CASE STUDY

Enterprise-Scale DevSecOps for DoD ISR

Since 2017 Volant has worked with the Department of Defense to build, deploy and sustain a robust collaboration environment and cloud-hosted software development tools (DevTools) on the unclassified network (35k+ users and 4k+ projects) and on the Secret Internet Protocol Router Network (SIPRNet).

The DoD should embrace DevSecOps (not just DevOps) and provide policy supported processes, certified libraries, tools, and a toolchain reference implementation to produce “born secure” software.

— Defense Innovation Board Federal Advisory Committee

Over the past several years, recurring technical tasks involving backup, recovery, deployment and upgrades to the delivered solution have been automated by leveraging the APIs and native capabilities of the cloud platforms to increase efficiency and reliability. The successful delivery of these automation features to the DI2E Framework, combined with our experience supporting the automation and streamlining of security accreditation processes, has enabled Volant to become a key government partner in helping to shape the vision for the emerging Enterprise Scale DevSecOps for DoD ISR initiative.

[Figure: Orchestrated DevOps Pipeline]

The Challenge

The environment currently supports much of the tooling and automation necessary for DoD and IC system developers to leverage iterative DevOps software methods, in which development and deployment to operations are treated as a continuous process. For example, many development teams using long-standing DI2E Framework provided capabilities (e.g., Jenkins, Nexus) have been successful with continuous delivery of improved functionality based on direct interaction and feedback from end users. However, based on lessons learned from work done on securing the government software supply chain, the government has determined that the existing solution needs to support a full DevSecOps environment. This reflects the importance of integrating security directly into the DevOps cycle rather than “bolting security on” at the end of the deployment process. The key challenge is to ensure security is included at all stages of the software development and deployment process via an established and maintained DevSecOps toolchain. Once this DevSecOps toolchain is deployed to our environment, the streamlining and automation of the end-to-end Risk Management Framework (RMF) based accreditation process can be realized, reducing the time to verify individual security controls and shortening the overall time to deploy secure software in support of the mission.

Features of our solution include:

  • COTS based
  • Tailored Workflows
  • Secure

Approach

Volant’s approach is to enhance and extend the existing deployed Orchestrated DevOps Pipeline (Figure Above) by introducing Opencontrol based capabilities built to streamline the security accreditation process. Opencontrol combines technical work done by the government (18F, 18f.gsa.gov) and commercial vendors (Docker, Red Hat, etc.) to integrate the RMF security cycle with DevOps, arriving at an integrated DevSecOps toolchain. Based on the Volant team’s direct experience, Opencontrol has been selected as a core component of the overall DevSecOps toolchain for several key attributes:

  • Technology neutral
  • Application testing matched to the technology
  • Serves the Developer and the Accreditor
  • Works with existing human and DevOps processes

Opencontrol also helps unify stakeholder participation throughout the entire DevSecOps toolchain. It creates opportunity for continuous collaboration and provides a means to implement, track, and monitor security-related controls throughout the entire DevOps process.
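The control tracking described above can be turned into a pipeline gate: every control the accreditation requires must be claimed by some component, marked complete, and carry a narrative an accreditor can verify. The Python below is an added example for this page, not Volant’s code and not part of the Opencontrol project. The component and certification data are constructed for illustration; they follow the shape of Opencontrol’s component.yaml (schema_version 3.0.0) and certification files but are held as Python dicts so the script runs offline with the standard library only (real files are YAML and would be loaded with pyyaml). The component names, narratives and the certification name are invented; the control keys are NIST SP 800-53 identifiers.

```python
"""Coverage gate over Opencontrol-style component and certification data.

Constructed example. CERTIFICATION mirrors an Opencontrol certification
file (standards -> standard -> required control keys); COMPONENTS mirrors
parsed component.yaml files (schema_version 3.0.0). Names and narratives
are invented; in a real pipeline these would be loaded from YAML.
"""
from collections import defaultdict

# Constructed certification: the controls the accreditation boundary must satisfy.
CERTIFICATION = {
    "name": "example-LATO",
    "standards": {
        "NIST-800-53": {"AC-2": {}, "AC-6": {}, "AU-2": {}, "CM-6": {}, "SI-2": {}},
    },
}

# Constructed components, in the shape of parsed component.yaml files.
COMPONENTS = [
    {
        "name": "Git Server",
        "schema_version": "3.0.0",
        "satisfies": [
            {"standard_key": "NIST-800-53", "control_key": "AC-2",
             "implementation_status": "complete",
             "narrative": [{"text": "Accounts are provisioned from the enterprise IdP."}]},
            {"standard_key": "NIST-800-53", "control_key": "AC-6",
             "implementation_status": "partial",
             "narrative": [{"text": "Repository roles limit write access."}]},
        ],
    },
    {
        "name": "CI Runner",
        "schema_version": "3.0.0",
        "satisfies": [
            {"standard_key": "NIST-800-53", "control_key": "AU-2",
             "implementation_status": "complete",
             "narrative": [{"text": "Build logs are forwarded to the SIEM."}]},
            {"standard_key": "NIST-800-53", "control_key": "CM-6",
             "implementation_status": "complete",
             "narrative": []},  # claimed complete but nothing an accreditor can verify
        ],
    },
]


def required_controls(certification):
    """Return the set of (standard, control) pairs the certification demands."""
    return {(std, ctl)
            for std, ctls in certification["standards"].items()
            for ctl in ctls}


def coverage(components):
    """Map (standard, control) -> [(component, status, has_narrative), ...]."""
    cov = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            key = (sat["standard_key"], sat["control_key"])
            has_narrative = any(n.get("text", "").strip()
                                for n in sat.get("narrative", []))
            cov[key].append((comp["name"],
                             sat.get("implementation_status", "none"),
                             has_narrative))
    return cov


def assess(certification, components):
    """Classify each required control as missing, incomplete, unverifiable or ok."""
    req = required_controls(certification)
    cov = coverage(components)
    findings = {"missing": [], "incomplete": [], "unverifiable": [], "ok": []}
    for key in sorted(req):
        entries = cov.get(key, [])
        if not entries:
            findings["missing"].append(key)          # no component claims it
        elif any(status != "complete" for _, status, _ in entries):
            findings["incomplete"].append(key)       # claimed, but not done
        elif not all(has_narr for _, _, has_narr in entries):
            findings["unverifiable"].append(key)     # done, but no evidence text
        else:
            findings["ok"].append(key)
    return findings


def gate(certification, components):
    """Pipeline gate: pass only if every required control is complete with a narrative."""
    f = assess(certification, components)
    return not (f["missing"] or f["incomplete"] or f["unverifiable"])


if __name__ == "__main__":
    for category, keys in assess(CERTIFICATION, COMPONENTS).items():
        for std, ctl in keys:
            print(f"{category:12s} {std} {ctl}")
    print("GATE:", "PASS" if gate(CERTIFICATION, COMPONENTS) else "FAIL")
```

Run as a pipeline stage, a failing gate blocks promotion until the component owner either implements the control or records the narrative the accreditor needs; a control that is “complete” with no narrative is treated as a failure on purpose, since it cannot be verified during RMF review.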

Enterprise Scale DevSecOps

[Image]
For more information contact us:

571.210.0030 or info@volantco.com