Compliance as Code / Continuous Compliance Monitoring / Federated Assurance

Opportunity Summary

Description

Submit NLT 23:59 ET, 15 September 2022
The Department of Defense (DoD) is looking to improve the speed, quality, efficiency, and security of software development with a DevSecOps environment supporting the DoD’s federated community. This effort is looking to achieve three core lines of effort culminating in prototypes and demonstrations in support of federated DevSecOps across the DoD. These core lines of effort are compliance as code, continuous compliance monitoring, and federated assurance. These three core lines of effort would result in prototypes and demonstrations that would show how federated DevSecOps across the DoD could work.

Opportunity Details

The US Department of Defense is looking for a way to improve its assurance processes in order to better understand the trustworthiness of its systems. They want a system that can:

- Maximize the discovery of vulnerabilities to containerized applications in runtime and

-Report vulnerabilities through a federated approach for consumption by current legacy cybersecurity management systems.

Currently, the Department of Defense lacks an efficient method for monitoring containerized applications that can provide near real-time checks based on security technical implementation guides (STIGs). This lack of assurance can lead to vulnerabilities being exploited by adversaries, which could jeopardize national security. The Department of Defense needs a system that can address these concerns in order to protect the country.

Project Objectives:

To improve software development speed, quality, and efficiency.
To improve security by prototyping and demonstrating a continuous compliance monitoring tool.
To improve the quality and efficiency of assurance across the DoD by prototyping and demonstrating a federated assurance system.

Milestones:

The prototype tool will encompass and integrate the three core needs:

A prototype of the DevSecOps environment,
A prototype of a continuous compliance monitoring tool,
A prototype of a federated assurance system.

Use Case Scenario

Compliance as Code:

The DISA-JFAC partnership is working to improve software development speed, quality, and efficiency by prototyping and demonstrating automated content based upon security technical implementation guides (STIGs) for use in DevSecOps and containerized environments.

Continuous Compliance Monitoring:

The partnership is also working to improve security by prototyping and demonstrating a continuous compliance monitoring tool that can detect and respond to deviations from security technical implementation guides (STIGs) and DoD standards .

Federated Assurance:

Finally, the partnership is working to improve the quality and efficiency of assurance across the DoD by prototyping and demonstrating a federated assurance system that allows different stakeholders to share assurance data and processes through the development and use of application programming interfaces (APIs).

Future State Solution

The partnership between DISA and JFAC is working to improve software development speed, quality, and efficiency by prototyping a compliance monitoring tool that supports near real-time scanning of containerized applications based on security technical implementation guides (STIGs) . This tool will allow the DoD to more easily discover container vulnerabilities and misconfigurations and through the use of application programming interfaces (APIs) provide the data to government cybersecurity management systems.

Keywords

Software Development, Prototyping, DevSecOps, Federateed Assurance System

Reference URL

Not Provided

Opportunity Details

More Opportunities

Compliance as Code / Continuous Compliance Monitoring / Federated Assurance

Opportunity Summary

Description

Opportunity Details

Use Case Scenario

Future State Solution

Keywords

Reference URL

Point of Contact