DoD DevSecOps Reference Design - Shared screen with speaker view - Recording 2/2
Nicolas Chaillan
01:04:04
For everyone, if you need to access the documents, including our slide deck, it is available at https://software.af.mil/dsop/documents/
Nicolas Chaillan
01:04:10
This is the place to go to for our latest documents.
Nicolas Chaillan
01:07:13
Please everyone stay muted.
John Thompson
01:07:40
You sound good Nicolas.
Ryan
01:09:08
Can you repeat the website info for the slides?
Nicolas Chaillan
01:09:33
https://software.af.mil/dsop/documents/
Nicolas Chaillan
01:17:21
usaf.cso@mail.mil
Carlo de Guzman A4PA
01:19:33
Is there an updated policy regarding OSS? How can we trust that the community contributing to these open products are not bad actors, and verify C-SCRM?
Marlon Coerbell, CTR Sev1Tech
01:20:56
Because it's a managed service and not a commercial cloud service (CSO), can you house C-I-A with a high watermark? Per the Cloud SRG, CSOs are limited to moderate.
ceotwell
01:21:24
Is the expectation that this will become compliance documentation for K8s/OCI?
Albert Wu, AFLCMC/HIE
01:21:39
Can you speak briefly to why you chose Kubernetes over Docker Swarm?
575986
01:22:20
Who can we reach out to for information on how much this would cost a program to leverage?
Rob
01:22:56
Any program office. Reach out to rob.slaughter@afwerx.af.mil
Brad Sollar
01:23:02
Can you speak to the contract vehicles for this project, or what industry should be looking at for participating as a vendor to the USAF?
Bhaarat
01:23:06
Is CloudOne leveraging EFK, Prometheus, and Grafana?
Pete Francis
01:24:35
Can you recommend a source of information about how this may enable embedded systems software development and evaluation?
Travis
01:25:01
What do you recommend using for the container application password/credential management with kubernetes that is comparable to docker secrets?
Rob
01:25:10
Please wait to answer questions until the end.
Rob
01:25:21
After the presentation we will answer
Carlo de Guzman A4PA
01:25:31
Thank you. Do you have the assessments of all OSS proposed in the sidecar suites and architectures?
Brandon Durepo
01:26:09
Can you speak to lesson learned on large scale persistent storage options available to Kubernetes?
Ian Friedman
01:27:02
What is the ETA on the DCAR mirroring solution?
Rob
01:27:46
Please wait to ask questions until the end of the presentation.
Brad Sollar
01:31:03
Can you talk to pure upstream Open Source vs. supported Open Source?
Jack Harris
01:31:38
Are there plans to expand UBI in the future to more ML-friendly OSs (e.g., Ubuntu)?
Rob
01:32:11
Please wait to ask questions until the end of the presentation.
ChrisDickman-Mile2
01:34:40
\\
ceotwell
01:35:44
Will the charts be downloadable?
Nicolas Chaillan
01:35:52
https://software.af.mil/dsop/documents/
Norman Leach
01:37:07
Audio dropped
larryh
01:37:17
no
Blair Nicodemus
01:37:17
audio is fine
Gregory Behm
01:37:19
I can hear
Jon Clayton
01:37:20
No, it's good.
Yocelyn Moreno
01:37:20
We can hear you
FarreDo
01:37:29
Audio is good
608119
01:38:13
I don't think I captured the link to the presentation correctly. Would someone please share it here?
Nicolas Chaillan
01:38:25
https://software.af.mil/dsop/documents/
608119
01:38:39
Thank you
mojganpedoeim
01:43:22
But we do not have to use Platform One if we have our own team? For example, if we are working on an AF application migration and need DevSecOps, we can build the development environment using the ATOed stack?
Eugene's iPad
01:44:06
...
tim
01:44:54
Are the steps / scripts available to install the ATO'd stack on our own IaaS?
Carlo de Guzman A4PA
01:46:16
Will SLAs be provided per sidecar? Is security your focus, or is it functionality? Will the sidecars-as-a-service proposed be required to operate IAW the DoD CC SRG (SNAP/CAP/P-ATOs/etc.)?
DoD DevSecOps Reference Design
01:46:19
Hello all, Mr. Chaillan will be answering questions after he reviews the slides. Thank you for your patience.
Chris Hauser
01:47:00
So the USAF is charging for solutions to be deployed in Cloud One or Platform One?
mojganpedoeim
01:47:12
But we can build our own CI/CD pipeline? Using the ATO containers?
