Platform One: DoD Enterprise DevSecOps Services

Platform 1 Logo
Repo One – DoD Centralized Container Source Code Repository (DCCSCR)

Repo One is the central repository for the source code to create hardened and evaluated containers for the Department of Defense. It also includes various source code open-source products and infrastructure as code used to harden Kubernetes distributions.

Repo One is currently operated at https://repo1.dsop.io/dsop/.

All DoD activities that are creating containers that could benefit the DoD at an enterprise scale should publish their containers’ source code in the DCCSCR by following the DoD Enterprise DevSecOps Ref Design, Container On-boarding guide, and Container Hardening guide requirements.
All programs should evaluate any existing containers for reuse before creating a new container image.

Iron Bank – DoD Centralized Artifacts Repository (DCAR)

Iron Bank is the DoD repository of digitally signed, binary container images that have been hardened according to the Container Hardening Guide coming from Iron Bank. Containers accredited in Iron Bank have DoD-wide reciprocity across classifications.

Iron Bank is currently operated at https://ironbank.dsop.io/.

Prior to creating a new container image, DoD programs should check if the container images already exists in DCAR and use the DoD signed containers whenever possible.

DevSecOps Platform (DSOP)
The DSOP is a collection of approved, hardened Cloud Native Computer Foundation (CNCF)-compliant Kubernetes distributions, infrastructure as code playbooks, and hardened containers that implement a DevSecOps platform compliant with the DoD Enterprise DevSecOps Reference Design, and its source code is hosted on Repo One.

IaC Repositories:

Kubernetes CNCF-compliant currently supported are: OpenShift 4.x, Kubernetes upstream, VMWare PKS Essential and Rancher Federal RKE.
Kubernetes CNCF-compliant to be supported soon: D2IQ Konvoy, VMWare Tanzu and Oracle Kubernetes.

There are a number of existing Platform One IaC environments in development or completed. Since it is difficult to truly make IaC totally cloud agnostic, Platform One will be supporting the following environments:

  • Amazon Web Services (AWS) IL-2, IL-5, S, S-SAP (when available), TS/SCI, and TS-SAP (FENCES), AWS Outpost
  • Azure IL-2, IL-5, S (when available), S-SAP (when available), Azure Stack
  • On-premise / Edge VMWare vSphere
  • Platform One’s IaC offerings will continue to expand upon customer requests

The DSOP includes the various mandated containers of the Reference Design including Elasticsearch, Fluentd, and Kibana (EFK), Sidecar Container Security Stack (SCSS), etc.

Teams should leverage the Infrastructure as Code (IaC) available on the DCCSCR whenever possible and contribute back their code improvements to the DCCSCR whenever applicable.

Platform One Enterprise Services

Platform One provides additional pay-per-use services and contract vehicles to facilitate teams’ adoption and move to DevSecOps. The list of services will continuously evolve.

  • Party Bus: Platform One Shared Enterprise Environments (Multi-Tenant) (for Development, Test and Production)
    • These are environments that benefit from the Platform One Continuous ATO, hosted on Cloud One, SC2S and C2S managed by the Platform One team as multi-tenant environments. Perfect for smaller/medium sized teams. They provide Continuous Integration/Continuous Delivery (CI/CD) and various development tools/capabilities.
    • Impact Level (IL)-2, IL-5, Secret, and TS/SCI environments exist or are in development (pay per user model ($2,000/user/month))
    • To learn more about the capabilities on these environments, availability and limitations (including ingress/egress/endpoints/Multi Factor Authentication factors etc.), please contact usaf.cso@mail.mil with Subject: “Platform One Party Bus Question”
  • Big Bang: Platform One Dedicated DevSecOps Environments
    • Build, deliver and operate custom Infrastructure as Code and Configuration as Code with the deployment of dedicated environments at various classification levels with CI/CD pipelines and c-ATO. Perfect for large teams/programs that need a dedicated enclave (cost per DevSecOps environment).
    • Build and deliver new hardened containers as needed for program specific software (pay per use/container).
    • To learn more about these capabilities, please contact usaf.cso@mail.mil with Subject: “Platform One Big Bang Question”
  • Custom Development Services
    • Build and deliver new and accredited custom software applications (microservice) by leveraging the Platform One pipeline and following Platform One’s DoD Continuous Authority to Operate (cATO) (pay per app).
    • To learn more about these capabilities, please contact usaf.cso@mail.mil with Subject: “Platform One Custom Development Services Question”
  • Cloud Native Access Point (CNAP)
    The Cloud Native Access Point is available on Cloud One to provide access to Development, Testing and Production enclaves at IL-2, IL-4 and IL-5 that using Platform One DevSecOps environments by using an internet-facing Cloud-native Zero trust environment.

