Development, security and operations teams all strive for the same end result: software that is always worthy of release, stable and compliant in production. Achieving an Authority to Operate (ATO) for a new system, however, can take up to 18 months and is often a costly undertaking. On top of this, it usually has to be repeated every three years or so. This applies universally across all government agencies. The Risk Management Framework developed by NIST suggests an alternative approach -- continuous reauthorization -- based on understanding the security posture of a system at all times and its worthiness to go live. DevSecOps facilitates continuous reauthorization by automating the required security steps throughout the software development lifecycle and continuously providing security teams with the insight to judge whether the system is worthy of deployment.
“The Department of Defense has made software delivery a top priority. DevSecOps vendors, such as CloudBees, getting authorized to DoD standards support the mission of the Department of Defense enterprise DevSecOps initiative.”
Nicolas Chaillan, Chief Software Officer, U.S. Air Force
Using automation and built-in security validation throughout the development process, DevSecOps can give security teams the confidence that the right checks have been completed – and acted upon. Read the DevSecOps: Speed and Security Together, at Last whitepaper to learn more.
A consistent and transparent audit trail, showing how an application or system was built over time, gives clear evidence of security and regulatory compliance. Learn how CloudBees CI helped a government partner increase compliance while fixing bugs more quickly and speeding deployments.
DevSecOps allows government security teams to trust the software delivery pipelines -- and thus more easily grant ATO -- because they know whether the output of those pipelines complies with organizational policy. Learn more about How DevSecOps Helps the Federal Government Achieve Continuous ATO.
Federal government agencies facing time-to-mission pressures are trying to automate pipelines to accelerate the building of new applications and add urgently needed functionality to existing applications. But they’re constrained by Information Assurance guidelines requiring CI tools to pass advanced security certifications.
CloudBees offers a hardened version of CloudBees CI, which meets the United States Department of Defense (DoD) specifications for security. CloudBees CI provides a container that has achieved a Certificate to Field (CtF) from the U.S. Air Force Platform One team. Platform One is the official DevSecOps Enterprise Services team for the Department of Defense. (Software containers that receive a CtF can be used to deploy a platform within a specific environment after the program or agency receives an Authority to Operate (ATO).)
CloudBees enables government agencies to fully secure and automate their software delivery pipelines in line with DevSecOps best practices. CloudBees CI weaves compliance and governance (e.g., scans, role-based access control (RBAC), approvals, rejections, remediation) directly into the developers’ workflows, empowering them to own the security experience – continuously testing code and fixing defects – without having to be security experts. This creates trustworthy CI/CD pipelines that ensure that insecure or non-compliant software does not advance downstream. This is DevSecOps in practice. Learn more about hardened CloudBees CI.
Federal Systems Integrators (FSIs) who have embraced modern software delivery practices are helping DevSecOps become “real” for agencies instead of just a buzzword. FSIs can now deliver an array of capabilities faster and more securely by eliminating wasteful manual effort, easily enforcing organizational policy, and accelerating the path to production. At CloudBees, our federal government business model is 100 percent partner-centric. We believe that investing fully in partners is the best way for our technology to benefit the maximum number of government customers. In turn, we rely on partners to deliver a superlative CloudBees experience to the end customer. Learn how we become a profit center to our FSI partners by making them faster, more productive, and more attractive to government customers.