Repo One – DoD Centralized Container Source Code Repository (DCCSCR)
Repo One is the central repository for the source code used to create hardened and evaluated containers for the Department of Defense. It also includes the source code of various open-source products and the infrastructure as code used to harden Kubernetes distributions.
Repo One is currently operated at https://repo1.dso.mil/dsop/.
All DoD activities that create containers which could benefit the DoD at an enterprise scale should publish their containers’ source code in the DCCSCR. They should follow the DoD Enterprise DevSecOps Reference Design, Container On-boarding guide, and Container Hardening guide requirements.
Iron Bank – DoD Centralized Artifacts Repository (DCAR)
Iron Bank is the DoD repository of digitally signed, binary container images that have been hardened according to the Iron Bank Container Hardening Guide. Containers accredited in Iron Bank have DoD-wide reciprocity across classifications.
Iron Bank is currently operated at https://ironbank.dso.mil/.
Prior to creating a new container image, DoD programs should check whether the container image already exists in DCAR and use the DoD-signed containers whenever possible.
DevSecOps Platform (DSOP)
The DSOP is a collection of approved, hardened Cloud Native Computing Foundation (CNCF)-compliant Kubernetes distributions, infrastructure as code playbooks, and hardened containers. This collection implements a DevSecOps platform compliant with the DoD Enterprise DevSecOps Reference Design, and its source code is hosted on Repo One.
IaC (Infrastructure as Code) Repositories:
- Platform One IaC: https://repo1.dso.mil/platform-one
- LevelUP IaC: https://repo1.dso.mil/levelup-automation
- D2IQ Konvoy: https://repo1.dso.mil/platform-one/distros/d2iq
- Rancher Federal: https://repo1.dso.mil/platform-one/distros/rancher-federal
- OpenShift 4.x: https://repo1.dso.mil/platform-one/distros/red-hat
- VMWare PKS Essential: https://repo1.dso.mil/platform-one/dod-tanzu
CNCF-compliant Kubernetes distributions currently supported: OpenShift 4.x, Kubernetes upstream, D2IQ Konvoy, VMWare PKS Essential and Rancher Federal RKE.
CNCF-compliant Kubernetes distributions to be supported soon: VMWare Tanzu and Oracle Kubernetes.
A number of Platform One IaC environments are completed or in development. Since it is difficult to make IaC truly cloud agnostic, Platform One will be supporting the following environments:
- Amazon Web Services (AWS) IL-2, IL-5, S, S-SAP (when available), TS/SCI, and TS-SAP (FENCES), AWS Outpost
- Azure IL-2, IL-5, S (when available), S-SAP (when available), Azure Stack
- On-premise / Edge VMWare vSphere
- Platform One’s IaC offerings will continue to expand upon customer requests
The DSOP includes the various mandated containers of the Reference Design including Elasticsearch, Fluentd, and Kibana (EFK), Sidecar Container Security Stack (SCSS), etc.
Teams should leverage the IaC available on the DCCSCR whenever possible and contribute back their code improvements to the DCCSCR whenever applicable.
Platform One Enterprise Services
Platform One provides additional pay-per-use services and contract vehicles to facilitate teams’ adoption and the move to DevSecOps. The list of services will continuously evolve.
- Party Bus – ABMS All Domain Common Environment: Platform One Shared Enterprise Environments (Multi-Tenant) (for Development, Test and Production)
  - These environments benefit from the Platform One Continuous ATO and are hosted on Cloud One, SC2S and C2S, managed by the Platform One team as multi-tenant environments. They are well suited to small and medium-sized teams, and provide Continuous Integration/Continuous Delivery (CI/CD) and various development tools and capabilities.
  - Impact Level (IL)-2, IL-5, Secret, and TS/SCI environments exist or are in development (pay-per-user model: $2,000/user/month).
  - To learn more about the capabilities of these environments, their availability and limitations (including ingress/egress/endpoints, Multi-Factor Authentication, etc.), please contact firstname.lastname@example.org with Subject: “Platform One Party Bus Question”
- Big Bang: Platform One Dedicated DevSecOps Environments
  - Build, deliver and operate custom Infrastructure as Code and Configuration as Code, with the deployment of dedicated environments at various classification levels, CI/CD pipelines and cATO. Well suited to large teams/programs that need a dedicated enclave (cost per DevSecOps environment).
  - Build and deliver new hardened containers as needed for program-specific software (pay per use/container).
