Engagement Theater 1: DevSecOps: Automating STIG Compliance and Vulnerability Assessment
- Room: Swing Hall, 2700/2800 Aisle
Wednesday, October 27, 2021: 10:30 AM - 11:30 AM
The Defense Information Systems Agency (DISA) Services Development (SD) Directorate DevSecOps Program is focused on developing a Continuous Compliance Monitoring (CCM) approach for all DoD mission partners that monitors and enforces compliance of containerized applications across all the DevSecOps pillars - Develop, Build, Test, Release and Deploy, and Runtime - for a secure posture, with the focus going forward on automation and integration. CCM is an automated process by which the DevSecOps team, including ISSMs and SCAs, can detect compliance issues and security threats during each phase of the DevSecOps pipeline. To date, the DevSecOps team has completed the STIG compliance work (delivered as Compliance as Code (CaC) files) for a cloud-centric model in which DevSecOps containerized applications are monitored with minimal human intervention. The work also covers monitoring of STIG compliance, vulnerabilities and organizational policy. CaC files are available today for mission partner use on Cyber Exchange, and CCM will be ready for Proof of Concept (PoC) testing in the fall of this year.

Compliance as Code (CaC) can be summarized as the codification of compliance controls so that their adherence, application and remediation can be automated. CaC tools work by running the automatable STIG compliance checks to validate the mission partner's environment. CaC's objective is to automate the traditional manual process of STIG validation, which consumes valuable DoD time and resources. CaC takes the tightest delivery bottleneck, e.g., reading a 50-page compliance PDF, and translates it into automated scripts, which ultimately reduces the time needed to perform audits and generate the data that demonstrates compliance.
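To make the Compliance as Code idea concrete, here is a small added example (not DISA's CCM tooling or any published CaC file) of what "translating a compliance PDF into automated scripts" looks like in practice: each control becomes a data record with a machine-runnable check and a remediation hint, the target's configuration is parsed once, and every rule is evaluated to produce pass/fail findings that a pipeline stage can gate on. The rule identifiers (EXAMPLE-SSH-001 and so on), the thresholds, and the two sshd_config samples are all constructed for this illustration and are not real STIG rule numbers or STIG-mandated values.

```python
"""Minimal Compliance-as-Code (CaC) checker for an sshd_config-style file.

Added example, not DISA's CCM tooling. Rule IDs, thresholds and the sample
configuration text below are constructed for illustration only; real checks
come from the published STIG/CaC content, not from this file.
"""
from dataclasses import dataclass
from typing import Callable

Check = Callable[[dict[str, str]], bool]


@dataclass(frozen=True)
class Rule:
    """One codified control: what a row of a compliance PDF becomes."""
    rule_id: str   # constructed identifier, not a real STIG V-/SV- number
    title: str
    check: Check   # returns True when the parsed configuration is compliant
    fix: str       # remediation hint surfaced when the check fails


@dataclass(frozen=True)
class Finding:
    rule_id: str
    title: str
    status: str    # "pass" or "fail"
    fix: str


def parse_kv_config(text: str) -> dict[str, str]:
    """Parse 'Key value' lines; '#' starts a comment. sshd_config keys are
    case-insensitive and the first occurrence wins, so mirror that here."""
    config: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        config.setdefault(key, value)
    return config


def equals(key: str, expected: str) -> Check:
    # An absent setting fails: the control requires an explicit value,
    # so an implicit daemon default is not accepted as evidence.
    return lambda cfg: cfg.get(key, "").lower() == expected.lower()


def int_at_most(key: str, limit: int) -> Check:
    def check(cfg: dict[str, str]) -> bool:
        try:
            return int(cfg.get(key, "")) <= limit
        except ValueError:
            return False  # missing or non-numeric value is non-compliant
    return check


def is_set_not_none(key: str) -> Check:
    return lambda cfg: cfg.get(key, "none").lower() != "none"


# Constructed rule set; thresholds are illustrative, not STIG values.
RULES = [
    Rule("EXAMPLE-SSH-001", "Root login over SSH must be disabled",
         equals("permitrootlogin", "no"),
         "Set 'PermitRootLogin no' and reload sshd."),
    Rule("EXAMPLE-SSH-002", "Empty passwords must not be accepted",
         equals("permitemptypasswords", "no"),
         "Set 'PermitEmptyPasswords no' and reload sshd."),
    Rule("EXAMPLE-SSH-003", "Idle sessions must time out within 600 seconds",
         int_at_most("clientaliveinterval", 600),
         "Set 'ClientAliveInterval' to 600 or less and reload sshd."),
    Rule("EXAMPLE-SSH-004", "A login banner must be configured",
         is_set_not_none("banner"),
         "Set 'Banner' to the path of the approved notice file."),
]


def evaluate(config: dict[str, str], rules=RULES) -> list[Finding]:
    """Run every codified check against one parsed configuration."""
    return [Finding(r.rule_id, r.title, "pass" if r.check(config) else "fail", r.fix)
            for r in rules]


def summarize(findings: list[Finding]) -> dict:
    """Pipeline-friendly rollup: counts plus the IDs a gate should block on."""
    failed = [f.rule_id for f in findings if f.status == "fail"]
    return {"pass": len(findings) - len(failed), "fail": len(failed),
            "failed_rules": failed}


# Constructed sample inputs (not captured from any real system).
NONCOMPLIANT_SSHD = """\
# constructed sshd_config with several drifted settings
PermitRootLogin yes        # should be no
PermitEmptyPasswords no
ClientAliveInterval 3600
"""

COMPLIANT_SSHD = """\
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 300
Banner /etc/issue.net
"""

if __name__ == "__main__":
    for f in evaluate(parse_kv_config(NONCOMPLIANT_SSHD)):
        print(f"{f.rule_id} {f.status.upper():4} {f.title}")
        if f.status == "fail":
            print(f"    fix: {f.fix}")
    print(summarize(evaluate(parse_kv_config(NONCOMPLIANT_SSHD))))
```

The point of the shape is that the rule list is data: adding a control means adding a record, not editing the engine, and the same `evaluate` call runs unchanged in the Build, Test and Runtime stages of a pipeline so that the findings can be compared over time rather than re-read from a document at each audit.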
Approved for 1 CompTIA CEU: A+, Network+, Security+, Cloud+, and Linux+; 1 GIAC CPE; and 1 CertNexus CFR CEC