of the security posture (e.g., control compliance & effectiveness, change in threat, risk determination, findings to be mitigated, monitoring for malicious activity, and accepted residual risk)
• state of secure rapid delivery of authorized applications through the enablement of cATO
Continuous Authorization Status (Oct 2020)

Phase I – Define concepts and approach
• Related DoD efforts:
  • Navy’s Compile-to-Combat 24
  • AF’s Fast-track ATO
  • DIA’s ATO-in-a-Day
  • DDS’ Rapid ATO
• Defense Security Authorization Working Group (DSAWG) established to develop guidance:
  • Key DoD Contributors: DoD CIO, USAF, JAIC, C5ISR
  • Key External Contributors: MITRE, Security Compass, Dark Wolf Solutions, Epigen Technology, Palo Alto Networks, SEI
• Products in development:
  • DoD Continuous Authorization Guide, Draft, 95 pages (Q2 FY21), ~830 commits incorporated
  • DoD Continuous Authorization Playbook, Draft, 39 pages (Q1 FY21)
  • DoD DevSecOps Playbook, Draft, 76 pages (Q1 FY21)
  • DoD DevSecOps Reference Design v1.1 (Q1 FY21)

Phase II – Refine approach through initial implementations
• DevSecOps platforms implementing cATO principles:
  • USAF Platform One
  • Defense Intelligence Agency DevOpsSec Program
  • DISA National Background Investigation Services
  • Maven Intel program
Continuous Authorization

Traditional Authorization Approach
• System Development and Testing
• Assess System’s Security Controls
• Authorize System
• Operate System
Industry Average Performance* (Traditional Development Approach)
• Deployment Frequency: 30-180 days
• Lead Time for Changes: 30-180 days
• Time to Restore Service: 7-30 days
• Change Failure Rate: 46-60%

Continuous Authorization Approach: Authorize Platform, Process, Team
• Authorize the Platform (Teams that Run the Platform)
• Authorize the DevSecOps Process
• Authorize the Team (Teams that Create, Build, Secure and Operate the Software Product)
• cATO – Continuously Pen Test, SAST/DAST testing, Continuously Manage Risk, Continuous Monitoring, Continuous Security Control Validation, Continuous Risk Determination, & Continuous Reporting
cATO Performance Targets* (Industry Elite DevSecOps Performance)
• Deployment Frequency: Multiple/day
• Lead Time for Changes: < 1 day
• Time to Restore Service: < 1 hour
• Change Failure Rate: 0-15%

*DORA Accelerate State of DevOps Report, https://services.google.com/fh/files/misc/state-of-devops-2019.pdf
cATO Method: High Level
• Authorize the Platform
• Authorize the Team that runs the platform
• Authorize the Process to create and monitor the SW Product
• Authorize the team that builds the SW Product
• Through continuous automated risk determination, enabled by security automation and continuous monitoring, the SW Product is authorized when it passes all control gate rules and emerges from the pipeline
Continuous Authorization: Overview

Authorize the Platform
Authorize the Platform using Traditional Risk Management Framework practices
• Platform supports full life-cycle from development through operations
• Platform is developed, operated and maintained as a production system:
  • Platform (including development, test, pre-production, and production environments) assessed and authorized using RMF processes
  • Platform incorporates continuous monitoring with integrated Tier 2 CSSP support
  • Continuous monitoring with behavior monitoring/zero trust enforcement
• Platform implements DevSecOps
  • Integrated cyber testing, monitoring, and event management for both the platform and components developed and operated on the platform
  • Automation: automated builds, testing, and deployments using Compliance as Code, Dynamic & Static App Security Testing, Pen Testing, Risk Determination with Control Gates
  • Infrastructure as Code: Reusable infrastructure and documentation, including a set of pre-approved architecture, technology stacks, and control implementations
• Software Factory may support multiple CI/CD pipelines
Authorize the Platform (continued)
• Use “standard” RMF process to authorize the Platform leveraging inheritance from the hosting environment and authorized-to-use components (Iron Bank or CSP)
• Use an approved hosting environment, such as a cloud service provider
• Authorize each platform layer to enable swappable layers
• Use IaC to set up the Platform environment (dev, test, staging, prod)
• Use CaC to validate compliance to STIGs for platform components
• Verify control gates are in place; parameters set by app owner
• Verify dashboards are in place and contain all necessary information
• Verify operations are in place, including CSSP
DevSecOps Lifecycle CI/CD Control Gates
Source: DoD Enterprise DevSecOps Reference Design, Version 1.0, 12 August 2019
Figure: DevSecOps Lifecycle with feedback loops; each control gate performs control gate testing followed by a control gate risk determination.
Authorize the Process
Using an SEI Process Assessment Approach: Focus on Outcomes, Performance, and Measurement
• Move from compliance-driven risk management to data-driven risk management
• Default to structured data, not documents. Documents generated on-demand from machine-readable and human-readable data
• Support risk response decisions, security status information, and ongoing insight into security control effectiveness
• Information security continuous monitoring (ISCM): ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
• Process adaptable to differences in component/change risk, urgent mission needs, and AO’s risk tolerance
• Transparency and repeatability:
  • All parties (developers, operations, security, senior officials) can access the information they need, when they need it
  • Repeatable, deterministic process: All parties understand required and optional steps; outcomes are consistent and predictable
• Enforced configuration and change management on code, artifacts, images, containers, executables through control gate enforcement and least privilege management
• ChatOps: Project collaboration for real-time interactive coordination among team members – developers, testers, administrators, cyber security monitors
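The two process points above that lend themselves to code are "use CaC to validate compliance to STIGs for platform components" and "default to structured data, not documents; documents generated on-demand". The following is an added example written for this page, not code from the DoD CIO presentation, from Platform One, or from DISA's STIG tooling. It checks an sshd_config-style file against a small rule set, records every check as structured data, and renders the human-readable report from that data rather than the other way round. The rule identifiers (CAC-SSH-001 and so on), the expected values, the "approved" cipher list and the sample configuration are all constructed for illustration and are not real STIG or CCI identifiers.

```python
"""Compliance as Code: evaluate a platform component's configuration against
hardening rules and keep the outcome as structured data.

Added example for this page; not code from the DoD CIO deck or DISA's STIG
tooling. Rule ids such as CAC-SSH-001 are constructed placeholders, not STIG
or CCI identifiers, and the sample configuration text is constructed.
"""
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    rule_id: str     # placeholder id, not a STIG/CCI identifier
    title: str
    key: str         # configuration keyword to inspect
    expected: str    # required value, compared case-insensitively
    severity: str    # low / medium / high


@dataclass(frozen=True)
class CheckResult:
    rule_id: str
    title: str
    severity: str
    status: str            # "pass" or "fail"
    expected: str
    actual: Optional[str]  # None when the keyword is not set at all


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines. Comment lines and blanks are ignored; as in
    sshd, the first occurrence of a keyword wins, so a later duplicate cannot
    silently override an earlier, weaker setting."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def run_checks(config_text: str, rules: List[Rule]) -> List[CheckResult]:
    """Evaluate every rule. An unset keyword fails closed: the check does not
    assume the software's default is the compliant value."""
    settings = parse_kv_config(config_text)
    results = []
    for r in rules:
        actual = settings.get(r.key.lower())
        ok = actual is not None and actual.lower() == r.expected.lower()
        results.append(CheckResult(r.rule_id, r.title, r.severity,
                                   "pass" if ok else "fail", r.expected, actual))
    return results


def to_structured(results: List[CheckResult]) -> str:
    """System of record: machine-readable findings a dashboard or control gate consumes."""
    return json.dumps([asdict(r) for r in results], indent=2)


def compliance_summary(results: List[CheckResult]) -> Dict[str, int]:
    summary = {"pass": 0, "fail": 0}
    for r in results:
        summary[r.status] += 1
    return summary


def render_report(structured_json: str) -> str:
    """Human-readable document generated on demand from the structured data."""
    rows = json.loads(structured_json)
    counts = {"pass": 0, "fail": 0}
    lines = []
    for r in rows:
        counts[r["status"]] += 1
        found = "not set" if r["actual"] is None else repr(r["actual"])
        lines.append(f"{r['status'].upper():4} {r['rule_id']} [{r['severity']}] "
                     f"{r['title']}: expected {r['expected']!r}, found {found}")
    header = f"Compliance summary: {counts['pass']} pass, {counts['fail']} fail"
    return "\n".join([header] + lines)


# Constructed STIG-style rule set (placeholder ids; cipher list is a constructed "approved" set).
SAMPLE_RULES = [
    Rule("CAC-SSH-001", "Root login over SSH disabled", "PermitRootLogin", "no", "high"),
    Rule("CAC-SSH-002", "Password authentication disabled in favor of PKI", "PasswordAuthentication", "no", "high"),
    Rule("CAC-SSH-003", "X11 forwarding disabled", "X11Forwarding", "no", "medium"),
    Rule("CAC-SSH-004", "Idle session timeout configured", "ClientAliveInterval", "600", "medium"),
    Rule("CAC-SSH-005", "Cipher list restricted to the approved set", "Ciphers",
         "aes256-gcm@openssh.com,aes128-gcm@openssh.com", "high"),
]

# Constructed sample, not taken from any real host. The duplicate
# PasswordAuthentication line shows why first-occurrence-wins matters.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
PermitRootLogin no
PasswordAuthentication yes
# a later duplicate does not take effect, so the finding above stands
PasswordAuthentication no
X11Forwarding no
ClientAliveInterval 600
"""


def sample_run() -> List[CheckResult]:
    return run_checks(SAMPLE_SSHD_CONFIG, SAMPLE_RULES)


if __name__ == "__main__":
    print(render_report(to_structured(sample_run())))
```

The report is a view over the JSON, so the same structured findings can feed a compliance dashboard, a control gate, or an on-demand document without a second copy of the truth.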
Authorize the Process (continued)
• Validate the automated process of building the SW
• Validate the automated workflow of building the SW
• Verify that the control gates are in place with appropriate parameters for performing AO’s risk determination
• Verify resulting dashboard of security posture
• Verify key practices are performed:
  • Security control compliance & effectiveness
  • Use CaC to validate compliance to STIGs for platform components
  • Monitoring threat landscape
  • Monitoring risk tolerance thresholds
  • Monitoring for malicious behavior
Authorize the Team
• Building the team:
  • Create a hiring practice in line with the DoD Cyber Workforce Framework (DCWF)
  • Include members with cyber assessment and cyber monitoring experience
  • Create a DevSecOps, risk management, and continuous authorization training plan including refresher training, team table-top exercises, and development of knowledge, skills, and abilities
  • Collect hiring and training metrics to ensure team members across the program office are indoctrinated into the organizational DevSecOps and continuous authorization culture
• Authorizing the team:
  • Review program office personnel certification requirements, i.e., education, training, experience, against current staffing
  • Interview critical team roles to assess their knowledge of the program office's DevSecOps continuous authorization process and their understanding of the AO's risk tolerance
  • Perform an integrated table-top exercise to ensure the individual teams work collaboratively to maintain the continuous authorization process
  • Monitor on-going team performance against the outcome metrics established for the program
Computers perform repetitive tasks - people solve problems. All team members are responsible for outcomes and for relentlessly pursuing continuous improvement.
Authorize the Team (continued)
• Teams are checked against cyber & software workforce role certification / education / experience requirements (as per DoDD 8140 and the DoD Cyber Workforce Framework (DCWF))
• Interview the Teams for knowledge of the DevSecOps processes
• Team exhibits DevSecOps culture
• Validate Training
  • Developers trained on developing secure code and tool security findings
  • Cybersecurity people trained on dashboards, machine-generated artifacts, and establishing control gate rule parameters
  • Testers trained on security test tools (e.g., code coverage)
  • ISSO, ISSM, Ops, assessors, AO trained on dashboards
Continuous Risk Monitoring / Continuous Risk Determination
• Key points
  • Translation of AO’s risk tolerance into a set of CI/CD control gate pass/fail rules based on security automation findings that control promotion to the next CI/CD phase
  • CI/CD security findings that exceed the risk threshold trigger an event to involve the ISSM, assessor or AO, and are then put on the backlog for remediation scheduling in a future sprint
  • Continuous validation of security configuration hardening and implementation of controls
  • Use of IaC to create a consistent, secure, and repeatable instance of application support infrastructure
  • Execution of SW Product within a secure authorized Platform based on the DoD CIO Enterprise DevSecOps Reference Design
  • SW product is under continuous monitoring and visualization of security posture by security team, assessor, and AO through the security visualization dashboards
Through the execution of these practices the SW Product has been through an automatic risk determination based on the AO’s prescribed risk tolerance, resulting in the SW Product being automatically authorized for use.
Result: continuous risk analysis, risk determination, and authorization
Figure: control gates (risk tolerance checks) feeding Security Posture Visualization
Risk Management Framework (RMF) Process for Continuous Authorization

Current RMF Process vs New RMF Process
• Comparing current and new RMF processes
  • For Application Authorization
  • For Platform Authorization
• New process still adheres to RMF, but the implementation of the steps is interpreted differently using automation
• Key points:
  • Move away from snapshot in time towards auto-generated content displayed in a dashboard showing risk posture in real-time
  • Extensive utilization of SW reuse, reciprocity, & inheritance from underlying infrastructure, platform, SW Factory, and authorized-to-use functional components
  • Authorize Platform, Process, and Team
  • Automated risk analysis and comparison to AO’s risk tolerance leads to automated risk determination and continuous authorization
Shift to Real-Time Understanding of Risk
• Today’s implementation of RMF is more a snapshot in time
  • Initial authorization
  • periodic sampling of security control compliance
  • periodic reassessments to ensure within acceptable residual risk (AO’s risk tolerance)
  • reliance on manual interpretation of security findings
  • little continuous monitoring (as defined in 800-137) and visualization of status
• DevSecOps environment will move DoD to near real-time
  • translation of risk tolerance to control gate checks
  • continuous security automation analysis of security findings (threat actions & vulnerabilities) against risk tolerance
  • continuous aggregation of security findings into visualization of security posture and residual risk
  • security status always available for review and security event triggers are reviewed within agreed-to timeframes with AO
Figure: control gates (risk tolerance checks) feeding Near Real-Time Security Posture Visualization
A Little Shift in RMF Roles & Responsibilities
• Establish PMO as a trusted agent of the AO through the process and team authorizations and oversight
• Assessors still have the role of
  • reviewing security posture dashboards on residual risk & trends
  • reviewing findings that may exceed the AO risk tolerance and PMO risk reduction alternatives & providing risk assessments & authorization recommendations
• Need to determine who will perform assessments and authorizations of shared platforms, processes, and teams
  • Current RMF assessors
  • Independent assessors
Assessment & Authorization Walk-Through
• determine security categorization
• determine AO’s risk tolerance
• translate to possible security findings, severity, & CI/CD phases
• develop control gate pass / fail rules and trigger approach & notifications
• setup platform for monitoring of app & develop feedback loops
• establish metrics, security backlog, & POA&M approach
• establish visualization dashboard and security posture reviews
• establish IaC for building secure infrastructure support enclaves
• run application through the pipeline
• once all control gates are passed and feedback loops established, app authorized for use

Figure (control gates & feedback): the AO’s risk tolerance, informed by the threat, the security control baseline, and mission assurance analysis, is translated to possible security findings (threats? vulnerabilities? mission assets?) and severity. Security automation (scanning, testing, validation) feeds automatic risk determination, continuous risk determination & CI/CD stage code promotion, with feedback on compliance, effectiveness, change in threat, and malicious detection.
• Static Code Analysis: pass / fail on severity of findings; can either break the build or pass the build with X days to fix
• Dynamic Code Analysis: pass / fail on severity of findings
• Bill of Materials (dependencies): pass / fail on severity of findings
• Container Security Scanning: pass / fail on severity of findings
• Red-teaming / AA / CVPA: risk feedback
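The control gate described in the walk-through and in the "Continuous Risk Determination" slide (the AO's risk tolerance expressed as per-scanner pass/fail rules on severity; a gate that either breaks the build or passes it with X days to fix; findings over the threshold raising an event for the ISSM, assessor or AO and landing on the backlog) is shown below as an added example. It is illustrative code written for this page, not code from the DoD CIO presentation, Platform One or any DoD software factory. The scanner names, severity scale, rule thresholds, finding identifiers and dates are constructed assumptions; the one design decision beyond the slides is that a scanner with no configured rule fails the gate closed rather than passing silently.

```python
"""Control gate evaluation: AO risk tolerance as pass/fail rules over scanner findings.

Added example for this page; not code from the DoD CIO deck or any DoD
platform. Scanner names, severity levels, rule values, finding ids and the
reference date are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

# Severity ordering used to compare a finding against a rule threshold (constructed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Reference date for deferred-fix deadlines (constructed; the deck's own date).
AS_OF = date(2020, 10, 8)


@dataclass(frozen=True)
class Finding:
    """One security-automation finding handed to the gate (placeholder fields)."""
    scanner: str      # which tool produced it: sast, dast, bom, container
    identifier: str   # scanner-specific id; placeholder values below
    severity: str     # key of SEVERITY_RANK


@dataclass(frozen=True)
class GateRule:
    """The AO's risk tolerance for one scanner at one promotion point."""
    scanner: str
    break_at: str          # findings at or above this severity fail the gate
    warn_at: str           # findings at or above this, but below break_at, pass with a deadline
    fix_within_days: int   # "pass the build with X days to fix"

    def __post_init__(self):
        if SEVERITY_RANK[self.warn_at] > SEVERITY_RANK[self.break_at]:
            raise ValueError(f"{self.scanner}: warn_at must not exceed break_at")


@dataclass
class GateResult:
    """Outcome of one control gate: promotion decision plus what to surface."""
    passed: bool = True
    blocking: List[Finding] = field(default_factory=list)
    deferred: Dict[str, str] = field(default_factory=dict)   # finding id -> ISO fix-by date
    events: List[str] = field(default_factory=list)          # notifications for ISSM/assessor/AO


def evaluate_gate(findings: List[Finding], rules: Dict[str, GateRule],
                  today: date = AS_OF) -> GateResult:
    """Apply the gate rules to a stage's findings and decide on promotion.

    A scanner with no rule fails closed: silence from an unconfigured tool must
    not read as a pass. Findings at or above break_at block promotion and raise
    an event; findings between warn_at and break_at are accepted with a fix-by
    date and a backlog event; anything below warn_at is within tolerance.
    """
    result = GateResult()
    for f in findings:
        rule = rules.get(f.scanner)
        if rule is None:
            result.passed = False
            result.events.append(f"no gate rule for scanner {f.scanner!r}; failing closed")
            continue
        rank = SEVERITY_RANK[f.severity]
        if rank >= SEVERITY_RANK[rule.break_at]:
            result.passed = False
            result.blocking.append(f)
            result.events.append(
                f"{f.scanner}:{f.identifier} ({f.severity}) exceeds risk tolerance; "
                f"notify ISSM/assessor/AO")
        elif rank >= SEVERITY_RANK[rule.warn_at]:
            due = (today + timedelta(days=rule.fix_within_days)).isoformat()
            result.deferred[f.identifier] = due
            result.events.append(
                f"{f.scanner}:{f.identifier} ({f.severity}) deferred to security backlog; fix by {due}")
    return result


# Constructed rule set for promotion from the build stage to test.
STAGE_RULES = {
    "sast": GateRule("sast", break_at="critical", warn_at="high", fix_within_days=30),
    "dast": GateRule("dast", break_at="high", warn_at="medium", fix_within_days=14),
    "bom": GateRule("bom", break_at="critical", warn_at="high", fix_within_days=30),
    "container": GateRule("container", break_at="high", warn_at="medium", fix_within_days=14),
}

# Constructed findings, as a scanner aggregation step might hand them to the gate.
SAMPLE_FINDINGS = [
    Finding("sast", "SAST-0001", "high"),
    Finding("bom", "BOM-0007", "medium"),
    Finding("container", "IMG-0042", "high"),
    Finding("dast", "DAST-0003", "low"),
]


def sample_gate_run() -> GateResult:
    """Gate the constructed findings: the container finding holds the build."""
    return evaluate_gate(SAMPLE_FINDINGS, STAGE_RULES)


def sample_gate_run_after_fix() -> GateResult:
    """Same run once the blocking container finding is remediated: passes with one deferred fix."""
    remaining = [f for f in SAMPLE_FINDINGS if f.identifier != "IMG-0042"]
    return evaluate_gate(remaining, STAGE_RULES)


if __name__ == "__main__":
    for run in (sample_gate_run(), sample_gate_run_after_fix()):
        print("PROMOTE" if run.passed else "HOLD", run.events)
```

The rule table is the machine-readable form of the AO's risk tolerance; changing a threshold is a reviewed change to that table, not a change to the pipeline code, and every deferred finding carries a deadline that the backlog and dashboard can track.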
Aligning Continuous Authorization with Traditional ATO requirements and reporting
Figure: Development Dashboard, Compliance Dashboard, and Event/Incident Dashboard feed Structured Data for 800-53/CCI Mapping & SAR/POAM Generation & CCORI Compliance
Technology Research Need: Can the traditional ATO documentation and artifacts be generated from the data collected by the cATO platforms?
Summary
Continuous Authorization
• Objective: Enable DoD to achieve elite DevSecOps performance and maintain the Department’s technological advantage over near-peer adversaries
• Significant evolution for traditional practices
  • Accredit platform, process, people rather than product/system/application
  • Accredited platform supports full-lifecycle – development through operations
  • Platform maintained as an operational system with integrated CSSP/Defensive cyber operations
  • Maximized use of automation and real-time data driven risk management
  • Immutability of production environment: maximum use of Infrastructure and Compliance as Code
• Next Steps
  • Release draft documentation for DoD review and publication
  • Determine feasibility and approach to align cATO approach with RMF and eMASS
  • Develop assessment criteria to evaluate initial implementations
  • Identify early adopters
QUESTIONS?
Next DevSecOps CoP Meeting
• Date/Time: Thursday, November 12, 2020 from 1:00 PM until 4:00 PM ET
• Theme is TBD
Closing Remarks
Contact Information
• MilSuite Site: https://www.milsuite.mil/book/groups/dod-enterprise-devsecops
• Air Force Site: https://software.af.mil/
• DevSecOps Mailbox: [email protected]
• Nicolas Chaillan, Air Force: [email protected]
• Jeff Boleng, OUSD(A&S): [email protected]
• Rob Vietmeyer, DoD CIO: [email protected]
• Ana Kreiensieck, DoD CIO: [email protected]
• Drew Malloy, DISA: [email protected]
Backups
Continuous Monitoring Activities
Table columns: Security Status Monitoring | Security Control Assessment | Security Status Reporting | Risk Tolerance Monitoring | Continuous Authorization
Activities listed across the columns (row label: DevSecOps):
• Manual risk assessment of sprint backlog
• DevSecOps automated tool sprint assessments: STIG (Compliance as Code), SAST, DAST, & pen testing
• Ops Incident analysis with feedback to DevSec
• DevSec review of assessment findings
• Review security status: Tier II & III SIEM event log monitoring, control compliance/effectiveness, analysis of cyber metrics and risk score
• Review risk tolerance threshold monitoring: review of change request impact analysis, review of cyber findings, review of threat landscape
• Manual review of app security designs
• Impact of risk to mission
• Development of courses of action
• Automated compliance checking and reporting
• Ongoing risk score/posture
• Tolerance threshold trend data
• Backlog list of security stories
• Cybersecurity metrics: non-compliance, vulnerabilities, incidents, Sec issues on backlog
• Change in threat
• Provide tolerance guidance
• Assess based on time/event trigger
• People certified for maintaining cATO
• Process certified & accredited
• Approve entry to continuous authorization