rvlsoft - Fotolia
The Department of Defense has launched a major new effort to publish security standards and best practices for government DevSecOps and potentially enterprise IT as well, SearchITOperations has learned.
The effort is led by Nicolas Chaillan, chief software officer for the U.S. Air Force, and co-lead for the Enterprise DevSecOps Initiative in the office of the Department of Defense (DoD) CIO. Chaillan said he has invited more than two dozen companies and open source entities to participate in seven subgroups within the project, including Microsoft, Red Hat, VMware, StackRox, Pivotal, D2iQ, The Linux Foundation, The Cloud Native Computing Foundation, Sysdig, Rancher and Splunk.
"[The Department of Defense] usually has a different process, where, for example, Red Hat can create security guidance for RHEL or OpenShift -- it's usually one company, one product," Chaillan said. "This will be the whole Kubernetes ecosystem and community -- all the Kubernetes distros, vendors and cloud providers we work with."
The Cloud Native Computing Foundation, StackRox, Sysdig and Rancher confirmed this week that they are participating in the project, which hasn't been publicly announced prior to this report and as of yet, has no formal name. Other companies Chaillan cited couldn't immediately be reached for comment.
National Institute of Standards and Technology (NIST) fellow Ronald S. Ross is also participating as a co-lead with Chaillan, with plans to add DevSecOps guidance to existing NIST SP 800-160 systems security engineering standards, and to publish new volumes that establish a DevSecOps reference architecture.
NIST and the DoD working group will collaborate on best practices and security standards documents, with the goal of producing an early draft within 60 to 75 days, Chaillan said. The group will use a Git repository to edit and maintain the documents, which are publicly accessible.
NIST has a long history of working with public and private sector organizations to establish security standards, but what makes this effort unique is the focus on applying security standards to a specific use case in DevSecOps, NIST's Ross said.
"In the old days, the military and its contractors built systems that were only used for military applications, which gave them a lead over adversaries who didn't have the same technology," Ross said. "But there has been a technology explosion where most systems are dual-use, designed for both government and commercial use -- and adversaries have the same technology."
To protect the country, the DoD must establish a lead in the use of cloud-native technologies and learn how to stay ahead of adversaries with best practices, rather than an absolute technical advantage, Ross said.
"This is the most important project I have been involved with in more than 30 years in the field of cybersecurity," he added.
A potential DevSecOps template for enterprises
As government agencies and private-sector enterprises increasingly use the same open source technologies, many commercial companies look to the government, particularly the DoD, as the gold standard for cybersecurity, one IT consultant said.
"There's a saying, 'Nobody ever got fired for using IBM,'" said Jeremy Pullen, principal technical consultant at Polodis, a digital transformation consulting firm in Atlanta, who's closely following the DoD's DevSecOps work, including a recently published repository of hardened container images for general use. "There's a similar confidence in using systems hardened to the standards of the US government."
Pullen said the breadth of the collaboration will also help legitimize the DevSecOps concept as a set of practices, rather than tying it to any particular tool, vendor or method used by specific household-name enterprise IT teams.
"The last two years, I've had to educate people about what DevSecOps is and isn't -- it's not just using a tool from White Hat, Sonatype or Veracode," he said. "This paints a better picture of DevSecOps as an area of practice rather than just implementing somebody's product."
The effort will also help the government more easily procure new technologies, which could translate into enterprise procurement approaches, Pullen said.
This project reflects a shift in the federal government's approach to tech, as well as a general shift toward open source software, and open source knowledge sharing, across the IT industry, said Shannon Williams, co-founder and president of Rancher, whose federal team will work on Kubernetes security standards.
Other open standards, such as Center for Internet Security (CIS) benchmarks, already exist for this purpose, but this project will improve how they are linked to other DevSecOps tools and refine how secure software is developed, Williams said.
"This isn't just about hardening Kubernetes -- it's about how to build a secure software factory," he said. "It's about how to operate Kubernetes, in a set of living documents that can change as new technology emerges."
In addition to container and Kubernetes hardening for DevSecOps use, one of the sub-teams in the DoD project will standardize a process that generates continuous authority to operate for every software change produced by a government agency.
It's a practice the Air Force has already implemented under Chaillan, which means software changes can be deployed quickly to production without going through a lengthy security audit each time. Chaillan estimates this process has cut out 100 hours of deployment delay for his team in the last year, and the team is able to make multiple fully accredited software changes per day.
The DoD Security Authorization Working Group (DoDSAWG) project will be divided into seven teams:
Team 1: DoD Enterprise DevSecOps Reference Architecture Design
Team 2: Kubernetes Security Requirements Guide (SRG)
Team 3: Containers SRG
Team 4: DevSecOps cloud access controls
Team 5: Work with NIST on DevSecOps publications based on Reference Design.
Team 6: Continuous Authority to Operate (cATO) Guidance, defining:
- Accreditation requirements for DevSecOps pipeline processes and various layers of infrastructure
- Accreditation requirements to allow teams to use the accredited pipelines
- The expected deliverables / artifacts of pipelines/platforms and automation
Team 7: Write training requirements for Security Controls Assessors, Information Systems Security
Managers, and Authorizing Officials to understand how to adopt new cATO guidance
(Source: Nicolas Chaillan)