Platform One: DoD Enterprise DevSecOps Services

UNCLASSIFIED / APPROVED FOR PUBLIC RELEASE

Mr. Thomas Petrillo
Chief Information Officer / G6

PEO Simulation, Training and Instrumentation

3 June 2020

Page 2: Platform One: DoD Enterprise DevSecOps Services

Repo One: DoD Centralized Container Source Code Repository (DCCSCR)

• Central repository for the source code to create hardened and evaluated containers

• Includes source code for various open-source products and the infrastructure as code used to harden Kubernetes distributions

• https://repo1.dsop.io/dsop/

Page 3: Platform One: DoD Enterprise DevSecOps Services

Iron Bank: DoD Centralized Artifacts Repository (DCAR)

• DoD repository of digitally signed, binary container images

• Hardened IAW the Container Hardening Guide coming from Iron Bank

• DoD-wide reciprocity across classifications

• https://ironbank.dsop.io/

Page 4: Platform One: DoD Enterprise DevSecOps Services

DevSecOps Platform (DSOP)

• Collection of:

− approved, hardened Cloud Native Computing Foundation (CNCF)-compliant Kubernetes distributions

− infrastructure as code playbooks

− hardened containers that implement a DevSecOps platform compliant with the DoD Enterprise DevSecOps Reference Design

• Source code is hosted on Repo One

• CNCF-compliant Kubernetes distributions currently supported:

− OpenShift 4.x

− Kubernetes upstream

− VMware PKS Essential

− Rancher Federal RKE

• Includes mandated containers of the Reference Design

− Elasticsearch, Fluentd, and Kibana (EFK)

− Sidecar Container Security Stack (SCSS)

Page 5: Platform One: DoD Enterprise DevSecOps Services

Platform One Enterprise Services

• Party Bus: Platform One Shared Enterprise Environments (Multi-Tenant) (for Development, Test and Production)

• Big Bang: Platform One Dedicated DevSecOps Environments

• Custom Development Services

• Cloud Native Access Point (CNAP)

• Continuous Integration / Continuous Delivery (CI/CD) with Infrastructure as Code (IaC)

• DevSecOps Managed Tools

• Cybersecurity/Pen-testing Services

• Training/On-Boarding Options

− DAU, 1-day Intro to DevSecOps, 3-day Workshop, 6-week full on-boarding, 2-month full on-boarding and customized training option

Page 6: Platform One: DoD Enterprise DevSecOps Services

DevSecOps Basic Ordering Agreements (BOAs) – Contract Vehicles

• Acquisition and bulk purchasing of DevSecOps tools, services and talent

• DoD Contracting Officers and Acquisition workforce can receive training to leverage the DevSecOps BOAs

Page 7: Platform One: DoD Enterprise DevSecOps Services

DevSecOps Playbook

Overview Skills required Types of Work

• Help in Day-to-Day Job

• Red Team

• Blue Team

• Security Engineering

• Operations

• Secure Development

• Security Science

• Security Testing

• Continuous response

• Compliance Operations

• Consulting

• Code Development

• Threat analysis

• Penetration Testing

• Event Detection & Correlation

• Big Data Analytics

Page 8: Platform One: DoD Enterprise DevSecOps Services

[Figure: DoD Enterprise DevSecOps Technology Stack (Exemplar). Diagram labels: Plan & Develop; Build; Test; Secure; Store Artifacts; Deploy & Operate; Monitor; Scale; "Continuous Integration & Continuous Delivery" Orchestration; Container and Container Management.]