DoDEnterpriseDevSecOps SourceDiagrams

DoD Enterprise
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
CNCF
Kubernetes
DoD Enterprise
DevSecOps
Reference Design • Additional Reference Designs
DevSecOps DevSecOps …
Strategy Fundamentals
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary • Industry Recognized Best Practices (Pending Interest, Time & Money)
• Guiding Principles • Standardized Nomenclature
Low Code-No Code Legacy …
• Governance Processes • Technology Tool & Activity Mappings Modernization
• SMART Performance Metrics
DoD Enterprise
DevSecOps
CNCF
Kubernetes
(this document)
DoD Enterprise
DevSecOps
Reference Design • Additional Reference Designs
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
DoD Enterprise
DevSecOps
CNCF
Kubernetes
(this document)
DoD Enterprise
DevSecOps
• Additional Reference Designs
Reference Design
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
DoD Enterprise
DevSecOps
CNCF
Kubernetes
• Industry Recognized Best Practices

• Standardized Nomenclature
• Technology Tool & Activity Mappings DoD Enterprise
• SMART Performance Metrics DevSecOps
Reference Design
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
• Executive Summary (Pending Interest, Time & Money)
• Guiding Principles
• Governance Processes Modernization
(this document)
DoD Enterprise
DevSecOps
(this document) CNCF
Kubernetes
DoD Enterprise
DevSecOps
Reference Design
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
DoD Enterprise
DevSecOps
CNCF
Kubernetes
DoD Enterprise
DevSecOps
(this document) Reference Design
• Utilization of AWS Managed Services
DRAFT AWS • Specific Infrastructure as Code (IaC) Usage Requirements
DevSecOps DevSecOps Managed
Strategy Fundamentals Service
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
DoD Enterprise
DevSecOps
CNCF
Kubernetes
DoD Enterprise
DevSecOps
(this document) Reference Design • Utilization of multiple Kubernetes clusters
DRAFT
• Continuous reconciliation across clusters
DevSecOps DevSecOps Multi-Cluster
Strategy Fundamentals CNCF K8s
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
An architectural approach that attempts to Collection of DevSecOps CI/CD pipelines,
exploit the advantages of cloud architecture, where each pipeline is dedicated to unifying
on bare metal or in a Cloud agnostic manner; a conscious people, automated processes, and relevant
focus on how the architecture is designed and deployed, tools to create artifacts in support of a specific
over where it is deployed. program(s) and/or mission set(s).
An architectural approach that accepts CSP lock-in to

exploit CSP managed services and technologies
to create cybersecurity hardened raw ingredients where
further value-add activities occur further down the
software supply chain.
BOTH/AND
CSP Managed Cloud Software
Service Native Factory
Supply Chain
Software
TECH FORCE PROGRAM/

HARDWARE IAAS PAAS SAAS
MULTIPLIERS MISSION
DoD Digital Big Data AI/ML Quantum

Sensors IoT 5G …
Modernization Strategy
Continuous Operations
Continuous Deployment
Continuous Delivery
Continuous Integration
Continuous Build
Release &
Plan Develop Build Test Deploy Operate
Deliver
Cybersecurity Automation (Scanning, Testing, & Validating)
Monitor
Control Gate
Legend
Risk Determination
Feedback Loop
Compliance, Effectiveness, ThreatCon, Malicious Detection
Continuous Build
Release &
Deliver
Cyber Security Automation (Scanning, Testing, & Validating)
Monitor
Continuous Integration
Release &
Deliver
Monitor
Continuous Delivery
Release &
Deliver
Monitor
Continuous Deployment
Release &
Deliver
Monitor
Continuous Operations
Release &
Deliver
Monitor
Release &
Deliver
Monitor
SYSTEM
UNIT ACCEPTANCE
INTEGRATE
TEST TEST
TEST
PEN
SAST DAST
TEST
… … …
STAGE: STAGE: STAGE:
DEVELOPMENT SYSTEM TEST PRE-PRODUCTION
CODE/
SCRIPTS Release
Package
IDE
IDE CODE
IDE REPO
PIPELINE INTEGRATIO RELEASE

DEV TEST
ENVIRONME n ENVIRONME
N& D
PRE- ARTIFAC
NT NT T
PRODUCTION
ENVIRONMENT REPO
LOCAL
ARTIFAC
T
REPO
CODE/
SCRIPTS Release
PIPELINE Package
DEV TEST
ENVIRONME 1 ENVIRONME
NT NT
IDE
IDE CODE
IDE REPO
PIPELINE INTEGRATIO RELEASE

