Professional Documents
Culture Documents
DoDEnterpriseDevSecOps SourceDiagrams
DoDEnterpriseDevSecOps SourceDiagrams
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
CNCF
Kubernetes
DoD Enterprise
DevSecOps
Reference Design • Additional Reference Designs
DevSecOps DevSecOps …
Strategy Fundamentals
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary • Industry Recognized Best Practices (Pending Interest, Time & Money)
• Guiding Principles • Standardized Nomenclature
Low Code-No Code Legacy …
• Governance Processes • Technology Tool & Activity Mappings Modernization
• SMART Performance Metrics
DoD Enterprise
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
CNCF
Kubernetes
(this document)
DoD Enterprise
DevSecOps
Reference Design • Additional Reference Designs
DevSecOps DevSecOps …
Strategy Fundamentals
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary • Industry Recognized Best Practices (Pending Interest, Time & Money)
• Guiding Principles • Standardized Nomenclature
Low Code-No Code Legacy …
• Governance Processes • Technology Tool & Activity Mappings Modernization
• SMART Performance Metrics
DoD Enterprise
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
CNCF
Kubernetes
(this document)
DoD Enterprise
DevSecOps
• Additional Reference Designs
Reference Design
DevSecOps DevSecOps …
Strategy Fundamentals
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary • Industry Recognized Best Practices (Pending Interest, Time & Money)
• Guiding Principles • Standardized Nomenclature
Low Code-No Code Legacy …
• Governance Processes • Technology Tool & Activity Mappings Modernization
• SMART Performance Metrics
DoD Enterprise
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
CNCF
Kubernetes
DevSecOps DevSecOps …
Strategy Fundamentals
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary (Pending Interest, Time & Money)
• Guiding Principles
Low Code-No Code Legacy …
• Governance Processes Modernization
(this document)
DoD Enterprise
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
(this document) CNCF
Kubernetes
DoD Enterprise
DevSecOps
• Additional Reference Designs
Reference Design
DevSecOps DevSecOps …
Strategy Fundamentals
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary • Industry Recognized Best Practices (Pending Interest, Time & Money)
• Guiding Principles • Standardized Nomenclature
Low Code-No Code Legacy …
• Governance Processes • Technology Tool & Activity Mappings Modernization
• SMART Performance Metrics
DoD Enterprise
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
CNCF
Kubernetes
DoD Enterprise
DevSecOps
(this document) Reference Design
• Utilization of AWS Managed Services
DRAFT AWS • Specific Infrastructure as Code (IaC) Usage Requirements
DevSecOps DevSecOps Managed
Strategy Fundamentals Service
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary • Industry Recognized Best Practices (Pending Interest, Time & Money)
• Guiding Principles • Standardized Nomenclature
Low Code-No Code Legacy …
• Governance Processes • Technology Tool & Activity Mappings Modernization
• SMART Performance Metrics
DoD Enterprise
DevSecOps
Reference Design • Specific CNCF Kubernetes Tools & Technologies
• Specific Architecture Requirements
CNCF
Kubernetes
DoD Enterprise
DevSecOps
(this document) Reference Design • Utilization of multiple Kubernetes clusters
DRAFT
• Continuous reconciliation across clusters
DevSecOps DevSecOps Multi-Cluster
Strategy Fundamentals CNCF K8s
Guide
Topic Topic
Topic Topic
Topic
Specific Topic
Specific
Specific Specific
Specific
Playbooks Specific
Playbooks
Playbooks Playbooks
Guidebooks Playbooks
DoD Enterprise DoD Enterprise DoD Enterprise
DevSecOps DevSecOps DevSecOps
Future Reference Designs
Reference Design Reference Design Reference Design
• Executive Summary • Industry Recognized Best Practices (Pending Interest, Time & Money)
• Guiding Principles • Standardized Nomenclature
Low Code-No Code Legacy …
• Governance Processes • Technology Tool & Activity Mappings Modernization
• SMART Performance Metrics
An architectural approach that attempts to Collection of DevSecOps CI/CD pipelines,
exploit the advantages of cloud architecture, where each pipeline is dedicated to unifying
on bare metal or in a Cloud agnostic manner; a conscious people, automated processes, and relevant
focus on how the architecture is designed and deployed, tools to create artifacts in support of a specific
over where it is deployed. program(s) and/or mission set(s).
