Employing DevOps in Classified Environments (Part 2)
This is the second part of a three-part blog series focused on employing DevOps in classified environments. As mentioned in the first blog, the solution involves aspects of people, processes and technology, this week we’ll be talking about processes.
Most process challenges associated with employing DevOps in classified environments are not unique to the classification level of the system. What is unique are the processes involved with introducing tooling and software to classified environments. It is industry best practice to ensure that software installed on our networks has been thoroughly vetted, scanned and tested for security vulnerabilities before being deployed and made operational. The DoD doesn’t view this as a best practice, but as a hard and fast requirement.
DoD Instruction 8510.01, DoD Risk Management Framework (RMF) for DoD Information Technology (IT) establishes the requirements for all DoD Information Systems and Platform IT to implement security controls derived from the National Institute of Science and Technology (NIST) Special Publication (SP) 800-53A, Security and Privacy Controls for Federal Information Systems and Organizations. Software must be granted some form of an authority to operate (ATO) before it can be installed on DoD systems. The ATO can come in the form of an interim authority to test (IATT) or operate (IATO) for systems under development. If being developed under a system with an existing ATO, a system can be granted a certificate to field.
Regardless of the approval path, documented prior approval is required which can be a lengthy and resource intensive process. Once granted approval to be installed, a continuous monitoring program must be utilized to ensure security controls remain effective and software changes don’t introduce new vulnerabilities. In addition to security requirements, utilizing templated environments, tool chains and workflows is a foundation of DevOps methodology and critical when deploying code across multiple classification networks. The mantra, “workflows, not technologies” encourages focus on the mission objective and uses the best current technology available to solve the problem. If the workflow is correct, new and improved technologies can continue to be leveraged as they emerge.
How to overcome these challenges: As mentioned above, the data is classified but the systems are not. Build low; promote to high and ensure tools and software are available at all classification levels. Ascolta has a proven track record of successfully navigating the RMF process by obtaining certificates to field and ATOs for third party tools and software. Our full-stack development team brings expertise in architecture, development, integration and delivery and is underpinned by a strong security focus. Ascolta’s development philosophy allowed for development of a sound continuous integration/continuous delivery pipeline. Additionally, by utilizing templated environments, tool chains and workflows we were able to seamlessly deploy solutions developed in our unclassified Customer Integration Lab (CIL) to Air Force test environments and ultimately deploy to classified weapons systems.
Stay tuned for next week’s blog where we’ll address technology.