
Tackling RMF w/DevSecOps

Jennifer Rekas
jrekas@mitre.org
March 2019

The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is
not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or
viewpoints expressed by the author. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED.
Approved for Public Release; Distribution Unlimited. Public Release Case Number 19-0841
Agenda

• Brief Reminder of What DevSecOps Is and Where Information Security Fits
• Brief Case Study
• Tidbits from Other Sponsors


Common SDLC Pattern

DevOps is about automating as much of the SDLC as possible to reduce delivery time, improve quality/security, and reduce rework/fix cost.

Image source: https://www.mountaingoatsoftware.com/presentations/an-introduction-to-scrum


What To Do? DevSecOps

Development, Security, and Operations are one team.

Enabled by: Culture / Mindset, Technology, Automation, and Processes.
Image sources: https://www.peakgrantmaking.org/blog/process-automation-new-black/
https://martinfowler.com/bliki/DevOpsCulture.html
What Is the "Enabling"?

🤝 Collaboration Between Stakeholders
🛣 Infrastructure as Code
⚙ Automation of Processes
🔍 Continuous Monitoring of applications and infrastructure
Different Model

Image source: IBM Research, Software Defined Environments; IBM Federal Cloud Innovation Center
Culture - Align the people to DevSecOps

Developers and Operations: Include Security!

Image sources: https://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr/6-Spock_Scotty_Little_bit_weird,


http://www.fanpop.com/clubs/star-trek-the-next-generation/images/9406774/title/lieutenant-worf-photo
What about Security (IA)?

(Figure: SANS Secure DevOps toolchain; defined good results feed the DevSecOps pipeline.)

Image source: https://www.sans.org/security-resources/posters/appsec/secure-devops-toolchain-swat-checklist-60


How One Government Agency Did It (and other tidbits)

"ATO-in-a-Day"
aka "ATO at Hello"
aka "Continuous ATO"

• Enterprise Strategy: Agile SDLC -> Need security processes to meet speed
• Defined security "playbook" and maturity model
• RMF Policy Interpretation
• How can we use automation output to meet the requirements? How can we maximize inheritance of controls?
• Tailored security rigor and body of evidence requirements based on risk level
• Provide Unclassified PaaS that meets ~80% of required security controls
• Focus on supply chain: custom dependency checking of products moving low to high
• Embed security DevOps engineer with enterprise DevOps team
• Risk mgt staff (security assessors) culture change


PaaS Compared

(Figure: PaaS options on a spectrum. One end: customization, higher costs, slower time to value, more complex. Other end: standardization, lower costs, faster time to value, larger job pool.)
Image source: https://www.oreilly.com/library/view/the-enterprise-cloud/9781491907832/ch01.html
System Eligibility

• Basic Criteria:
  • Leverage the provided PaaS Microservice Architecture
  • Build and deliver using the provided enterprise DevSecOps Pipeline
  • Utilize APIs only for data calls
• Utilizing the enterprise provided resourcing = Inherit more than 80% of controls from common control provider
• "ATO-in-a-Day" applies to unclassified, Category 1-Minimum Viable Product applications (actually ATO in 30 days or less)
• TS/SCI applications may take an additional 30 days


DevSecOps Tool Selection Example

Pipeline: Agile PM + Source Code Mgt + Build Tools + Continuous Integration + Artifact Repository + Testing Framework + Provisioning + Configuration Mgt & Deploy

Security: inspec, ZAP

Logging & Monitoring

Integrated Security Assessment
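The case study's question of how to use automation output to meet RMF requirements, together with the InSpec entry in the tool selection above, is illustrated by the following added example. It is not code from the presentation or from any agency; it is written here to show how the JSON a compliance scanner emits can be rolled up per NIST SP 800-53 control so the pipeline produces ATO evidence directly. The sample report is constructed for this example; its shape (profiles -> controls -> results, with a `tags` hash carrying a `nist` list) follows InSpec's `json` reporter as I know it, but field names should be checked against the InSpec version actually in the pipeline.

```python
"""Roll up InSpec JSON results per NIST SP 800-53 control (added example)."""
import json
from collections import defaultdict

# Constructed sample, shaped like `inspec exec <profile> --reporter json`.
# This is illustrative data, not output from a real system.
SAMPLE_INSPEC_JSON = """
{
  "profiles": [
    {
      "name": "paas-baseline",
      "controls": [
        {"id": "ssh-01", "title": "SSH root login disabled", "impact": 0.7,
         "tags": {"nist": ["AC-6", "IA-2"]},
         "results": [{"status": "passed"}]},
        {"id": "audit-01", "title": "auditd running", "impact": 0.5,
         "tags": {"nist": ["AU-12"]},
         "results": [{"status": "failed", "message": "expected service to be running"}]},
        {"id": "tls-01", "title": "TLS 1.0 disabled", "impact": 0.9,
         "tags": {"nist": ["SC-8"]},
         "results": [{"status": "skipped", "skip_message": "service not installed"}]},
        {"id": "misc-01", "title": "Untagged control", "impact": 0.3,
         "tags": {},
         "results": [{"status": "passed"}]}
      ]
    }
  ]
}
"""


def control_status(control):
    """Collapse a control's result list into one status.

    Any failed result fails the control; a skipped result means no evidence
    was collected, so it must not be counted as a pass; an empty result list
    is also treated as failed rather than silently passing."""
    statuses = [r.get("status") for r in control.get("results", [])]
    if not statuses or "failed" in statuses:
        return "failed"
    if "skipped" in statuses:
        return "skipped"
    return "passed"


def rollup_by_nist(report_json):
    """Return {nist_id: {"passed": [...], "failed": [...], "skipped": [...]}}.

    InSpec controls with no `nist` tag go under "UNMAPPED" so that evidence
    which cannot be attributed to a control is visible, not lost."""
    report = json.loads(report_json)
    rollup = defaultdict(lambda: {"passed": [], "failed": [], "skipped": []})
    for profile in report.get("profiles", []):
        for control in profile.get("controls", []):
            nist_ids = control.get("tags", {}).get("nist") or ["UNMAPPED"]
            status = control_status(control)
            for nist_id in nist_ids:
                rollup[nist_id][status].append(control["id"])
    return dict(rollup)


def satisfied_controls(rollup):
    """NIST controls backed by at least one pass and no failed or skipped check."""
    return sorted(
        cid for cid, r in rollup.items()
        if cid != "UNMAPPED" and r["passed"] and not r["failed"] and not r["skipped"]
    )


def unsatisfied_controls(rollup):
    """NIST controls that still need attention before they can be claimed."""
    return sorted(
        cid for cid, r in rollup.items()
        if cid != "UNMAPPED" and (r["failed"] or r["skipped"] or not r["passed"])
    )


if __name__ == "__main__":
    roll = rollup_by_nist(SAMPLE_INSPEC_JSON)
    for cid in sorted(roll):
        print(cid, roll[cid])
    print("satisfied:", satisfied_controls(roll))
    print("unsatisfied:", unsatisfied_controls(roll))
```

The conservative rules (skipped is not passed, an untagged check is reported separately rather than dropped) are the part an assessor will ask about: a control is only "met" when every check mapped to it produced a pass, and anything the scanner could not evaluate stays on the unsatisfied list for the tailored body of evidence.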
Questions?