BOTH/AND
CSP Managed Cloud Software
Service Native Factory
Supply Chain
Software
Monitor
Control Gate
Legend
Risk Determination
Feedback Loop
Compliance, Effectiveness, ThreatCon, Malicious Detection
Continuous Build
Release &
Plan Develop Build Test Deploy Operate
Deliver
Cyber Security Automation (Scanning, Testing, & Validating)
Monitor
Continuous Integration
Release &
Plan Develop Build Test Deploy Operate
Deliver
Cyber Security Automation (Scanning, Testing, & Validating)
Monitor
Continuous Delivery
Release &
Plan Develop Build Test Deploy Operate
Deliver
Cyber Security Automation (Scanning, Testing, & Validating)
Monitor
Continuous Deployment
Release &
Plan Develop Build Test Deploy Operate
Deliver
Cyber Security Automation (Scanning, Testing, & Validating)
Monitor
Continuous Operations
Release &
Plan Develop Build Test Deploy Operate
Deliver
Cyber Security Automation (Scanning, Testing, & Validating)
Monitor
Release &
Plan Develop Build Test Deploy Operate
Deliver
Cyber Security Automation (Scanning, Testing, & Validating)
Monitor
SYSTEM
UNIT ACCEPTANCE
INTEGRATE
TEST TEST
TEST
PEN
SAST DAST
TEST
… … …
STAGE: STAGE: STAGE:
DEVELOPMENT SYSTEM TEST PRE-PRODUCTION
CODE/
SCRIPTS Release
Package
IDE
IDE CODE
IDE REPO
LOCAL
ARTIFAC
T
REPO
CODE/
SCRIPTS Release
PIPELINE Package
DEV TEST
ENVIRONME 1 ENVIRONME
NT NT
IDE
IDE CODE
IDE REPO
LOCAL
ARTIFAC
T
PIPELINE
DEV TEST
REPO ENVIRONME 3 ENVIRONME
NT NT
SOFTWARE FACTORY
DS
A
DS NT
N
CO
FE
CONTAINS
DE
*
1.. 1..* REF DESIGN
SPECIFIC
ENVIRONMEN HOSTED IN SOFTWARE USES ARTIFACT
T FACTORY 1..* 1 REPOSITORY
1.
.* 1
DE
1..
PL
OY
*
IS AN S CONTAINS
PRODUCTION TO
ENVIRONMENT 1.
.* 1..*
PRE- CONTAINS
HO
IS AN PIPELINE TOOL
ST
PRODUCTION
1 1..*
ENVIRONMENT ED 1
IN
IS AN TEST PRODUCES
ENVIRONMENT
1..*
1
REF DESIGN
SPECIFIC
IS AN DEVELOPMENT DEFENDS CYBER
ENVIRONMENT APPLICATION
RESILIENCY
APPLICATION
S APPLICATIONS
APP FRAMEWORK
REF DESIGN
• Compliance, Effectiveness
INTERCONNECT
• ThreatCon, Malicious Detect
REF DESIGN
PLATFORM / SOFTWARE FACTORY
REF DESIGN
SPECIFIC
LOGGING
REF DESIGN
REF DESIGN
RE REF DESIGN
FUTU
REF DESIGN
SPECIFIC
INFRASTRUC
HOSTING ENVIRONMENTS
INTERCONNECT
TURE
• Compliance, Effectiveness
• ThreatCon, Malicious Detect
REF DESIGN
REF DESIGN
SPECIFIC
PLATFORM / SOFTWARE FACTORY
REF DESIGN
SPECIFIC
• Service Mesh Mandate
• Locally Centralized Artifact Repository
CI/CD PIPELINES INTERCONNECT
• IaC Defined SW Factory
• DevSecOps Tools
REF DESIGN
REF DESIGN
SPECIFIC
• CNCF Certified Kubernetes (K8s)
ENVIRONMENTS INTERCONNECT
• Dev, Test, Integration
REF DESIGN
REF DESIGN
SPECIFIC
• Cloud Native Access Point Utilization
INTERCONNECT
INFRASTRUC
HOSTING ENVIRONMENTS
TURE
Guest OS Guest OS
Hypervisor
x86 Server
CAC SOFTWARE
Developmental Test
(Dev, Test,
The System Was Built Right
Integration, & Pre-Production)
Continuous Monitoring
Sidecar Container Security Stack (SCSS) DoD Enterprise Cloud
Security Sidecar Container Program Managed Services Security Sidecar Supportive DoD
Enterprise Services
Legend
Hosting DoD Cloud DoD Data Center(s) Bare Metal Server(s) DoD Provided Enterprise Service
Environment
DoD Provided, Program Instantiated
• Define CI/CD Processes & Tasks • Build the Software Factory
• Select Tools • Automate the Workflows
Software Factory
Phases
NODE
Container Container
Application N O D E Application
Container Container Container
Container Engine Container
Libraries Container
Libraries
Application Application
Orchestrator Container
Engine Application
Libraries
Application
Libraries
Node Operating System
Libraries Libraries
Application Sidecar
Container Container
Shared State
Storage Network
Mission Program Application Platform
Subsystem 1
Application
Logging
YES
Security
Monitoring
Incident
YES Incident
Data Detected? Detected?