Jack Harris
01:48:48
Who helps with the accreditation of the "new" software in the Application Layer? In the past that has been the long pole in the tent.
Humberto Pina
01:48:56
Is there a catalog specification with what is offered with Platform One <K8, Istio, Jenkins, xDK tool set, etc…>?
Rich Thissell
01:48:57
How does Platform One Collaboration Tools interface with the DI2E collaboration portals?
Blair Nicodemus
01:51:30
Is there a list or URL listing all the vendors that have been awarded contracts? I do not see this on the web site.
Shane Deichman
01:51:32
Mr. Chaillan, would you please speak to the implications of the forthcoming Cybersecurity Maturity Model Certification (CMMC) process? Will all USAF DevSecOps efforts require that vendors all have third-party CMMC certification before they can deliver products (even containerized software or microservices), or even support a BOA Prime as a Subcontractor?
Bhaarat
01:51:57
Does PlatformOne use Podman and Buildah?
Drew's iPad (2)
01:57:12
What tools comprise ADTS in DevSecOps, and are they built into Cloud One and Platform One?
Andrew Roth
01:57:14
yes
Gregory Behm
01:57:17
yes
Shane Deichman
01:57:32
Mr. Chaillan, would you please speak to the implications of the forthcoming Cybersecurity Maturity Model Certification (CMMC) process? Will all USAF DevSecOps efforts require that vendors all have third-party CMMC certification before they can deliver products (even containerized software or microservices), or even support a BOA Prime as a Subcontractor?
Andrew Roth
01:57:47
Many of the repos in DCCSCR are missing LICENSE files, resulting in GitLab showing “No license. All rights reserved”. Is this just an oversight that will be fixed? Without specifying a license, legally, the default is “all rights reserved”.
TJ
01:58:15
Do the SCSS zero trust capabilities work with message brokers such as Kafka?
Jimmie
01:58:17
Are hardened containers in the LevelUp repo available for use outside of this pipeline?
Carlo de Guzman A4PA
01:58:22
Will the authorization of the sidecars be Enterprise, or will each AO need to authorize all components?
Carl Fischer
01:58:22
Is there a group chat or mailing list set up for organizations working to stand up PlatformOne in our own environment?
Bhaarat
01:58:28
Can vendors with SBIR Phase I get on the BOA or work with PlatformOne?
Minh Vo
01:59:00
Mr. Chaillan, do you have your SAFe Memo posted somewhere?
Tristan Bonner
01:59:02
@Nicolas Chaillan, what is your opinion of the Capability Maturity Model Integration (CMMI)? Has it become bloated past usefulness, or will it still be relevant to software development as we progress as a DevSecOps organization?
TJ
01:59:05
Are the Anchore and OpenSCAP policies and scripts available to the public?
Chad Cravens
01:59:16
Do these groups (platform one / level up / etc) offer community slack we can join and ask questions on?
Nadim Nakhleh
01:59:24
It doesn't appear that the containers already in DCCSRC follow the rules you described about not downloading from outside sources. Are they going to be updated to meet those requirements so they can be better used as templates for contributions?
David.Gagliano
01:59:29
+@MinhVo - also looking for the doc
Andrew Roth
01:59:42
Since this is an AMA, as is the tradition, Would you rather fight 100 duck-sized horses or one horse-sized duck?
Carlo de Guzman A4PA
02:00:05
Will Platform One be presented as an "authorized product" or an MSP?
lee.benson
02:00:12
How are third party artifacts such as Node Package Manager (NPM) packages kept in sync within the environment?
ceotwell
02:00:40
Continuous ITW/AA accreditation available?
Jimmie
02:00:47
Are app teams allowed to tailor containers on the LevelUp platform, or are the containers provided as read-only? If app teams can modify containers from the repo, does that require apps to include these containers within their app ATO?
David.Gagliano
02:01:33
TY
Albert Wu, AFLCMC/HIE
02:01:44
It seems like GitLab is a bit more favored at the AF enterprise level. Our BES PEO seems to be going more toward the Atlassian tool suite. Is there going to be a more pronounced direction from the AF CSO office on which way to go, and what would be a standard enterprise offering?
Bhaarat
02:01:49
Do the prime vendors on the BOA require a Facility Clearance?
Jack Harris
02:01:51
Can you talk a little about the process of getting new software accredited (at the application layer) on this system — who is the AO?
Norman Leach
02:02:24
Are containers tied into an authentication and authorization source, to enable use of IC PKI or DISA SIPR Token Cards for PKI identification and AccessIT! or GeoAXIS for authorizations?
