Who needs it?
The Department of Defense (DoD) and civilian agencies of the U.S. federal government, as well as enterprises in private industry, need secure CI/CD to drive more value through their software delivery pipelines while lowering security risk.
The problem
Federal government agencies facing time-to-mission pressures are trying to automate pipelines to accelerate the building of new applications and add urgently needed functionality to existing applications. But they’re constrained by Information Assurance guidelines requiring CI tools to pass advanced security certifications. For the private sector, the freedom of choice in software is higher, but the need for security in their CI/CD toolchain isn’t necessarily any lower. Enterprises who have high security standards and are highly regulated or can’t expose themselves to vulnerabilities, can rest assured that CloudBees is the right choice for CI.
CloudBees can help
The hardened version of CloudBees CI provides a container that has achieved a Certificate to Field (CtF) from the U.S. Air Force Platform One team. Platform One is the official DevSecOps Enterprise Services team for the Department of Defense (DoD). A CtF is a formal certification given by the U.S. Air Force Platform One team. Software containers that receive a CtF can be used to deploy a platform within a specific environment that has received an Authority to Operate (ATO). An ATO certification means that a platform meets security standards as set forth by Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) and National Institute for Standards and Technology (NIST) Risk Management Framework (RMF) guidelines. Platform One provides platforms that are already accredited and can only use containerized software with an approved CtF. CloudBees CI is also included in the AWS GovCloud Marketplace, which provides Amazon’s government customers, organizations in highly regulated industries, and other commercial entities that meet AWS GovCloud (US) requirements an easy channel for procurement of CloudBees CI.
The solution
CloudBees CI provides a hardened Docker container image which is placed in the Department of Defense Centralized Artifact Repository (DCAR), the storage repository maintained by the DoD. Teams from any DoD or civilian agency can access and simply pull the hardened Docker container image out of DCAR. The solution has been engineered to minimize the use of any libraries or components that have known security vulnerabilities. For example, if a team uses a library to execute HTTP communication between a CloudBees CI controller and agent, the functionality within CloudBees CI ensures secure ports and protocols are used at both ends.