Written by Jackson Barnett
Efforts to expand the use of the Air Force's Platform One software development environment have come to a standstill after several military IT managers voiced cybersecurity concerns about the platform, FedScoop has learned.
Concerns center on officials' understanding of the architecture, its environment policies and a perceived lack of security documentation. Some officials have attempted to outright ban the use of code stored in one of its repositories, and reciprocity talks with other services have been put on hold due to differences in the level of risk each is willing to accept, several sources with knowledge of the matter told FedScoop.
The success of Platform One and its replication across the military could have huge impacts for developers who need a secure coding method for their products to be approved by DOD authorizing officials. But to achieve widespread use, managers in multiple services must approve its use, and reciprocity with similar coding environments must be negotiated between services.
Platform One is one of the Air Force's premier offices for digital innovation. It is focused on navigating the Department of Defense bureaucracy to create technology it says is more secure than DOD's current risk-averse processes. The core technology runs on Kubernetes, the open source system originally developed by Google for running software packaged in "containers." It has been touted by its leaders as a key part of DOD's drive to become a digital organization by leveraging what's known as DevSecOps, a technical and cultural approach to writing code that integrates security into every level of development.
"As pioneers, all of these programs broke the glass and were greeted by many with joy and by some with hesitation," said Lauren Knausenberger, Air Force CIO, in a statement provided to FedScoop. She added: "We do our best to educate people on new technologies and new processes and use their experience to help them constantly adapt."
Instead of going through DOD's de facto process for software authorization, Platform One gained an approval under which the authorization of new code is automated, essentially accrediting a recipe rather than testing each batch.
DOD's standard software authorization process requires developers to submit code to a multi-month, checklist-based approval process each time they want to push an update. Some IT managers claim this can leave software systems vulnerable to breaches, because the systems sit stagnant while updates are being checked.
Advocates of Platform One say that by focusing on the process of writing code, the platform is more secure, faster, and in line with industry best practices.
"Platform One prioritizes cybersecurity over compliance controls. Do people want to be safe or do they want to be compliant? Both require work, and some prefer one over the other," Rob Slaughter, former director of Platform One, told FedScoop.
But despite the improved security processes Platform One describes, officials who want to use it say they have concerns.
The problem for some, said Slaughter, is, "They [Platform One] just don't have the homework in the right format."
Speaking to FedScoop, former DOD CISO Jack Wilmer said the individual issues raised by officials were not especially dangerous in themselves, but demonstrated that without a way for the services to reach a common understanding of cyber risk mitigation, reciprocity is difficult to achieve.
Several officials who requested Platform One's security documentation said they had not received any, creating mistrust of the system. Officials who had discussed using Platform One or were familiar with its practices told FedScoop that they felt the remediation process was too ad hoc for their comfort and that the authorization of new containers was too centralized.
Officials were also particularly concerned about one of Platform One's products, Iron Bank, which stores open source code in containers. The issues with Iron Bank revolve around a perceived lack of verification of who is contributing and the lack of a legal framework for issuing fixes for code stored on the system.
Some of the concerns about Iron Bank’s remediation process and software supply chain were brought to the attention of the DOD CIO office during a meeting on expanding the use of Iron Bank, according to two officials close to the meeting.
Emails reviewed by FedScoop indicate that officials have “a desire for more transparency and input into the verification process” of Iron Bank containers.
Danielle Metz, a deputy in the DOD CIO office who chaired the meeting, said such meetings are held regularly to help develop Iron Bank's technology.
"Implementing software containers is a rapidly growing but still relatively nascent area for DoD. The Air Force Iron Bank has been at the forefront of identifying secure and repeatable processes for software development and insertion into Platform One and other programs across DoD," she said in a statement to FedScoop.
Knausenberger praised Platform One's role in removing barriers to new technology in DOD and told FedScoop that many of the concerns boiled down to a misunderstanding of the new technology.
“These programs all do things differently,” she said.
The Navy is working on its own DevSecOps platform, similar to Platform One, called Black Pearl. Navy and Air Force officials negotiated a reciprocity agreement so that the Navy would not have to redo work already done by Platform One. But discussions have stalled on technical details regarding how Platform One accepts risk and how it stores documentation of its security practices, officials said.
A Navy spokesperson told FedScoop in a statement that it is "strongly committed" to working with Platform One and to ensuring that cybersecurity practices "are transparent and repeatable to maximize reciprocity."
"The Department of the Navy and our partners are committed to seeing this work succeed," said the spokesperson.
Navy officials had requested documents through the Enterprise Mission Assurance Support Service (eMASS), a system that stores security packages. Because Platform One does not follow traditional compliance processes, it says its documentation is not in the format supported by eMASS. Instead, the team "[automates] the vast majority of their security checks and audits, and store their documents in real time in their GIT repositories," Knausenberger said.
“This still scares security assessors sometimes because they are not used to finding documents in real time in a code repository,” she said.
Knausenberger added that Platform One sometimes draws criticism because it regularly works with cybersecurity red teams, hackers tasked with playing the adversary role, and, because those teams are good at what they do, they sometimes identify vulnerabilities.
"Every time they do it, these teams take it very seriously, they learn from the results and they make fixes very quickly. Compare this to existing programs that have submitted a checklist at some point and may not know what issues currently exist, or may not be able to resolve them quickly. While change can make people uncomfortable, it's the kind of change we need to win," Knausenberger said.