DEV TEST D
ENVIRONME 2 ENVIRONME
N&
PRE- ARTIFAC
NT NT T
PRODUCTION
ENVIRONMENT REPO
LOCAL
ARTIFAC
T
PIPELINE
DEV TEST
REPO ENVIRONME 3 ENVIRONME
NT NT
SOFTWARE FACTORY
KEY: PROCESS FLOW CONTROL GATE PIPELINE CONTROL

ENVIRONMENT REF DESIGN
SPECIFIC SPECIFIC
CYBER 1 DEVSECOPS CYBER
RESILIENCY ECOSYSTEM RESILIENCY
S
DEFEN IN 1
DS
A
DS NT
N
CO
FE
CONTAINS
DE
*
1.. 1..* REF DESIGN
SPECIFIC
ENVIRONMEN HOSTED IN SOFTWARE USES ARTIFACT
T FACTORY 1..* 1 REPOSITORY
1.
.* 1
DE
1..
PL
OY
*
IS AN S CONTAINS
PRODUCTION TO
ENVIRONMENT 1.
.* 1..*
PRE- CONTAINS
HO
IS AN PIPELINE TOOL
ST
PRODUCTION
1 1..*
ENVIRONMENT ED 1
IN
IS AN TEST PRODUCES
ENVIRONMENT
1..*
1
REF DESIGN
SPECIFIC
IS AN DEVELOPMENT DEFENDS CYBER
ENVIRONMENT APPLICATION
RESILIENCY
APPLICATION
S APPLICATIONS
APP FRAMEWORK
REF DESIGN
CONTINUOUS MONITORING REF DESIGN SPECIFIC
• Compliance, Effectiveness
INTERCONNECT
• ThreatCon, Malicious Detect
REF DESIGN
PLATFORM / SOFTWARE FACTORY
REF DESIGN
SPECIFIC
LOGGING
• Log Aggregation & Storage INTERCONNECT

• Log Analysis & Display
REF DESIGN
CI/CD PIPELINES REF DESIGN SPECIFIC
• IaC Defined SW Factory INTERCONNECT

• DevSecOps Tools
REF DESIGN
ENVIRONMENTS REF DESIGN SPECIFIC
• Dev, Test, Integration

INTERCONNECT
RE REF DESIGN
FUTU
REF DESIGN
SPECIFIC
INFRASTRUC
HOSTING ENVIRONMENTS
INTERCONNECT
TURE
• Cloud with DoD PA or ATO

• Other DoD Approved Env
APPLICATION
S APPLICATIONS DoD Enterprise DevSecOps
APP FRAMEWORK
Reference Design:
CNCF Certified Kubernetes
CONTINUOUS MONITORING
REF DESIGN
REF DESIGN
SPECIFIC
• Sidecar Container Security Stack (SCSS)

LOGGING INTERCONNECT
• Log Aggregation & Storage
REF DESIGN
REF DESIGN
SPECIFIC
• Service Mesh Mandate
• Locally Centralized Artifact Repository
CI/CD PIPELINES INTERCONNECT
• IaC Defined SW Factory
• DevSecOps Tools
REF DESIGN
REF DESIGN
SPECIFIC
• CNCF Certified Kubernetes (K8s)
ENVIRONMENTS INTERCONNECT
REF DESIGN
REF DESIGN
SPECIFIC
• Cloud Native Access Point Utilization
INTERCONNECT
INFRASTRUC
TURE

VM11 VM1n
Applications Applications
Guest OS Guest OS
Hypervisor
x86 Server
CAC SOFTWARE
DISA STIG AND CAC DEVELOPMENT PIPELINE

RELEASE
STIG D
PRIORITIES FOR
DEVELOPMENT AUTOMATION DEVELOP BUILD TEST RELEASE ARTIFAC
T
PROCESS REPO
Control Gate(s) Goal
Developmental Test
(Dev, Test,
The System Was Built Right
Integration, & Pre-Production)
Operational Test The Right System Was Right

(Pre-Production, Production)
Continuous Monitoring
Sidecar Container Security Stack (SCSS) DoD Enterprise Cloud
Security Sidecar Container Program Managed Services Security Sidecar Supportive DoD
Enterprise Services
DoD Centralized Artifact

