
Page 1: DoD Enterprise DevSecOps Community of Practice · 2021. 3. 11. · • Mr. Rob Vietmeyer, Dr. Mark Smiley – DoD CIO. UNCLASSIFIED UNCLASSIFIED. 3. Opening Remarks. UNCLASSIFIED

UNCLASSIFIED


October 8, 2020

DoD Enterprise DevSecOps Community of Practice


Agenda


• DoD Enterprise DevSecOps Reference Design v2.0 Update
  • Mr. Tom Lam, Dr. Ken Bedford – DoD CIO

• Cloud Native Access Point Reference Design
  • Mr. Tom Lam, Mr. Matt Lutz – DoD CIO

• Continuous Authorization
  • Mr. Rob Vietmeyer, Dr. Mark Smiley – DoD CIO


Opening Remarks


New Documents


• Back-to-Basics Acquisition Workforce Memorandum
  • OUSD(A&S)

• DoDI 5000.87 Operation of the Software Acquisition Pathway Policy
  • OUSD(A&S)

• Container Hardening Guide v1.1
  • DISA


Air Force Chief Software Officer Ask Me Anything


The next CSO Ask Me Anything is Thursday, October 15th from 1pm – 3pm EST!

Join from a PC, Mac, iPad, iPhone or Android device. Please click the link below to join the webinar:

https://us02web.zoom.us/j/458527876

Or iPhone one-tap:

US: +19292056099,,458527876# or +13017158592,,458527876#

Or telephone (for higher quality, dial a number based on your current location):

US: +1 929 205 6099 or +1 301 715 8592 or +1 312 626 6799 or +1 669 900 6833 or +1 253 215 8782 or +1 346 248 7799

Webinar ID: 458 527 876

International numbers available: https://us02web.zoom.us/u/kv9xl1MzN

**** If you are on a DoD system blocking Zoom, please click on the link, wait a few seconds and you should see “Open Zoom?” – hit cancel and then select “click here to launch meeting”; as this is blocked, you should again see “Open Zoom?” – hit cancel and then select “join from your browser” and this should work!


October 29, 2020 (0930-1100 EST)

Co-hosted by DoD CIO & OUSD (A&S)

Microsoft Teams Live Event

Panelists:

• Mr. Pete Ranks, Deputy CIO for Information Enterprise, DoD CIO
• Dr. Jeff Boleng, Senior Advisor for Software Acquisition, USD(A&S)
• Ms. Tory Cuff, Senior Advisor Agile Acquisitions, USD(A&S)
• Mr. Rob Vietmeyer, Software Modernization Lead, DoD CIO

https://teams.microsoft.com/l/meetup-join/19%3ameeting_MjQxN2Y5ZWUtZjUzNy00OGIyLTljYmMtYzAzMTM3ZTg5OGU2%40thread.v2/0?context=%7b%22Tid%22%3a%2221acfbb3-32be-4715-9025-1e2f015cbbe9%22%2c%22Oid%22%3a%22a76d4b10-5e78-4b3a-befb-5d66f19ba787%22%2c%22IsBroadcastMeeting%22%3atrue%7d


DoD Enterprise DevSecOps Reference Design v2.0 Update


DoD Software Modernization: Better Software Faster

Software Development Outcomes: Streamlined Access to Cloud | Push Button Stand Up of Compliant Virtual Cloud | Continuous Code Enhancements | Optimal Reuse of Services

• Developer rapidly accesses modern cloud services through seamless onboarding
• Developer leverages templates to quickly spin up virtual cloud environments
• Developer produces code updates faster through a continuous pipeline
• Developer uses enterprise services to deliver secure software at speed

CLOUD
• JEDI
  − AT-AT
• milCloud 2.0
• CVR Transition
• Customer Onboarding
  − NIC Process
  − PPSM Process
  − CSSP Process
  − ServiceNow Pilot

DESIGN PATTERNS
• Infrastructure as Code
  − Blueprints/templates development
• Compliance as Code
  − STIG automation

DEVSECOPS / TOOLING
• Enterprise Service Provider Designation/Management
  − Air Force Platform One
• Enterprise Artifact Repository
  − Hardened Containers of Various Tool Suites
• RMF/ATO Transformation
  − Approval to Proceed
  − Continuous Authorization

ENTERPRISE SERVICES
• Security Infrastructure Services
  − Cloud Access Points
  − Cloud Native Access Points
  − Defensive Cyber Operations
  − CSSP Adoption
  − Cross Domain Services
  − Identity/Authentication Services
• Migration Services
  − Contract
• OCONUS/Tactical Services
  − OCONUS Cloud Strategy
  − OCONUS BCAP BCA


DevSecOps RD Version 1.0

Table of Contents
• Introduction
• Assumptions and Principles
• DevSecOps Concepts
• DevSecOps Tools and Activities
• DoD Enterprise DevSecOps Container Service
• DevSecOps Ecosystem Reference Designs
• Conclusion

https://dodcio.defense.gov/Portals/0/Documents/DoD%20Enterprise%20DevSecOps%20Reference%20Design%20v1.0_Public%20Release.pdf?ver=2019-09-26-115824-583


DevSecOps RD Version 2.0 - List of planned updates

• Focus on logical design and improve usability
• Re-align to current Reference Design template
• Focus on capabilities and allocation, less on specific technologies and products
• Add Responsibilities
• Add consistency checklist to assist Program Managers and Authorizing Officials in understanding how their DevSecOps platform, processes, and teams align to this DoD Enterprise DevSecOps Reference Design

Soliciting feedback from the community for additional updates


Cloud Native Access Point Reference Design


Cloud Native Access Point (CNAP): Background & Purpose

• Authenticated and authorized entities require secure access to cloud resources from anywhere, at any time, from any device.
• AF CNAP was developed & implemented to address the near-term need
• Additional patterns are required to provide access to all ranges of entities and types of cloud
• CNAP RD describes capabilities & processes; provides logical designs for implementing secured cloud access
• CNAP RD serves as the DoD enterprise-level guidance for the deployment of a CNAP capability
• Target Audience
  • Application Developers and Testers
  • Systems Engineers
  • Systems Administrators
  • Security Engineers


CNAP Design Principles

• Seamless and fast access for any authenticated and authorized entity regardless of location
• Security and access controls applied globally
• Trust based on DoD approved PKI/MFA
• Zero trust fine-grained routing and access policies
• Full visibility into who is accessing what
• Attribution and non-repudiation in logs
• Flexible to allow varying implementations with optional components


Access To SaaS – Logical Design


Access to Mission Owner Enclave – Logical Design


CNAP RD – Review Instructions

When reviewing, answer the following:
• Question 1 - Does the Introduction clearly convey the challenge the RD is intended to solve?
• Question 2 - Does the RD meet the intended Purpose as defined in Section 1.1?
• Question 3 - Does the content of the document cover the Scope as defined in Section 1.3?
• Question 4 - Do the logical designs follow the Principles set forth in Section 3.2?
• Question 5 - Is the document coherent and organized in a manner that flows well?
• Question 6 - Is the writing concise and accurate?

When reviewing, avoid spending time:
• Correcting grammar and spelling
• Noting formatting inconsistencies
• Noting acronyms that need to be spelled out upon first appearance

Send your CRM by 30 OCT 2020 to: DevSecOps Mail Box, [email protected]


DoD Software Modernization: Continuous Authorization October 2020

DISTRIBUTION STATEMENT A: Approved for public release: Distribution unlimited


Ability to Fight and Win is Software Dependent

• New software = new capabilities: Capabilities of weapons systems and other critical systems are defined by their software

• Rapidly respond to emerging threats: Response to emerging threats is increasingly determined by the time required to develop and deploy software to the field

• Enable innovation: Modern software practices are critical to effective use of new technologies: cloud computing, artificial intelligence, machine learning, robotics, internet of things

• Challenge: The current approach to software development is a leading source of risk to DoD: it takes too long, is too expensive, and exposes warfighters to unacceptable risk

• Need to accelerate: Improvements in how we acquire software are happening, but adoption has been limited

Software is a foundational component of the modern military


DoD Software Modernization: Better Software Faster

Technical Components / Outcomes:
• Automated Deployment
• Plug and Play for Rapid Assembly
• Continuous Secure Delivery
• Global Delivery of Elastic Compute

Non-Technical Components (Challenges):
• Business Operations: Must enable internal “services economy” for reusable software within DoD
• Cyber Risk Management: Must automate cyber testing and authorization at the pace of software delivery
• Operational Testing: Must bridge operational testing with software development
• Acquisition: Must adapt to the unique needs and capabilities of modern software development
• Workforce: Must evolve the workforce to address changes in process and technology

Achieving continuous authorization requires the ability to address the technical and non-technical aspects of software modernization: people, process, and platform


What is Continuous Authorization?

It’s a…
• state in which trustworthiness has been established through assessments & authorizations of the process, the team, and the platform for managing an application’s cyber risk coming out of a software factory
• state of continuous risk determination of application changes through use of DevSecOps control gate pass-fail rules against security automation findings & analysis
• state of idempotence and immutability that provides for consistent, repeatable secure application support infrastructure
• state of near real-time visualization of the security posture (e.g., control compliance & effectiveness, change in threat, risk determination, findings to be mitigated, monitoring for malicious activity, and accepted residual risk)
• state of secure rapid delivery of authorized applications through the enablement of cATO



Continuous Authorization Status

• Related DoD efforts:
  • Navy’s Compile-to-Combat 24
  • AF’s Fast-track ATO
  • DIA’s ATO-in-a-Day
  • DDS’ Rapid ATO

• Defense Security Authorization Working Group (DSAWG) established to develop guidance:
  • Key DoD Contributors: DoD CIO, USAF, JAIC, C5ISR
  • Key External Contributors: MITRE, Security Compass, Dark Wolf Solutions, Epigen Technology, Palo Alto Networks, SEI

• Products in development:
  • DoD Continuous Authorization Guide, Draft, 95 pages (Q2 FY21), ~830 commits incorporated
  • DoD Continuous Authorization Playbook, Draft, 39 pages (Q1 FY21)
  • DoD DevSecOps Playbook, Draft, 76 pages (Q1 FY21)
  • DoD DevSecOps Reference Design v1.1 (Q1 FY21)

Phase I – Define concepts and approach
Phase II – Refine approach through initial implementations

• DevSecOps platforms implementing cATO principles:
  • USAF Platform One
  • Defense Intelligence Agency DevOpsSec Program
  • DISA National Background Investigation Services
  • Maven Intel program

Oct 2020


Continuous Authorization


Traditional Authorization Approach: System Development and Testing → Assess System’s Security Controls → Authorize System → Operate System

Continuous Authorization Approach: Authorize Platform, Process, Team
• Authorize the Platform
• Authorize the DevSecOps Process
• Authorize the Team

Teams involved: Teams that Run the Platform; Teams that Create, Build, Secure and Operate the Software Product

cATO – Continuously Pen Test, SAST/DAST testing, Continuously Manage Risk, Continuous Monitoring, Continuous Security Control Validation, Continuous Risk Determination, & Continuous Reporting

Industry Average Performance* (Traditional Development Approach):
• Deployment Frequency: 30-180 days
• Lead Time for Changes: 30-180 days
• Time to Restore Service: 7-30 days
• Change Failure Rate: 46-60%

cATO Performance Targets* (Industry Elite DevSecOps Performance):
• Deployment Frequency: Multiple/day
• Lead Time for Changes: < 1 day
• Time to Restore Service: < 1 hour
• Change Failure Rate: 0-15%

*DORA Accelerate State of DevOps Report, https://services.google.com/fh/files/misc/state-of-devops-2019.pdf


cATO Method: High Level

• Authorize the Platform
• Authorize the Team that runs the platform
• Authorize the Process to create and monitor the SW Product
• Authorize the team that builds the SW Product
• Through continuous automated risk determination, enabled by security automation and continuous monitoring, the SW Product is authorized when it passes all control gate rules and emerges from the pipeline


Continuous Authorization: Overview



Authorize the Platform: Authorize the Platform using Traditional Risk Management Framework practices

• Platform supports full life-cycle from development through operations
• Platform is developed, operated and maintained as a production system:
  • Platform (including development, test, pre-production, and production environments) assessed and authorized using RMF processes
  • Platform incorporates continuous monitoring with integrated Tier 2 CSSP support
  • Continuous monitoring with behavior monitoring/zero trust enforcement
• Platform implements DevSecOps
  • Integrated cyber testing, monitoring, and event management for both the platform and components developed and operated on the platform
  • Automation: automated builds, testing, and deployments using Compliance as Code, Dynamic & Static App Security Testing, Pen Testing, Risk Determination with Control Gates
  • Infrastructure as Code: Reusable infrastructure and documentation, including a set of pre-approved architecture, technology stacks, and control implementations
• Software Factory may support multiple CI/CD pipelines


Authorize the Platform: Authorize the Platform using Traditional Risk Management Framework practices

• Use “standard” RMF process to authorize the Platform leveraging inheritance from the hosting environment and authorized-to-use components (Iron Bank or CSP)
• Use an approved hosting environment, such as a cloud service provider
• Authorize each platform layer to enable swappable layers
• Use IaC to set up the Platform environment (dev, test, staging, prod)
• Use CaC to validate compliance to STIGs for platform components
• Verify control gates are in place; parameters set by app owner
• Verify dashboards are in place and contain all necessary information
• Verify operations are in place, including CSSP


DevSecOps Lifecycle CI/CD Control Gates

Source: DoD Enterprise DevSecOps Reference Design, Version 1.0, 12 August 2019

[Figure: DevSecOps Lifecycle – feedback loops; control gate risk determination; control gate testing]


Authorize the Process: Using an SEI Process Assessment Approach – Focus on Outcomes, Performance, and Measurement

• Move from compliance-driven risk management to data-driven risk management
• Default to structured data, not documents. Documents generated on-demand from machine-readable and human-readable data
• Support risk response decisions, security status information, and ongoing insight into security control effectiveness
• Information security continuous monitoring (ISCM): ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
• Process adaptable to differences in component/change risk, urgent mission needs, and AO’s risk tolerance
• Transparency and repeatability:
  • All parties (developers, operations, security, senior officials) can access the information they need, when they need it
  • Repeatable, deterministic process: All parties understand required and optional steps; outcomes are consistent and predictable
• Enforced configuration and change management on code, artifacts, images, containers, executables through control gate enforcement and least privilege management
• ChatOps: Project collaboration for real-time interactive coordination among team members – developers, testers, administrators, cyber security monitors


Authorize the Process: Using an SEI Process Assessment Approach – Focus on Outcomes, Performance, and Measurement

• Validate the automated process of building the SW
• Validate the automated workflow of building the SW
• Verify that the control gates are in place with appropriate parameters for performing AO’s risk determination
• Verify resulting dashboard of security posture
• Verify key practices are performed:
  • Security control compliance & effectiveness
  • Use CaC to validate compliance to STIGs for platform components
  • Monitoring threat landscape
  • Monitoring risk tolerance thresholds
  • Monitoring for malicious behavior


Authorize the Team

• Building the team:
  • Create a hiring practice in line with the DoD Cyber Workforce Framework (DCWF)
  • Include members with cyber assessment and cyber monitoring experience
  • Create a DevSecOps, risk management, and continuous authorization training plan including refresher training, team table-top exercises, and development of knowledge, skills, and abilities
  • Collect hiring and training metrics to ensure team members across the program office are indoctrinated into the organizational DevSecOps and continuous authorization culture

• Authorizing the team:
  • Review program office personnel certification requirements, i.e., education, training, experience, against current staffing
  • Interview critical team roles to assess their knowledge of the program office's DevSecOps continuous authorization process and their understanding of the AO's risk tolerance
  • Perform an integrated table-top exercise to ensure the individual teams work collaboratively to maintain the continuous authorization process
  • Monitor on-going team performance against the outcome metrics established for the program

Computers perform repetitive tasks - people solve problems
All team members are responsible for outcomes and relentlessly pursuing continuous improvement


Authorize the Team

• Teams are checked against cyber & software workforce role certification / education / experience requirements (as per DoDD 8140 and the DoD Cyber Workforce Framework (DCWF))
• Interview the Teams for knowledge of the DevSecOps processes
• Team exhibits DevSecOps culture
• Validate Training
  • Developers trained on developing secure code and tool security findings
  • Cybersecurity people trained on dashboards, machine-generated artifacts, and establishing control gate rule parameters
  • Testers trained on security test tools (e.g., code coverage)
  • ISSO, ISSM, Ops, assessors, AO trained on dashboards


Continuous Risk Determination (Continuous Risk Monitoring)

• Key points
  • Translation of AO’s risk tolerance into a set of CI/CD control gate pass/fail rules based on security automation findings that control promotion to the next CI/CD phase
  • CI/CD security findings that exceed the risk threshold trigger an event to involve the ISSM, assessor or AO, and are then put on the backlog for remediation scheduling in a future sprint
  • Continuous validation of security configuration hardening and implementation of controls
  • Use of IaC to create a consistent, secure, and repeatable instance of application support infrastructure
  • Execution of SW Product within a secure authorized Platform based on the DoD CIO Enterprise DevSecOps Reference Design
  • SW product is under continuous monitoring and visualization of security posture by security team, assessor, and AO through the security visualization dashboards

Through the execution of these practices the SW Product has been through an automatic risk determination based on the AO’s prescribed risk tolerance, resulting in the SW Product being automatically authorized for use.

Result: continuous risk analysis, risk determination, and authorization

[Figure: control gates / risk tolerance checks → Security Posture Visualization]


Risk Management Framework (RMF) Process for Continuous Authorization


Current RMF Process vs New RMF Process

• Comparing current and new RMF processes
  • For Application Authorization
  • For Platform Authorization
• New process still adheres to RMF, but implementation of steps interpreted differently using automation
• Key points:
  • Move away from snapshot in time towards auto-generated content displayed in a dashboard showing risk posture in real-time
  • Extensive utilization of SW reuse, reciprocity, & inheritance from underlying infrastructure, platform, SW Factory, and authorized-to-use functional components
  • Authorize Platform, Process, and Team
  • Automated risk analysis and comparison to AO’s risk tolerance leads to automated risk determination and continuous authorization


Shift to Real-Time Understanding of Risk

• Today’s implementation of RMF is more a snapshot in time
  • Initial authorization
  • periodic sampling of security control compliance
  • periodic reassessments to ensure within acceptable residual risk (AO’s risk tolerance)
  • reliance on manual interpretation of security findings
  • little continuous monitoring (as defined in 800-137) and visualization of status
• DevSecOps environment will move DoD to near real-time
  • translation of risk tolerance to control gate checks
  • continuous security automation analysis of security findings (threat actions & vulnerabilities) against risk tolerance
  • continuous aggregation of security findings into visualization of security posture and residual risk
  • security status always available for review and security event triggers are reviewed within agreed-to timeframes with AO

[Figure: control gates / risk tolerance checks → Near Real-Time Security Posture Visualization]


A Little Shift in RMF Roles & Responsibilities

• Establish PMO as a trusted agent of the AO through the process and team authorizations and oversight
• Assessors still have the role of
  • reviewing security posture dashboards on residual risk & trends
  • reviewing findings that may exceed the AO risk tolerance and PMO risk reduction alternatives & providing risk assessments & authorization recommendations
• Need to determine who will perform assessments and authorizations of shared platforms, processes, and teams
  • Current RMF assessors
  • Independent assessors


Assessment & Authorization Walk-Through

• determine security categorization
• determine AO’s risk tolerance
• translate to possible security findings, severity, & CI/CD phases
• develop control gate pass / fail rules and trigger approach & notifications
• set up platform for monitoring of app & develop feedback loops
• establish metrics, security backlog, & POA&M approach
• establish visualization dashboard and security posture reviews
• establish IaC for building secure infrastructure support enclaves
• run application through the pipeline
• once all control gates have passed and feedback loops are established, the app is authorized for use

[Figure: Assessment & Authorization flow – the AO’s risk tolerance, informed by threat, security control baseline, and mission assurance analysis, is translated to possible security findings and severity (threats? vulnerabilities? mission assets?); security automation (scanning, testing, validation) feeds control gates & feedback; continuous risk determination & CI/CD stage code promotion lead to automatic risk determination (compliance, effectiveness, change in threat, malicious detection) and feedback]

Control gates shown in the figure:
• Static Code Analysis – pass / fail on severity of findings
• Dynamic Code Analysis – pass / fail on severity of findings
• Bill of Materials (dependencies) – pass / fail on severity of findings
• Container Security Scanning – pass / fail on severity of findings
• Red-teaming / AA / CVPA – risk feedback

A gate can either break the build or pass the build with X days to fix.
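The control-gate mechanics described in the Continuous Risk Determination key points and in the Assessment & Authorization walk-through above, as an added example that is not code from this presentation or from any DoD program: a small Python evaluator that translates an AO's risk tolerance into per-gate pass/fail rules, breaks the build or passes it with X days to fix depending on finding severity, flags findings over tolerance for ISSM/assessor/AO review, and records deferred findings as structured backlog entries. Gate names, thresholds, rule identifiers, findings and the reference date are all constructed.

```python
"""Control-gate evaluation against an AO's risk tolerance.

Added example; not code from the DoD CIO presentation or any DoD program.
Every gate name, threshold, finding, identifier and date below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, List


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    gate: str          # security-automation gate that produced it: sast, dast, sbom, container
    rule_id: str       # scanner rule identifier (constructed placeholder)
    severity: Severity
    location: str      # file, endpoint, package or image layer (constructed)


@dataclass(frozen=True)
class GateRule:
    """AO risk tolerance for one gate in one CI/CD stage: the severity at which the
    build breaks, the severity at which it passes with a fix deadline, and that deadline."""
    fail_at: Severity
    defer_at: Severity
    days_to_fix: int
    max_deferred: int = 5   # too many deferred findings is itself over tolerance


@dataclass
class GateResult:
    gate: str
    passed: bool = True
    blocking: List[Finding] = field(default_factory=list)
    deferred: List[Finding] = field(default_factory=list)
    escalate: bool = False  # raise an event for ISSM / assessor / AO review


def evaluate_gate(gate: str, rule: GateRule, findings: List[Finding]) -> GateResult:
    """Apply one gate's pass/fail rule to the findings attributed to that gate."""
    result = GateResult(gate=gate)
    for f in findings:
        if f.gate != gate:
            continue
        if f.severity >= rule.fail_at:
            result.blocking.append(f)       # break the build
        elif f.severity >= rule.defer_at:
            result.deferred.append(f)       # pass the build with X days to fix
    if result.blocking or len(result.deferred) > rule.max_deferred:
        result.passed = False
        result.escalate = True              # over tolerance: a human decision is required
    return result


def evaluate_stage(rules: Dict[str, GateRule], findings: List[Finding]) -> Dict[str, GateResult]:
    """Run every gate configured for a CI/CD stage (an unconfigured gate is not consulted)."""
    return {gate: evaluate_gate(gate, rule, findings) for gate, rule in rules.items()}


def may_promote(results: Dict[str, GateResult]) -> bool:
    """Code moves to the next CI/CD phase only when every gate passed."""
    return all(r.passed for r in results.values())


def security_backlog(results: Dict[str, GateResult], rules: Dict[str, GateRule],
                     as_of: date) -> List[dict]:
    """Deferred findings become structured backlog entries with a due date, so the
    POA&M view can be generated from data instead of written by hand."""
    entries = []
    for gate, r in results.items():
        for f in r.deferred:
            entries.append({"gate": gate, "rule_id": f.rule_id, "severity": f.severity.name,
                            "location": f.location,
                            "due": (as_of + timedelta(days=rules[gate].days_to_fix)).isoformat()})
    return entries


# Constructed tolerance: the development stage tolerates more than production.
RULES = {
    "dev": {
        "sast": GateRule(Severity.CRITICAL, Severity.HIGH, 30),
        "sbom": GateRule(Severity.CRITICAL, Severity.HIGH, 30),
        "container": GateRule(Severity.CRITICAL, Severity.HIGH, 14),
    },
    "prod": {
        "sast": GateRule(Severity.HIGH, Severity.MEDIUM, 30),
        "dast": GateRule(Severity.HIGH, Severity.MEDIUM, 30),
        "sbom": GateRule(Severity.HIGH, Severity.MEDIUM, 30),
        "container": GateRule(Severity.HIGH, Severity.MEDIUM, 14),
    },
}

# Constructed scanner output for one pipeline run.
FINDINGS = [
    Finding("sast", "EXAMPLE-SAST-001", Severity.HIGH, "src/auth/session.py:42"),
    Finding("sbom", "EXAMPLE-DEP-002", Severity.MEDIUM, "pkg:pypi/example-lib@1.2.3"),
    Finding("container", "EXAMPLE-IMG-003", Severity.LOW, "layer 3 (base image)"),
]


def evaluate_run(stage: str, as_of: date = date(2020, 10, 8)):
    """Promotion decision, per-gate results and backlog for one stage of one run."""
    results = evaluate_stage(RULES[stage], FINDINGS)
    return may_promote(results), results, security_backlog(results, RULES[stage], as_of)


if __name__ == "__main__":
    for stage in ("dev", "prod"):
        promote, results, backlog = evaluate_run(stage)
        print(stage, "PROMOTE" if promote else "BLOCKED",
              {g: ("pass" if r.passed else "FAIL") for g, r in results.items()}, backlog)
```

With the constructed input the same HIGH static-analysis finding is deferred with a 30-day fix deadline in the development stage but breaks the build and raises an escalation event in production; the tolerance is expressed once per stage as data, which is what lets the promotion decision be automatic and repeatable.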


Aligning Continuous Authorization with Traditional ATO requirements and reporting

38

Development Dashboard Compliance Dashboard Event/Incident Dashboard

Structured Data 800-53/CCI Mapping & SAR/POAM Generation & CCORI Compliance

Technology Research Need: Can the traditional ATO documentation and artifacts be generated from the data collected by the cATOplatforms

Page 39

Summary

Continuous Authorization

• Objective: Enable DoD to achieve elite DevSecOps performance and maintain the Department’s technological advantage over near-peer adversaries

• Significant evolution for traditional practices

• Accredit platform, process, people rather than product/system/application

• Accredited platform supports full-lifecycle – development through operations

• Platform maintained as an operational system with integrated CSSP/Defensive cyber operations

• Maximized use of automation and real-time data driven risk management

• Immutability of production environment: maximum use of Infrastructure and Compliance as Code

• Next Steps

• Release draft documentation for DoD review and publication

• Determine feasibility and approach to align cATO approach with RMF and eMASS

• Develop assessment criteria to evaluate initial implementations

• Identify early adopters

Page 40

QUESTIONS?

Page 41

Next DevSecOps CoP Meeting

• Date/Time: Thursday, November 12, 2020 from 1:00 PM until 4:00 PM ET

• Theme is TBD

Page 42

Closing Remarks

Page 43

Contact Information

MilSuite Site https://www.milsuite.mil/book/groups/dod-enterprise-devsecops

Air Force Site https://software.af.mil/

DevSecOps Mailbox [email protected]

Nicolas Chaillan Air Force [email protected]

Jeff Boleng OUSD(A&S) [email protected]

Rob Vietmeyer DoD CIO [email protected]

Ana Kreiensieck DoD CIO [email protected]

Drew Malloy DISA [email protected]

Page 44

QUESTIONS?

Page 45

Backups

Page 46

Continuous Monitoring Activities

Security Status Monitoring

Security Control Assessment

Security Status Reporting

Risk Tolerance Monitoring

Continuous Authorization

• Manual risk assessment of sprint backlog

• DevSecOps automated tool sprint assessments: STIG (Compliance as Code), SAST, DAST, & pen testing

• Ops Incident analysis with feedback to DevSec

• DevSec review of assessment findings

• Review security status: Tier II & III SIEM event log monitoring, control compliance/effectiveness, Analysis of cyber metrics and risk score

• Review risk tolerance threshold monitoring: Review of change request impact analysis, Review of cyber findings, Review of threat landscape

• Manual review of app security designs

• Impact of risk to mission

• Development of courses of action

• Automated compliance checking and reporting

• Ongoing risk score/posture

• Tolerance threshold trend data

• Backlog list of security stories

• Cybersecurity metrics: non-compliance, vulnerabilities, incidents, Sec issues on backlog

• Change in threat

• Provide tolerance guidance

• Assess based on time/event trigger

• People certified for maintaining cATO

• Process certified & accredited

• Approve entry to continuous authorization

DevSecOps
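The Risk Tolerance Monitoring and Continuous Authorization activities on this slide (ongoing risk score, tolerance threshold trend data, change in threat, assessment based on time/event trigger) can be combined into one monitoring routine. The block below is an added illustration, not code from the DoD DevSecOps CoP or from any DoD platform: the metric weights, the tolerance threshold, the trend window and the 90-day reassessment interval are constructed stand-ins for an AO's tolerance guidance, not values from the slides.

```python
"""Risk-tolerance threshold monitoring with time/event assessment triggers
(added illustration).

Builds a running risk score from the cybersecurity metrics listed on the
slide (non-compliance, vulnerabilities, incidents, security issues on the
backlog), keeps tolerance threshold trend data, and reports why an assessment
should be triggered: by time, or by event (threshold crossed, change in
threat, adverse trend). Weights, threshold and windows are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    """One reporting period of the cybersecurity metrics named on the slide."""
    as_of: date
    non_compliance: int      # open Compliance-as-Code (STIG) failures
    vulnerabilities: int     # open scanner findings
    incidents: int           # security incidents reported by Ops
    backlog_sec_issues: int  # security stories still on the backlog
    threat_changed: bool     # 'change in threat' flag from the threat review


# Constructed weights: an incident weighs far more than an open backlog item.
WEIGHTS = {"non_compliance": 2, "vulnerabilities": 1, "incidents": 10, "backlog_sec_issues": 1}
TOLERANCE = 40      # constructed AO tolerance threshold on the composite score
REASSESS_DAYS = 90  # constructed time-based trigger
TREND_PERIODS = 3   # consecutive rises that count as an adverse trend


def risk_score(s: Snapshot) -> int:
    """Ongoing risk score: weighted sum of the period's metrics."""
    return sum(getattr(s, k) * w for k, w in WEIGHTS.items())


def trend(history) -> list:
    """Tolerance threshold trend data: the score per period, oldest first."""
    return [risk_score(s) for s in history]


def assessment_triggers(history, last_assessment: date):
    """Return (latest score, reasons) for assessing the latest snapshot."""
    latest = history[-1]
    scores = trend(history)
    score = scores[-1]
    reasons = []
    if score > TOLERANCE:
        reasons.append("event: risk score exceeds AO tolerance threshold")
    if latest.threat_changed:
        reasons.append("event: change in threat")
    recent = scores[-(TREND_PERIODS + 1):]
    if len(recent) == TREND_PERIODS + 1 and all(a < b for a, b in zip(recent, recent[1:])):
        reasons.append(f"trend: risk score rose for {TREND_PERIODS} consecutive periods")
    if (latest.as_of - last_assessment).days >= REASSESS_DAYS:
        reasons.append(f"time: {REASSESS_DAYS}+ days since last assessment")
    return score, reasons


# Constructed weekly snapshots for one application on the platform.
SAMPLE_HISTORY = [
    Snapshot(date(2020, 9, 17), 3, 10, 0, 4, False),
    Snapshot(date(2020, 9, 24), 4, 12, 0, 5, False),
    Snapshot(date(2020, 10, 1), 5, 14, 0, 6, False),
    Snapshot(date(2020, 10, 8), 6, 15, 1, 7, True),
]
SAMPLE_LAST_ASSESSMENT = date(2020, 7, 1)


def run_sample():
    """Evaluate the constructed history; returns (latest score, trigger reasons)."""
    return assessment_triggers(SAMPLE_HISTORY, SAMPLE_LAST_ASSESSMENT)


if __name__ == "__main__":
    score, reasons = run_sample()
    print("trend:", trend(SAMPLE_HISTORY), "latest score:", score)
    for r in reasons:
        print("assessment trigger ->", r)
```

With the constructed history the score climbs 20, 25, 30, 44 over four weekly periods; the last period crosses the tolerance threshold, carries a change-in-threat flag, completes three consecutive rises, and falls more than 90 days after the previous assessment, so all four trigger kinds fire at once. A single quiet period with a recent assessment yields no trigger, which is the steady state the continuous authorization is meant to sustain.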