  • Platform One Continuous Integration / Continuous Delivery (CI/CD) with Infrastructure as Code (IaC)
    • Teams can use existing CI/CD pipelines hosted on Repo One with their current Infrastructure as Code (IaC) code.
    • If a custom CI/CD pipeline is needed due to specific program mission needs, check out the Big Bang options.
    • To learn more about these capabilities, please contact usaf.cso@mail.mil with Subject: “Platform One CI/CD Options Question”
  • Platform One Training/On-Boarding Options
    • Check out the CSO DevSecOps / DAU training at https://software.af.mil/training/
    • Virtual Platform One Learning Hub that provides self service on-boarding [June 2020 Launch]
    • 1-day training Session: Introduction to DevSecOps. Overview and understanding of the vision and activities. [June 2020 Virtual Launch]
    • A 3 day Platform One Platform Platform Workshop. Hands on code and User-Centered Design (UCD) to create your first Platform One DevSecOps pipelines and deploy a “push button” DoD DevSecOps software factory. [Currently Available]
    • A 6-week full on-boarding, that concludes with own CI/CD pipeline and Minimum Viable Product (MVP) ready for production [Currently Available]
    • A 2-month full on-boarding, that concludes with your platform team being able to support your own DevSecOps applications for development and production [July 2020 Virtual Launch]
    • Customized training options (both at our locations or on your premises) (pay per use).
    • To learn more about these capabilities, please contact usaf.cso@mail.mil with Subject: “Platform One Training Question”
  • Platform One DevSecOps Managed Tools
    • Platform One Enterprise Chat: provides a collaboration solution suitable for connecting developer teams (pay per use): IL4 (.mil email only) https://chat.collab.cdl.af.mil/
    • Platform One Party Bus (see above, pay per use)
    • Platform One Multi-Level Security Data Transfer (CDS/Diode) (pay per use)
    • Platform One Stack Exchange: knowledge sharing service for software developers and engineers. (pay per use)
    • To learn more about these capabilities, please contact usaf.cso@mail.mil with Subject: “Platform One Managed Tools Question”
  • Platform One Cybersecurity/Pen-testing Services
    • Ability to pen-test a DevSecOps environment at various classifications level (pay per use)
    • To learn more about these capabilities, please contact usaf.cso@mail.mil with Subject: “Platform One Pen-testing Options Question”

DevSecOps Basic Ordering Agreements (BOAs) – Contract Vehicles

The Air Force Chief Software Officer has awarded various contract vehicles to facilitate the acquisition and bulk purchasing of DevSecOps tools, services and talent. DoD programs are encouraged to leverage these contracts where appropriate. DoD Contracting Officers and Acquisition workforce can receive training to leverage the DevSecOps BOAs.

To learn more about the DevSecOps BOAs, please contact usaf.cso@mail.mil with Subject: “Platform One BOAs Question”

DevSecOps DSAWG (DoD Security Authorization Working Groups) Workgroups

All the documents created for the DSAWG are Document as Code (DaC) available at https://repo1.dsop.io/dsawg-devsecops

  • Team 1: DoD Enterprise DevSecOps Ref Design (and following updates)
  • Team 2: Kubernetes SRG
  • Team 3: Containers SRG
  • Team 4: Cloud Native Access Point
  • Team 5: Work with NIST (Ron Ross) on DevSecOps new publication based on Ref Design.
  • Team 6: Continuous ATO Guidance, defining the:
    • Accreditation requirements to accredit DevSecOps pipeline process and the various layers
    • Accreditation requirements to accredit teams to use the accredited pipelines
    • The expected deliverables / artifacts of pipelines/platforms + automation eMass etc.
  • Team 7: Write the required training for SCAs and ISSMs and AOs to understand how to adopt to new cATO guidance
  • Team 8: DevSecOps Real-Time/Embedded systems
  • Team 9: Digital Engineering as a Service
  • Team 10: High Performance Computing (HPC)