Policy Enforcement Artifact Repository
Repository (DCAR)
Service Mesh Proxy Service Mesh
DoD Common Log & Telemetry
Logging Agent Log Storage & Retrieval
Analysis Service
Runtime Defense Runtime Behavior Analysis (AI)
CVE Service/Host Based
Vulnerability Management
Security
Legend
Hosting DoD Cloud DoD Data Center(s) Bare Metal Server(s) DoD Provided Enterprise Service
Environment
DoD Provided, Program Instantiated
• Define CI/CD Processes & Tasks • Build the Software Factory
• Select Tools • Automate the Workflows
Software Factory
Phases
• Operate & Maintain the

Software Factory
• Verify the Tool Integrations
• Monitor the Software Factory
• Test the Pipeline Workflows
Tools & Processes
• Gather Feedback for Improvement
NODE
NODE
Container Container
Application N O D E Application
Container Container Container
Container Engine Container
Libraries Container
Libraries
Application Application
Orchestrator Container
Engine Application
Libraries
Application
Libraries
Node Operating System
Libraries Libraries

Container Engine

CONTAINER GROUP (POD)
Application Sidecar
Container Container
Shared State
Storage Network
Mission Program Application Platform
Subsystem 1
Application
Logging
Compute & Storage Continuous Mission Program

Monitoring Improvement Change Management
Network Log Aggregated Log Mission Program

Monitoring Aggregation Logs Analysis Incident Management
YES
Security
Monitoring
Incident
YES Incident
Data Detected? Detected?
Monitoring
Subsystem n DoD Common

Log
Filter Security Services
(Logs/Telemetry Analysis)
Application
Lifecycle Years or Months Months or Weeks Weeks or Days Days or Hours
Development
Process Waterfall Agile DevSecOps
Application
Architecture Monolithic n-Tier Microservice
Deployment &
Packaging Physical Virtual Container
Hosting
Infrastructure Server Data Center Cloud Multicloud
Data
Management Silo Data Warehouse Data Lake
Data
Interchange Proprietary XML JSON
Cybersecurity
Posture Firewall, + SIEM, + Zero Trust
30-years ago 15-years ago Present Day Future

Tools Workflows CM V
(Based on DoD Enterprise
DevSecOps Hardened Containers) CM C
IDE
Code
Repository
Build Build
Tool Process
Software Factory
Security
Test(s) SAST/DAST
Dev Environment Tests
Test (Notional/Partial List)
Tool(s) Unit
Test
Artifact
Repository Publish Run Automated Run Automated
Artifacts Test Suite Test Suite
Container
Registry
Build Security
CI/CD Security Container Image Test(s)
Orchestrator Scan
Container Test
Security Scan Tool(s)
Deploy to Deploy to
Release & Deliver
Test Env Integration Env
DoD Test Integration Production
Applications Environment Environment Environment
Tools
Security Security
Test(s) Scan
Software Factory
Workflows
Build Unit Publish Deploy to Deploy to Release & Deploy to

SAST
App Test Artifact(s) Test Pre-Prod Deliver Production

(Notional/Partial List)
Code
Build Artifacts CNCF Kubernetes Deploy Scale
Repository 3rd Party
Services
Tool
Pipeline Integration
Test Deliver Logging Monitor
Control
DevSecOps Services Container Services Operations Services

• Use a source code repo for all production artifacts
• Use trunk-based development methods
•
Continuous
Shift left on security

Delivery
• Implement test automation

• Implement continuous integration
• Support test data management
• Implement continuous delivery
• Automate the deployment process
Architecture
• Use loosely coupled architecture

• Architect for empowered teams
• Adopt a Likert scale survey to measure cultural change progress

Cultural
• Encourage and support continuous learning initiatives

• Support and facilitate collaboration among and between teams
• Provide resources and tools that make work meaningful
• Support or embody transformational leadership
• Gather and implement customer feedback

& Process
Product
• Make the flow of work visible through the value stream

• Work in small batches
• Foster and enable team experimentation
ment
•
ing
Have a lightweight change approval process

Option A Option B
COTS DoD Authorized
Container Orchestration Container Service
Applications Applications
Software Factory Software Factory