Chris Edwards
02:02:35
If a vendor application uses an external database, is it expected to provide a container image for that database within DCAR? (Example, MySQL container does not exist there today). Or can they simply indicate that an external database is necessary?
Juan Bautista & Tom Spargo PMW 120
02:02:48
Have any Navy programs utilized Platform One or Cloud One yet?
Chris Edwards
02:02:54
Would vendor applications accredited and accessible within DCAR be available to organizations using CloudOne and not PlatformOne?
Marlon Coerbell, CTR Sev1Tech
02:03:30
Because it's a managed service and not a commercial cloud service (CSO), can you house an application with a high C-I-A watermark? Per the Cloud SRG, CSOs are limited to moderate.
Albert Wu, AFLCMC/HIE
02:03:34
Are systems in Cloud One considered to be on NIPR or the commercial internet for the purposes of connecting to an on-prem system and filing the PPS/whitelisting paperwork?
Chris Edwards
02:04:23
What level of guidance and support is expected from a vendor submitting a container to DCAR with respect to running their applications in a Kubernetes environment? Deliverables of kubernetes-specific artifacts? Kubernetes-specific written guidance? General orchestration-agnostic guidance on running the application?
Woody Walton @ Elastic
02:05:11
Do you have any preference on the RHEL UBI version to be used (UBI7 or UBI8)?
Arvind Gupta
02:05:17
What kind of infrastructure is underneath Platform One? Is it public cloud or on-prem infrastructure? Do you see performance impacts from running Kubernetes on public or on-prem cloud?
Gregory Behm
02:06:20
Does this effort work with the DoD High-Performance Computing (HPCMP) Centers?
Bhaarat
02:07:26
Does AF have a plan to contribute some of its findings back to the open source?
Shawn
02:08:07
AMA - what are the latest books you're reading & recommending?
Marlon Coerbell, CTR Sev1Tech
02:08:14
Managed Service Platforms still have to adhere to the Cloud SRG, but do have flexibility regarding some of the administrative and additional controls in the guide.
Nadim Nakhleh
02:09:22
Do you have any thoughts on how the mandate to use OMS/UCI aligns or conflicts with this effort to drive towards cloud-native application development?
Pete Francis
02:09:27
Can you recommend a source of information about how this may enable embedded systems software development and evaluation?
Chris Edwards
02:09:55
If a vendor application submitted to DCAR has a need to refresh operating data from an external source, are there patterns for enabling this refresh? Example, current published public data is needed for the application to function. This data should be refreshed somewhat frequently. How would an application distributed through DCAR do this?
Ryan Lakey
02:10:59
Are you looking at alternatives to OpenSCAP for STIGing that are easier to develop like Inspec/Ansible?
Marlon Coerbell, CTR Sev1Tech
02:12:12
Since Mission Application Owners still have to get their own ATO from their respective AOs, for continuous ATO how does the AO stay apprised of existing POA&Ms if all the RMF documentation is on the repository?
Albert Wu, AFLCMC/HIE
02:12:14
Is there a plan to offer "free" AF-hosted enterprise licenses of the top DSOP tools that we can use if our office doesn't have funding on its own to purchase tools (maybe a model similar to DI2E)?
ceotwell
02:13:30
SIPRNET? JWICS?
Albert Wu, AFLCMC/HIE
02:17:41
Did you say the books were available on your site?
TJ
02:17:48
Do I need to have a contract with Platform One to get started using the stack?
Matt Aizcorbe
02:18:00
On using Kubernetes on ARM, we found Istio doesn't have an ARM based distribution. Have you worked through compiling it on ARM or used an alternative to Istio?
Marlon Coerbell, CTR Sev1Tech
02:18:36
Question that was not answered last time: 3. While I can appreciate the effort to include "baked-in" security services that are intended to automatically protect the various applications that will be hosted, has anyone looked at the attack surface of the security mechanisms themselves? It's likely that mechanisms such as IDS, behavior detection, etc. will fail at identifying advanced attacks just as they are failing today for traditional systems. For example, attacks such as RIPlace, Dexphot that bypass SEP, Defender AV, are file-less, attach to legitimate processes (LOLbins), and are polymorphic. With the consolidation of platforms like this, the result could be many applications compromised simultaneously since they rely on the same security layer. Is there a vulnerability assessment available somewhere and have the risks been quantified? What next generation security solutions are being considered, if any (e.g., secure multi-party computation, threshold encryption, homomorphic encryption, etc.)? Thank you.
