The US Department of Defense is looking for a way to improve its
assurance processes in order to better understand the
trustworthiness of its systems. They want a system that can:
- Maximize the discovery of vulnerabilities to containerized applications
in runtime, and
- Report vulnerabilities through a federated approach for consumption by current legacy cybersecurity management systems.
Currently, the
Department of Defense lacks an efficient method for monitoring
containerized applications that can provide near real-time checks based
on security technical implementation guides (STIGs). This lack of
assurance can lead to vulnerabilities being exploited by
adversaries, which could jeopardize national security. The
Department of Defense needs a system that can address these
concerns in order to protect the country.
Project Objectives:
- To improve software development speed, quality, and efficiency.
- To improve security by prototyping and demonstrating a continuous
compliance monitoring tool.
- To improve the quality and efficiency of assurance across the DoD
by prototyping and demonstrating a federated assurance system.
Milestones:
The prototype tool will encompass and integrate the three core
needs:
- A prototype of the DevSecOps environment,
- A prototype of a continuous compliance monitoring tool,
- A prototype of a federated assurance system.
Compliance as Code:
- The DISA-JFAC partnership is working to improve software
development speed, quality, and efficiency by prototyping and
demonstrating automated content based upon security technical
implementation guides (STIGs) for use in DevSecOps and
containerized environments.
Continuous Compliance Monitoring:
- The partnership is also working to improve security by prototyping
and demonstrating a continuous compliance monitoring
tool that can detect and respond to deviations from security
technical implementation guides (STIGs) and DoD standards.
Federated Assurance:
- Finally, the partnership is working to improve the quality and
efficiency of assurance across the DoD by prototyping and
demonstrating a federated assurance system that allows different stakeholders to share assurance data and processes through the development and use of application programming interfaces (APIs).
The partnership between DISA and JFAC is working to improve software development speed, quality, and efficiency by prototyping a compliance monitoring tool that supports near real-time scanning of containerized applications based on security technical implementation guides (STIGs). This tool will allow the DoD to more easily discover container vulnerabilities and misconfigurations and, through the use of application programming interfaces (APIs), provide the data to government cybersecurity management systems.
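As an added illustration of the near real-time, STIG-style container checks and API-ready reporting described above (example code written for this page, not the DISA-JFAC prototype), the following evaluates constructed container records shaped like `docker inspect` output against a few rules and emits a structured report; the rule identifiers, field layout, and report schema name are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    rule_id: str      # placeholder ids, not real STIG identifiers
    title: str
    severity: str
    check: Callable[[dict], bool]  # returns True when the container is compliant

# STIG-style checks on fields shaped like `docker inspect` output (assumed layout).
RULES = [
    Rule("CTR-EXAMPLE-001", "Container must not run privileged", "high",
         lambda c: not c["HostConfig"].get("Privileged", False)),
    Rule("CTR-EXAMPLE-002", "Container must run as a non-root user", "high",
         lambda c: c["Config"].get("User", "") not in ("", "0", "root")),
    Rule("CTR-EXAMPLE-003", "Root filesystem must be read-only", "medium",
         lambda c: c["HostConfig"].get("ReadonlyRootfs", False)),
    Rule("CTR-EXAMPLE-004", "Host PID namespace must not be shared", "high",
         lambda c: c["HostConfig"].get("PidMode", "") != "host"),
]

def evaluate(container: dict) -> list[dict]:
    """Run every rule against one container record and return per-rule findings."""
    return [{
        "container": container["Name"],
        "image": container["Config"]["Image"],
        "rule_id": r.rule_id,
        "title": r.title,
        "severity": r.severity,
        "status": "pass" if r.check(container) else "fail",
    } for r in RULES]

def build_report(containers: list[dict]) -> dict:
    """Aggregate findings into one JSON-serialisable document for an API consumer."""
    findings = [f for c in containers for f in evaluate(c)]
    failed = [f for f in findings if f["status"] == "fail"]
    return {"schema": "example-compliance-report/1", "total_checks": len(findings),
            "failed_checks": len(failed), "findings": findings}

# Constructed sample records mimicking two running containers (not real data).
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Config": {"Image": "example/web:1.0", "User": "1001"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True, "PidMode": ""}},
    {"Name": "/agent", "Config": {"Image": "example/agent:2.3", "User": ""},
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False, "PidMode": "host"}},
]
if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_CONTAINERS), indent=2))
```

In a continuous deployment, the same `evaluate` call would run against live container records on a schedule or on container-start events, and the report document is what a management system would ingest over an API.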
Software Development, Prototyping, DevSecOps, Federated Assurance System
Not Provided