Monitoring
Development
Process Waterfall Agile DevSecOps
Application
Architecture Monolithic n-Tier Microservice
Deployment &
Packaging Physical Virtual Container
Hosting
Infrastructure Server Data Center Cloud Multicloud
Data
Management Silo Data Warehouse Data Lake
Data
Interchange Proprietary XML JSON
Cybersecurity
Posture Firewall, + SIEM, + Zero Trust
IDE
Code
Repository
Build Build
Tool Process
Software Factory
Security
Test(s) SAST/DAST
Dev Environment Tests
Test (Notional/Partial List)
Tool(s) Unit
Test
Artifact
Repository Publish Run Automated Run Automated
Artifacts Test Suite Test Suite
Container
Registry
Build Security
CI/CD Security Container Image Test(s)
Orchestrator Scan
Container Test
Security Scan Tool(s)
Deploy to Deploy to
Release & Deliver
Test Env Integration Env
DoD Test Integration Production
Applications Environment Environment Environment
Tools
Security Security
Test(s) Scan
Software Factory
Workflows
Code
Build Artifacts CNCF Kubernetes Deploy Scale
Repository 3rd Party
Services
Tool
Pipeline Integration
Test Deliver Logging Monitor
Control
•
ing
Applications Applications
Applications
Software Factory
(DoD Enterprise DevSecOps Containers)
Container Orchestration
(OCI Compliant Containers,
CNCF Certified Kubernetes)
Hosting Environment
(DoD Cloud, Data Center, or Bare Metal)
Quality
Set
2.0 Fundamentals 2.1
Document
2.0 Tools & Activities Guidebook 2.1
Update 2
2.0 Reference Design: CNCF K8s 2.1
DevSecOps
IDE
Code
Repository
Build Build
Tool Process
Software Factory
Security
Test(s) SAST/DAST
Dev Environment Tests
Test (Notional/Partial List)
Tool(s) Unit
Test
Artifact
Repository Publish Run Automated Run Automated
Artifacts Test Suite Test Suite
Container
Registry
Build Security
CI/CD Security Container Image Test(s)
Orchestrator Scan
Container Test
Security Scan Tool(s)
Deploy to Deploy to
Release & Deliver
Test Env Integration Env
AWS Managed Service
Container Orchestration
Applications
Software Factory
(DoD Enterprise DevSecOps Containers)
• Compliance, Effectiveness
• ThreatCon, Malicious Detect
REF DESIGN
• AWS EventBridge
REF DESIGN
SPECIFIC
PLATFORM / SOFTWARE FACTORY
• AWS CloudEvents
LOGGING INTERCONNECT • AWS Security Hub
• Log Aggregation & Storage
• Log Analysis & Display
REF DESIGN
REF DESIGN
SPECIFIC
• AWS App Mesh
• AWS Elastic Container Registry (ECR)
CI/CD PIPELINES INTERCONNECT
• IaC Defined SW Factory
• DevSecOps Tools
REF DESIGN • AWS Elastic Kubernetes Service (EKS)
REF DESIGN
SPECIFIC
• AWS CodePipeline
• AWS CodeBuild
ENVIRONMENTS INTERCONNECT • AWS CodeCommit
• Dev, Test, Integration
REF DESIGN
• AWS CloudFormation
REF DESIGN
SPECIFIC
• Cloud Native Access Point, and/or
INTERCONNECT • BCAP Connected VDSS
INFRASTRUC
HOSTING ENVIRONMENTS
TURE
Joint App
DoD Test Integration Production
Applications Environment Environment Environment
Software
Factory
Tools
Security Security
Test(s) Scan
Workflows
DoD Code
Build Artifacts CNCF Kubernetes Deploy Scale
Cloud Repository 3rd Party
Tool
or Pipeline Integration
Test Deliver Logging Monitor
Control
CSP
w/PA
Cloud DevSecOps Services Cloud Container Services Cloud Operations Services
APPLICATION
S APPLICATIONS DoD Enterprise DevSecOps
APP FRAMEWORK
Reference Design:
Multi-Cluster CNCF Kubernetes
CONTINUOUS MONITORING
• Compliance, Effectiveness
• ThreatCon, Malicious Detect
REF DESIGN
REF DESIGN
SPECIFIC
PLATFORM / SOFTWARE FACTORY
REF DESIGN
SPECIFIC
• Continuous Reconciliation Mandate
CI/CD PIPELINES INTERCONNECT
• IaC Defined SW Factory
• DevSecOps Tools
REF DESIGN
REF DESIGN
SPECIFIC
• Multi-Cluster CNCF Kubernetes
ENVIRONMENTS INTERCONNECT
• Dev, Test, Integration
REF DESIGN
REF DESIGN
SPECIFIC
• Secure Supply Chain Provenance Mandate
INTERCONNECT
INFRASTRUC
HOSTING ENVIRONMENTS
TURE
Manifests
Reconciliation Day 2
Loop Reconciliation
K8s
Clusters
Control
Plane
Cluster Creation
& Enforcement
GLOBAL CONTROL PLANE Supply Chain Process
Active
Connections
Workload
K8s Cluster
Services
Active
Connections
Workload
K8s Cluster
Services
Pathway to DevSecOps Reference Design