• Provide continuous compliance with security requirements and continuous software deployment
• Enhance and simplify security-related reporting and remediation, including historical results of code scans and runtime assessments of common vulnerabilities and exposures (CVEs) and threats
• Facilitate secure application operations, covering deployment and runtime
• Meet DoD/DHS requirements for continuous Authorization to Operate (cATO) designation
• Authorized to run in environments up to DISA Impact Level 5 (IL-5)
• First system across all DHS components to be designated for cATO
• cATO-designated Software Factory permits the creation of reusable agency-wide DevSecOps CI/CD pipelines
• Support for rapid Certificate to Field (CTF) issuance baked into CI/CD pipelines, for all applications built by the Software Factory
• Replaces the need for a traditional, time-consuming ATO with a repeatable CTF, allowing continuous deployment of software and saving time, money, and effort
The US Coast Guard’s (USCG’s) Command, Control, Communications, Computers, Cyber and Intelligence Service Center (C5ISC) contracted with Karthik Consulting (KC) to collaboratively develop, test, implement, and sustain a Software Factory (SF) solution. USCG dubbed their solution the High Efficiency Rapid Modernization Network (HERMN), which embodies methods for translating commercial practices and DoD requirements into repeatable self-sustaining processes for establishing, growing, operating, and adapting scalable, high-quality, and secure in-house agile software operations.
In addition to the quality and productivity gains realized by automating DevSecOps practices via the USCG SF, KC developed the solution within AWS GovCloud at IL-5 to meet the federal government's new cATO requirements. This provides USCG with an agency-wide solution that significantly reduces the time and costs to deploy new software releases for any application processed through the SF. Furthermore, to improve security and support multi-cloud capabilities plus cloud agnosticism, the SF complies with the DoD DevSecOps Reference Architecture and the Secure Cloud Computing Architecture (SCCA) – and is built on Cloud Native Computing Foundation (CNCF) and Zero Trust (ZT) principles. The KC-built solution leverages various automated security processes to continuously maintain and improve the security posture of both the SF and the applications built through it – thereby streamlining CTF issuance. This includes: a library of baselined container images, auto-refreshed from DoD-approved container repositories; threshold-configurable security gates integrated into code builds; code signing; SBOM generation and tracking; storage and trend analysis of build artifacts.
KC’s solution aligns with and demonstrates the three competencies required by the DoD’s cATO memo:
(1) Continuous Monitoring (CONMON)
The USCG SF conducts various types of scans of each application as it proceeds through the CI/CD pipelines, including software supply chain (SBOM) analysis, static and dynamic vulnerability analysis, code quality, code coverage, Section 508 compliance, container scans, OpenSCAP scans for STIGs, and AWS WAF and NIST SP 800-53 compliance scans.
The solution automatically generates, analyzes, and stores the required artifacts from each step/gate in the pipeline for each build of each branch of each application.
The SF collects, analyzes, and presents the generated artifacts to Security Teams so they can make the determination to issue the CTF for each application, thereby eliminating the need for a laborious RMF-based ATO.
By storing data related to each build’s scans, the Authorizing Official (AO) can view the historical progression of the application over the course of all branches and versions.
The SF employs native AWS and other tools to detect drift between approved baselines and any runtime environment.
(2) Active Cyber Defense
The solution has built-in configurable security gates and thresholds throughout the progressive stages of each CI/CD Pipeline (DEV, TEST, STAGE, and others as configured by the user for each application). Hence, through the execution of these pipelines, the applications proceed through an automatic risk determination based on the AO’s prescribed risk tolerance – resulting in an application being automatically authorized for deployment once it meets the AO’s specified criteria. This ensures that only adequately secure applications are deployed to Production. Additionally, an AO can configure progressively restrictive pipeline gate thresholds as the code is promoted from lower to higher stages (e.g., DEV to TEST).
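The following is an added illustration of the stage-aware security gate described above; it is not HERMN or KC code. It assumes four pipeline stages (DEV, TEST, STAGE, PROD), a severity scale of critical/high/medium/low, and illustrative per-stage thresholds standing in for the values an AO would actually prescribe. Beyond the text, it also checks that the configured thresholds really do tighten from stage to stage, fails closed on an unrecognised severity label, and reports the highest stage a build may be promoted to.

```python
"""Stage-aware security gate evaluation for a CI/CD pipeline (added example, not HERMN code)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEVERITIES = ("critical", "high", "medium", "low")
STAGE_ORDER = ("DEV", "TEST", "STAGE", "PROD")

# Assumed per-stage thresholds: maximum number of open findings allowed per
# severity before the gate blocks promotion. None means "not gated" at that stage.
# The numbers are illustrative; in practice the AO sets them per application.
STAGE_THRESHOLDS: Dict[str, Dict[str, Optional[int]]] = {
    "DEV":   {"critical": 0, "high": 5, "medium": 20, "low": None},
    "TEST":  {"critical": 0, "high": 2, "medium": 10, "low": None},
    "STAGE": {"critical": 0, "high": 0, "medium": 5,  "low": None},
    "PROD":  {"critical": 0, "high": 0, "medium": 0,  "low": None},
}


@dataclass(frozen=True)
class Finding:
    tool: str          # scanner that produced it (container scan, SAST, SBOM, ...)
    identifier: str    # placeholder id; real scanners emit CVE or rule ids here
    severity: str


@dataclass
class GateResult:
    stage: str
    counts: Dict[str, int]
    violations: List[str] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.violations


def validate_progressive(thresholds=STAGE_THRESHOLDS, order=STAGE_ORDER) -> List[str]:
    """Check that every later stage is at least as strict as the one before it.

    A later stage that allows more of a severity than its predecessor is a
    misconfiguration: a build could clear a tight gate and be promoted into a looser one.
    """
    problems = []
    for earlier, later in zip(order, order[1:]):
        for sev in SEVERITIES:
            lo, hi = thresholds[earlier][sev], thresholds[later][sev]
            if hi is None and lo is not None:
                problems.append(f"{later} drops the {sev} gate that {earlier} enforces")
            elif lo is not None and hi is not None and hi > lo:
                problems.append(f"{later} allows {hi} {sev} but {earlier} allows only {lo}")
    return problems


def evaluate_gate(findings, stage, thresholds=STAGE_THRESHOLDS) -> GateResult:
    """Count findings by severity and compare them with the stage's thresholds.

    Unknown severity labels are counted as critical so that a scanner emitting an
    unexpected label fails closed instead of slipping through ungated.
    """
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for f in findings:
        sev = f.severity.lower()
        counts[sev if sev in SEVERITIES else "critical"] += 1
    result = GateResult(stage=stage, counts=dict(counts))
    for sev, limit in thresholds[stage].items():
        if limit is not None and counts[sev] > limit:
            result.violations.append(f"{sev}: {counts[sev]} open, limit {limit}")
    return result


def promotion_path(findings, thresholds=STAGE_THRESHOLDS, order=STAGE_ORDER) -> str:
    """Return the highest stage this build may be promoted to, or 'BLOCKED'."""
    highest = "BLOCKED"
    for stage in order:
        if not evaluate_gate(findings, stage, thresholds).passed:
            break
        highest = stage
    return highest


# Constructed scan output for one build; identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("container-scan", "vuln-1", "high"),
    Finding("container-scan", "vuln-2", "high"),
    Finding("sast", "rule-sqli-1", "high"),
    Finding("sbom", "vuln-3", "medium"),
    Finding("sbom", "vuln-4", "medium"),
    Finding("sast", "rule-logging-1", "low"),
]

if __name__ == "__main__":
    assert not validate_progressive(), "threshold configuration is not progressive"
    for stage in STAGE_ORDER:
        r = evaluate_gate(SAMPLE_FINDINGS, stage)
        print(stage, "PASS" if r.passed else "FAIL", r.violations)
    print("may promote to:", promotion_path(SAMPLE_FINDINGS))
```

With the constructed findings (three high, two medium, one low) the build clears DEV but is stopped at TEST, where only two high findings are tolerated; the gate never needs to know which stage is "production" because each stage simply enforces its own, tighter, limits.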
CI/CD pipelines leverage tools to ensure application compliance with FISMA/RMF standards, CNCF, and DISA STIGs.
Upon drift detection, post deployment, the solution can alert individuals to the potential threats and can also be configured to automatically apply remediation actions.
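The drift detection mentioned under Continuous Monitoring and the alert-or-remediate behaviour described here, as an added example that is not part of KC's solution. It assumes the approved baseline is a per-workload record of the pinned image digest and the security settings reviewed at CTF time, and that a runtime inventory (from an agent or cloud API) reports the same fields; workload names and digests are constructed placeholders. Remediation is returned as a plan rather than executed, so the caller decides which drift kinds are auto-applied and which only raise an alert.

```python
"""Approved-baseline vs runtime drift detection with remediation planning (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Drift:
    workload: str
    kind: str          # digest_mismatch | privilege_escalation | missing_workload | unapproved_workload
    detail: str
    remediation: str   # action taken if auto-remediation is enabled for this kind


# Assumed baseline recorded when the CTF was issued: one pinned digest per workload
# plus the reviewed security setting. Digests are constructed placeholders.
APPROVED_BASELINE: Dict[str, dict] = {
    "api":    {"digest": "sha256:" + "a" * 64, "privileged": False},
    "worker": {"digest": "sha256:" + "b" * 64, "privileged": False},
}

# Constructed runtime inventory as an agent would report it, with three kinds of drift.
RUNTIME_SNAPSHOT: Dict[str, dict] = {
    "api":    {"digest": "sha256:" + "a" * 64, "privileged": True},   # setting drifted
    "worker": {"digest": "sha256:" + "c" * 64, "privileged": False},  # image drifted
    "debug":  {"digest": "sha256:" + "d" * 64, "privileged": False},  # not in baseline
}


def detect_drift(baseline: Dict[str, dict], runtime: Dict[str, dict]) -> List[Drift]:
    """Compare every approved workload with what is actually running and list deviations."""
    drifts: List[Drift] = []
    for name, approved in baseline.items():
        live = runtime.get(name)
        if live is None:
            drifts.append(Drift(name, "missing_workload",
                                "approved workload is not running",
                                f"redeploy {name} at {approved['digest']}"))
            continue
        # Digests are compared case-insensitively; tags are deliberately not accepted.
        if live["digest"].lower() != approved["digest"].lower():
            drifts.append(Drift(name, "digest_mismatch",
                                f"running {live['digest']} but approved {approved['digest']}",
                                f"roll {name} back to {approved['digest']}"))
        if live.get("privileged", False) and not approved["privileged"]:
            drifts.append(Drift(name, "privilege_escalation",
                                "running privileged but baseline is unprivileged",
                                f"restart {name} with privileged=false"))
    # Anything running that the baseline never approved is drift by definition.
    for name in sorted(runtime.keys() - baseline.keys()):
        drifts.append(Drift(name, "unapproved_workload",
                            "workload has no approved baseline",
                            f"quarantine {name}: scale to zero and alert"))
    return sorted(drifts, key=lambda d: (d.workload, d.kind))


def plan_remediation(drifts: List[Drift], auto_kinds: Set[str]) -> Tuple[List[str], List[Drift]]:
    """Split drift into actions the pipeline applies itself and findings that only alert."""
    auto_actions: List[str] = []
    alerts: List[Drift] = []
    for d in drifts:
        if d.kind in auto_kinds:
            auto_actions.append(d.remediation)
        else:
            alerts.append(d)
    return auto_actions, alerts


if __name__ == "__main__":
    found = detect_drift(APPROVED_BASELINE, RUNTIME_SNAPSHOT)
    actions, to_alert = plan_remediation(found, auto_kinds={"digest_mismatch"})
    for d in found:
        print(f"{d.workload}: {d.kind} ({d.detail})")
    print("auto-remediate:", actions)
    print("alert only:", [(d.workload, d.kind) for d in to_alert])
```

Only the image rollback is auto-applied in the sample run; a privilege change or an unknown workload is left for a human because the right response (kill it, or investigate it first) depends on context the pipeline does not have.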
(3) Secure Software Supply Chain
Take a look at what KC is doing to contribute to global cyber security, agile software development and cloud services.
Felix Martin, 571 435 7632 fmartin@karthikconsulting.com
CAGE: 56GH3
DUNS: 828199880 UEI: FGNNM7KNUPF6
GSA MAS
GSA OASIS Pool 1 and 3
NIH CIO-SP3 8(a) & SB
GSA STARS III 8(a)
Air Force SBEAS
Army RS3
Navy Seaport-NexGen
FAA eFAST