TJ
02:18:42
Is there more/better documentation than what exists in the dcar.dsop/levelup repos?
mojganpedoeim
02:21:43
How do we keep up with version updates to the ATOed containers if we build the pipelines ourselves and do not use Platform One services? I am assuming we get notifications?
Carlo de Guzman A4PA
02:22:39
Are the assessments of the stack and components available for us to view?
Jack Harris
02:23:42
Kill containers every 48 hours?
Lynn Still
02:23:51
Is Platform One infrastructure FIPS compliant?
Bradley Marshall
02:23:53
Arrived late, missed some of the Q&A. Maybe this was already asked but how do we get a transcript/recording of the questions and your responses?
Tristan Bonner
02:25:14
^Yes: software.af.mi/documents
Tristan Bonner
02:25:41
*.mil/documents
tim
02:26:18
How are you securing Kubernetes secrets? Do you use an HSM? If so, where is that hosted?
mojganpedoeim
02:26:22
Thanks Mr. Chaillan, I will send an email (that is my name, Mojgan Pedoeim - IBM).
Rich Thissell
02:26:44
Are containers built with optimizations for different microarchitectures (e.g., AVX-512, AVX2, etc.)?
TJ
02:27:01
You mentioned a training program early on. Can you give us more information on that?
Matt Aizcorbe
02:28:28
You may have covered this, what is the release cycle for UBIs?
TimR
02:28:32
What about CAP?
Andrew Roth
02:28:34
dcar.dsop.io doesn’t seem to work with the same login as my dccscr.dsop.io. How do I pull containers?
TJ
02:28:35
Does it cover all of the Platform One products?
Blair Nicodemus
02:28:36
Awesome. Thank you.
tim
02:28:36
Can you provide the links to the training?
David Smith
02:28:40
Who do we contact about the training program you just mentioned?
Drew's iPad (2)
02:29:16
Are the ADTS tools listed in the documentation?
Sheila Lee
02:29:35
How do you envision normalizing future tests (DT&OT) within DevSecOps? There is a big gap within WMA communities. AOC/KR falls within WMA. Same goes for Space C2 Camp, and also the BMA and other mission areas. What efforts have been done to work across the Test communities to find a balanced approach to meet the intents of various directives, to include OMB/statutory requirements?
Albert Wu, AFLCMC/HIE
02:29:36
Do systems on AF NIPR have to submit white list requests to allow connections from Cloud One hosted apps?
Jack Harris
02:29:37
What does pricing look like compared to GovCloud?
TJ
02:29:41
training, thx
Erich Mirabal
02:29:43
You mentioned lift and shift. Does that mean that there are some abstraction layers for AWS and Azure services, like S3 buckets and such, in Platform One and Cloud One?
DoD DevSecOps Reference Design
02:30:05
usaf.cso@mail.mil
Merill.Ronquillo
02:32:26
Are the infrastructure components (source code repo, orchestration tool/Jenkins, etc) of the software factory intended to be deployed under a Kubernetes cluster as well, or is Kubernetes just for the developed applications?
Albert Wu, AFLCMC/HIE
02:33:12
On the whitelist question I meant the other way. Systems in Cloud One requesting data from AF NIPR systems such as ARMS-LC or vPSC?
Drew's iPad (2)
02:33:58
Thank you. Look forward to meeting you next week. VR Mr. Andrew Dwyer (MCSC)
Rob
02:34:13
How do DoD contractors get access to Platform One?
TimR
02:35:01
How soon will this recorded session be posted to share with our teams?
Albert Wu, AFLCMC/HIE
02:35:20
Thank you so much for coming to Air Force Mr. Chaillan. Already seeing great work and movement in the DSOP space from you. Appreciate the top cover you're giving the rest of us to move forward.
Daniel
02:35:44
Thank you so much for your time today
DoD DevSecOps Reference Design
02:35:51
usaf.cso@mail.mil
Andrew Roth
02:35:52
How much access do I have to the cluster/tools provided by Platform One? User-level only? Admin? "The keys to the kingdom"?
Shane Deichman
02:38:04
I don't speak French.
Andrew Roth
02:38:15
How does Platform One handle persistent workloads?
Woody Walton @ Elastic
02:39:54
Thank you, Mr. Chaillan & team!
rrw
02:39:55
Thank you, Nicolas Chaillan, for leading.
Jack Harris
02:40:00
:+1:
Janek Claus
02:40:03
+1
Kevin Madison
02:40:08
Thank you very much.
Nadim Nakhleh
02:40:10
Thank you, great stuff!