(DoD Enterprise DevSecOps Containers) (DoD Enterprise DevSecOps Containers)
Container Orchestration Container Service (DoD PA)

(OCI Compliant Containers, (OCI Compliant Containers,
CNCF Certified Kubernetes) CNCF Certified Kubernetes)
Hosting Environment Hosting Environment

(DoD Cloud, Data Center, or Bare Metal) (DoD Cloud)
Mission Program Responsibility & Managed Components

Hosting Environment Provider Responsibility & Managed Components
Shared Responsibility Model
Applications
Software Factory
(DoD Enterprise DevSecOps Containers)
Container Orchestration
(OCI Compliant Containers,
CNCF Certified Kubernetes)
Hosting Environment
(DoD Cloud, Data Center, or Bare Metal)

Hosting Environment Provider Responsibility & Managed Components
Problems
Quality
SECURE SOFTWARE DETECTS AND STABLE SOFTWARE PERFORMS
RESISTS CYBERATTACKS, Security Stability WELL WITHOUT BREAKING OR
OFFERING THE WARFIGHTER A Resilient CRASHING, & DYNAMICALLY
QUANTIFIED DEGREE OF CYBER Software Se SCALES TO MATCH DEMAND
y
ilit s Pr curi
SURVIVABILITY a b
St blem
ob t
lem y
o
Pr s
Quality
QUALITY SOFTWARE MAXIMIZES

USER REQUESTED FEATURE
SETS AND MINIMIZES
FUNCTIONAL DEFECTS
2.0 Strategy Guide 2.1
Set
2.0 Fundamentals 2.1
Document
2.0 Tools & Activities Guidebook 2.1
Update 2
2.0 Reference Design: CNCF K8s 2.1
DevSecOps
-- Reference Design: AWS CSP w/IaC 1.0
2.0 Playbook - DevSecOps 2.1

Industry Contribution
“DoD should modify its processes to mimic industry’s

best practices rather than try to contract for and
maintain customized software.”
(Defense Innovation Board, Software is Never Done, May 2019)
Tools Workflows CM V
(Based on DoD Cloud IaC Baselines &
DevSecOps Hardened Containers) CM C
IDE
Code
Repository
Build Build
Tool Process
Software Factory
Security
Test(s) SAST/DAST
Test (Notional/Partial List)
Tool(s) Unit
Test
Artifact
Repository Publish Run Automated Run Automated
Artifacts Test Suite Test Suite
Container
Registry
Build Security
CI/CD Security Container Image Test(s)
Orchestrator Scan
Container Test
Security Scan Tool(s)
Deploy to Deploy to
Release & Deliver
Test Env Integration Env
AWS Managed Service
Container Orchestration
Applications
Software Factory
(DoD Enterprise DevSecOps Containers)
AWS EKS Control Plane

(CNCF Certified Kubernetes)
Amazon Web Services

Hosting Environment Provider Responsibility & IaC Provisioned Managed Components
APPLICATION
APP FRAMEWORK
Reference Design:
AWS Managed Services
REF DESIGN
• AWS EventBridge
REF DESIGN
SPECIFIC
• AWS CloudEvents
LOGGING INTERCONNECT • AWS Security Hub
REF DESIGN
REF DESIGN
SPECIFIC
• AWS App Mesh
• AWS Elastic Container Registry (ECR)
• DevSecOps Tools
REF DESIGN • AWS Elastic Kubernetes Service (EKS)
REF DESIGN
SPECIFIC
• AWS CodePipeline
• AWS CodeBuild
ENVIRONMENTS INTERCONNECT • AWS CodeCommit
REF DESIGN
• AWS CloudFormation
REF DESIGN
SPECIFIC
• Cloud Native Access Point, and/or
INTERCONNECT • BCAP Connected VDSS
INFRASTRUC
TURE

COCOM App
User Service Specific App
Joint App
DoD Test Integration Production
Applications Environment Environment Environment
Software
Factory
Tools
Security Security
Test(s) Scan
Workflows
Build Unit Publish Deploy to Deploy to Release & Deploy to

SAST
App Test Artifact(s) Test Pre-Prod Deliver Production

(Notional/Partial List)
DoD Code
Build Artifacts CNCF Kubernetes Deploy Scale
Cloud Repository 3rd Party
Tool
or Pipeline Integration
Test Deliver Logging Monitor
Control
CSP
w/PA
Cloud DevSecOps Services Cloud Container Services Cloud Operations Services
APPLICATION
APP FRAMEWORK
Reference Design:
Multi-Cluster CNCF Kubernetes
REF DESIGN
REF DESIGN
SPECIFIC
• Immutable Infrastructure via IaC

