
PLATFORM ONE PRODUCTS AND SERVICES
Customer DevSecOps Platform (DSOP)
Platform One’s DSOP is a collection of approved, hardened Cloud Native Computing Foundation (CNCF)-compliant Kubernetes distributions, infrastructure as code playbooks, and hardened containers. This collection implements the Platform One DevSecOps platform that is compliant with the DoD Enterprise DevSecOps Reference Design, and its source code is hosted on Repo One.
- Platform One IaC: https://repo1.dso.mil/platform-one
- LevelUP IaC: https://repo1.dso.mil/levelup-automation
- D2IQ Konvoy: https://repo1.dso.mil/platform-one/distros/d2iq
- Rancher Federal: https://repo1.dso.mil/platform-one/distros/rancher-federal
- OpenShift 4.x: https://repo1.dso.mil/platform-one/distros/red-hat
- VMware PKS Essential: https://repo1.dso.mil/platform-one/dod-tanzu
CNCF-compliant Kubernetes distributions currently supported are: OpenShift 4.x, Kubernetes upstream, D2IQ Konvoy, VMware PKS Essential and Rancher Federal RKE. CNCF-compliant Kubernetes distributions to be supported soon: VMware Tanzu and Oracle Kubernetes.
There are a number of existing Platform One IaC environments in development or completed. Since it is difficult to truly make IaC totally cloud agnostic, Platform One will be supporting the following environments:
- Amazon Web Services (AWS) IL-2, IL-5, S, S-SAP (when available), TS/SCI, and TS-SAP (FENCES), AWS Outpost
- Azure IL-2, IL-5, S (when available), S-SAP (when available), Azure Stack
- On-premise / Edge VMware vSphere
The DSOP includes the various mandated containers of the Reference Design including Elasticsearch, Fluentd, and Kibana (EFK), Sidecar Container Security Stack (SCSS), etc.
Teams should leverage the IaC available on the DCCSCR whenever possible and contribute back their code improvements to the DCCSCR whenever applicable.

Iron Bank – DoD Centralized Artifacts Repository (DCAR)
- Iron Bank is the DoD repository of digitally signed, binary container images including both Free and Open-Source software (FOSS) and Commercial off-the-shelf (COTS)
- All artifacts are hardened according to the Container Hardening Guide. Containers accredited in Iron Bank have DoD-wide reciprocity across classifications
- Over 300 containers available today and growing

Registry One – DoD Container Registry
- The DoD registry of digitally signed, binary FOSS and COTS container images that have been hardened and approved by Iron Bank
- These accredited containers have DoD-wide reciprocity across classifications
- Over 300 containers available for use

Party Bus – ABMS All Domain Common Environment (ADCE): Platform One Shared Enterprise Environments (Multi-Tenant) for Development, Test, and Production
- These are environments that benefit from the Platform One cATO, hosted on Cloud One, SC2S, C2S and FENCES and managed by the Platform One team as multi-tenant environments. They provide Continuous Integration/Continuous Delivery (CI/CD) and various development tools/capabilities
- Impact Level (IL)-2, IL-4, IL-5, IL-6, and TS/SCI, SAP environments exist or are in development with a pay-per-developer model
- Perfect for smaller/medium sized teams
Stargate: Diode/Cross Domain Service
- Platform One managed service
- Provides an NSA requirements-compliant “pre” and “post” landing zone to push artifacts to the high side. This includes containers for MVP, with binaries/executables and other file types soon.
- AWS Diode is approved for Platform One use
- Assesses cybersecurity risk by using Iron Bank analyzed Bill of Materials (BOM)/Body of Evidence (BOE) and virus scanning
- Enforces certificate-based provenance and checksum integrity for transfers ensuring the chain of trust is preserved
Identity Management / SSO / PKI
- Brings Single Sign On with various DoD PKI options and MFA options.
- Brings Person Entity (PE) and Non Person Entity (NPE) x509 certificate based authentication
- Connects to existing AF, DoD and DIB PKI capabilities
- Provides a secure, cloud-native, agnostic and elastic capability
- Leverages VAULT capability to provide Kubernetes-native, automated certificate generation and allows for automated certificate rotation
- Can be used for code signing, container signing and NPE/PE authentication
- Centralizes/Aggregates logs and pushes to CSSP and vSOC
Platform One Continuous Integration / Continuous Delivery (CI/CD) with Infrastructure as Code (IaC)
- Teams can use existing CI/CD pipelines hosted on Repo One with their current Infrastructure as Code (IaC) code.
- If a custom CI/CD pipeline is needed due to specific program mission needs, check out the Big Bang options.
- To learn more about these capabilities, please contact af.cso@us.af.mil with Subject: “Platform One CI/CD Options Question”
Custom Development Services
- Build and deliver new and accredited custom software applications (microservice) by leveraging the Platform One pipeline and following Platform One’s DoD Continuous Authority to Operate (cATO) (pay per app).
- To learn more about these capabilities, please contact af.cso@us.af.mil with Subject: “Platform One Custom Development Services Question”
Repo One – DoD Centralized Container Source Code Repository (DCCSCR)
- The central repository for the source code to create hardened and evaluated containers for the DoD
- Stores various source code such as open-source products and Infrastructure as Code (IaC) used to harden Kubernetes distributions