  - To learn more about these capabilities, please contact email@example.com with Subject: “Platform One Big Bang Question”
- Custom Development Services
  - Build and deliver new, accredited custom software applications (microservices) by leveraging the Platform One pipeline and following Platform One’s DoD Continuous Authority to Operate (cATO) (pay per app).
  - To learn more about these capabilities, please contact firstname.lastname@example.org with Subject: “Platform One Custom Development Services Question”
- Cloud Native Access Point (CNAP)
  - The Cloud Native Access Point is available on Cloud One to provide access to Development, Testing, and Production enclaves at IL-2, IL-4 and IL-5 that use Platform One DevSecOps environments, through an internet-facing, cloud-native zero-trust environment.
- Platform One Continuous Integration / Continuous Delivery (CI/CD) with Infrastructure as Code (IaC)
  - Teams can use existing CI/CD pipelines hosted on Repo One with their current Infrastructure as Code (IaC).
  - If a custom CI/CD pipeline is needed due to specific program mission needs, check out the Big Bang options.
  - To learn more about these capabilities, please contact email@example.com with Subject: “Platform One CI/CD Options Question”
- Platform One Training/On-Boarding Options
  - Platform One Self Learning: https://auth.galvanize.com/register?uid=fbc9761c8f97c752ea
  - Virtual Platform One Learning Hub that provides self-service on-boarding [June 2020 Launch]
  - 1-day training session: Introduction to DevSecOps. Overview and understanding of the vision and activities. [June 2020 Virtual Launch]
  - A 3-day Platform One Platform Workshop. Hands-on code and User-Centered Design (UCD) to create your first Platform One DevSecOps pipelines and deploy a “push button” DoD DevSecOps software factory. [Currently Available]
  - A 6-week full on-boarding that concludes with your own CI/CD pipeline and a Minimum Viable Product (MVP) ready for production. [Currently Available]
  - A 2-month full on-boarding that concludes with your platform team being able to support your own DevSecOps applications for development and production. [July 2020 Virtual Launch]
  - Customized training options (either at our locations or on your premises) (pay per use).
  - To learn more about these capabilities, please contact firstname.lastname@example.org with Subject: “Platform One Training Question”
- Platform One DevSecOps Managed Tools
  - Platform One Enterprise Chat: provides a collaboration solution suitable for connecting developer teams (pay per use): IL4 (.mil email only) https://chat.collab.cdl.af.mil/
  - Platform One Party Bus (see above, pay per use)
  - Platform One Multi-Level Security Data Transfer (CDS/Diode) (pay per use)
  - Platform One Stack Exchange: knowledge-sharing service for software developers and engineers (pay per use)
  - To learn more about these capabilities, please contact email@example.com with Subject: “Platform One Managed Tools Question”
DevSecOps Basic Ordering Agreements (BOAs) – Contract Vehicles
The Air Force Chief Software Officer has awarded various contract vehicles to facilitate the acquisition and bulk purchasing of DevSecOps tools, services and talent. DoD programs are encouraged to leverage these contracts where appropriate. DoD Contracting Officers and the Acquisition workforce can receive training on leveraging the DevSecOps BOAs.
To learn more about the DevSecOps BOAs, please contact firstname.lastname@example.org with Subject: “Platform One BOAs Question”
DevSecOps DSAWG (DoD Security Authorization Working Groups) Workgroups
All the documents created for the DSAWG are Document as Code (DaC), available at https://repo1.dso.mil/dsawg-devsecops.
- Team 1: DoD Enterprise DevSecOps Ref Design (and following updates)
- Team 2: Kubernetes STIG
- Team 3: Containers STIG
- Team 4: Cloud Native Access Point
- Team 5: Work with NIST (Ron Ross) on a new DevSecOps publication based on the Ref Design.
- Team 6: Continuous ATO Guidance, defining the:
  - Accreditation requirements to accredit the DevSecOps pipeline process and its various layers
  - Accreditation requirements to accredit teams to use the accredited pipelines
  - Expected deliverables/artifacts of pipelines/platforms, plus eMASS automation, etc.
- Team 7: Write the required training for SCAs, ISSMs and AOs to understand how to adopt the new cATO guidance
- Team 8: DevSecOps Real-Time/Embedded systems
- Team 9: DevSecOps Playbook / Best Practices
- Team 10: High Performance Computing (HPC)
- Team 11: Digital Engineering as a Service