LOGGING INTERCONNECT
REF DESIGN
REF DESIGN
SPECIFIC
• Continuous Reconciliation Mandate
• DevSecOps Tools
REF DESIGN
REF DESIGN
SPECIFIC
• Multi-Cluster CNCF Kubernetes
ENVIRONMENTS INTERCONNECT
REF DESIGN
REF DESIGN
SPECIFIC
• Secure Supply Chain Provenance Mandate
INTERCONNECT
INFRASTRUC
TURE

CODE REPOSITORY
(source of truth)
Manifests
Reconciliation Day 2
Loop Reconciliation
K8s
Clusters
Control
Plane
Cluster Creation
& Enforcement
GLOBAL CONTROL PLANE Supply Chain Process
Active
Connections
Workload
K8s Cluster
Services
REGIONAL MANAGEMENT CLUSTER
Active
Connections
Workload
K8s Cluster
Services
Pathway to DevSecOps Reference Design
Evaluation & Publish Approved

Lessons
Differentiation Draft Ref Design
Learned
Community Define Execute SW Mod SSG

Proposal Interconnects Pilot Briefing
Pathway to DevSecOps Reference Design
Evaluation & Publish Approved

Lessons
Differentiation Draft Ref Design
Learned
Community Define Execute SW Mod SSG

Proposal Interconnects Pilot Briefing

DoDEnterpriseDevSecOps SourceDiagrams

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DoDEnterpriseDevSecOps SourceDiagrams

Uploaded by

Copyright:

Available Formats

DoD Enterprise

• Industry Recognized Best Practices

An architectural approach that accepts CSP lock-in to

TECH FORCE PROGRAM/

DoD Digital Big Data AI/ML Quantum

PIPELINE INTEGRATIO RELEASE

PIPELINE INTEGRATIO RELEASE

KEY: PROCESS FLOW CONTROL GATE PIPELINE CONTROL

CONTINUOUS MONITORING REF DESIGN SPECIFIC

• Log Aggregation & Storage INTERCONNECT

CI/CD PIPELINES REF DESIGN SPECIFIC

• IaC Defined SW Factory INTERCONNECT

ENVIRONMENTS REF DESIGN SPECIFIC

• Dev, Test, Integration

• Cloud with DoD PA or ATO

• Sidecar Container Security Stack (SCSS)

• Cloud with DoD PA or ATO

DISA STIG AND CAC DEVELOPMENT PIPELINE

Operational Test The Right System Was Right

DoD Centralized Artifact

• Operate & Maintain the

Node Operating System

Node Operating System

Compute & Storage Continuous Mission Program

Network Log Aggregated Log Mission Program

Subsystem n DoD Common

30-years ago 15-years ago Present Day Future

Build Unit Publish Deploy to Deploy to Release & Deploy to

Dev Environment Tests

DevSecOps Services Container Services Operations Services

Shift left on security

• Implement test automation

• Use loosely coupled architecture

• Adopt a Likert scale survey to measure cultural change progress

• Encourage and support continuous learning initiatives

• Gather and implement customer feedback

• Make the flow of work visible through the value stream

Have a lightweight change approval process

Software Factory Software Factory

Container Orchestration Container Service (DoD PA)

Hosting Environment Hosting Environment

Mission Program Responsibility & Managed Components

Mission Program Responsibility & Managed Components

QUALITY SOFTWARE MAXIMIZES

-- Reference Design: AWS CSP w/IaC 1.0

2.0 Playbook - DevSecOps 2.1

“DoD should modify its processes to mimic industry’s

AWS EKS Control Plane

Amazon Web Services

Mission Program Responsibility & Managed Components

• Cloud with DoD PA or ATO

User Service Specific App

Build Unit Publish Deploy to Deploy to Release & Deploy to

Dev Environment Tests

• Immutable Infrastructure via IaC

• Cloud with DoD PA or ATO

REGIONAL MANAGEMENT CLUSTER

Evaluation & Publish Approved

Community Define Execute SW Mod SSG

Evaluation & Publish Approved

Community Define Execute SW Mod SSG

You might also like