Big Bang – Platform One Dedicated DevSecOps Environments
- Build, deliver and operate custom IaC and Configuration as Code (CAC) with the deployment of a dedicated DevSecOps environment at any classification level with CI/CD pipelines and cATO
- Perfect for large teams/programs that need a dedicated enclave (free if self-deployed or cost per environment if Platform One managed)
- Can be deployed anywhere – edge, cloud, air-gapped etc. with hardware in the loop testing
- Build and deliver new hardened containers as needed with a pay per use/container model

Cloud Native Access Point (CNAP)
- Platform One Managed Service
- Provides a full Zero Trust stack enforcing device state, user Role Based Access Control (RBAC) and Software Defined Perimeter/Networks based on Google BeyondCorp concepts
- Can be deployed air-gapped and on classified environments
- Allows access to Cloud One (AWS GovCloud and Azure Government) and Platform One without having to go through the DISN/DoDIN/CAP/IAP
- Allows access from thick clients on BYOD and government-owned devices (both mobile and desktop) while enforcing their device states by using AppGate as a zero trust client.
- Allows for VDI options for zero / thin clients
- Brings DMZ/Perimeter stack with break and inspect, IDS/IPS, WAF capability and full packet capture as an elastic cloud-based stack
- Brings Single Sign On with various DoD PKI options and MFA options.
- Centralizes/Aggregates logs and pushes to CSSP and vSOC
vSOC: Virtual Security Operations Center
- Provides Data Lake/Warehouse capability with Elasticsearch, Fluentd, Kibana (EFK)
- Cloud agnostic, Kubernetes native
- Brings Security Information and Event Management (SIEM)
- Implements Security Orchestration, Automation and Response (SOAR) capabilities
- Achieves user behavior analytics beyond CVEs/signature scanning with both supervised and unsupervised machine learning built into Platform One’s single EFK collection instance
Cloud Native DNS
- Platform One deploys a CNCF-graduated authoritative DNS server to provide a highly available, secure central way to manage DNS for dso.mil. This solution centralized DNS management for the organization and allowed us to execute DNS updates in minutes vs. weeks (for IL5)
- Cloud-native, agnostic and elastic DNS capability with .MIL and non .MIL capabilities
- Fully managed by configuration as code and Git merges
- Runs on Kubernetes using CoreDNS.
Platform One DevSecOps
- Platform One managed service
PLATFORM ONE TRAINING / ONBOARDING OPTIONS
- 1-day training Session: Introduction to DevSecOps. Overview and understanding of the vision and activities.
- A 2-month full on-boarding that concludes with your platform team being able to support your own DevSecOps applications for development and production
- A 3-day Platform One Platform Workshop. Hands-on code and User-Centered Design (UCD) to create your first Platform One DevSecOps pipelines and deploy a “push button” DoD DevSecOps software factory.
PLATFORM ONE BoAs
A Basic Ordering Agreement (BOA) is an agreement between the Government and a contractor. “A BOA may be used to expedite contracting for uncertain requirements for supplies or services when specific items, quantities, and prices are not known at the time the agreement is executed, but a substantial number of requirements for the type of supplies or services covered by the agreement are anticipated to be purchased from the contractor.” FAR 16.703(b). Platform One has established BOAs with a pool of vetted contractors for specific supplies and/or services.
BOA 1: Cloud Services
- Services to develop and deploy accredited, integrated and tested code at multiple classification levels and hybrid cloud architectures
- Awarded: 1 Nov 19
- Companies On-boarded: 27
BOA 2: DevSecOps Pipeline and Platform Integration and Licensing Services
- DevSecOps pipeline and platform integration and licensing service to support a wide collection of software and programming tools supporting the CI/CD of software products
- Awarded: 1 Nov 19
- Companies On-boarded: 9
BOA 3: Software DevSecOps Services
- Technical services of full-stack DevSecOps engineers, infrastructure engineers, and other key personnel
- Awarded: 15 Jan 20*
- Companies On-boarded: 19