Date post: 20-Jul-2020
Compile to Combat in 24 Hours (C2C24) Scaling up the ability to deliver software capability “at the speed of relevance” Presented by Richard Jack Distinguished C4ISR Software Engineer (SSTM) [email protected] Statement A: Approved for Public Release, Distribution Unlimited.
Page 1

Compile to Combat in 24 Hours (C2C24)
Scaling up the ability to deliver software capability “at the speed of relevance”

Presented by Richard Jack, Distinguished C4ISR Software Engineer (SSTM)
[email protected]

Statement A: Approved for Public Release, Distribution Unlimited.

Page 2

From Isolated Systems to Information Warfare

[Diagram: progression from stovepipe systems to a data-centric organization. Stages, left to right:]
Stovepipe Systems
Shared Infrastructure – Compute and Storage
Shared Afloat Core Services
User Centered – business logic and presentation
Data Centric – Exposing and Sharing of Data
Data Centric, Shared, Actionable Awareness Across Units & Composite Warfare Structure

[Platforms labelled in the diagram: CVN, Surface Action Group, Carrier Air Wing, Maritime Reconnaissance, Overhead, Other Surveillance, Unattended Unmanned Submarines]

Moving to a data centric organization – enabling DWO efforts

Page 3

Navy Challenges – Industry Comparison

[Figure: side-by-side comparison, “Industry Example” vs. “Navy Example”]

DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver capability and services at high velocity without sacrificing Quality or Security.

Page 4

Navy Embracing a Cultural Shift

▼ Commercial Cloud – Embrace use of Commercial Cloud, taking advantage of Commercial Cloud agility and elasticity for SecDevOps

▼ SecDevOps/RMF – Use of SecDevOps and automation, including RMF testing and leveraging the “Software Inheritance Model (SIM)” (e.g., as a part of the assess and incorporate process) to help streamline the ATO process.

▼ Shared Infrastructure – Use of secure shared infrastructure (e.g., CANES), including a shared software platform that provides Platform as a Service (PaaS)/Container as a Service (CaaS) for software applications (e.g., ACS).

▼ Shift towards Modern Application Architectures – Use of a standardized data strategy, enabling data reuse by many application components, and efficient use of bandwidth through efficient inter-component messaging.

Rapid capability insertion with speed, scale, and rigor

Page 5

C2C24 and Changing the Process Culture

RAISED – (aka “ATO in a Day”)

[Diagram: layered stack labelled Infrastructure, Platform as a Service, Apps; beside it the labels Model for Apps meeting compliance, SW Architecture and Standards, Compliance]

[Slide image: spreadsheet excerpt from the “(SYSTEM NAME) (eMASS #) NIST 800-53r4 Security Control Catalog Selection & Tailoring Tool”, shown as an example of a catalog pre-tailored so that an app can inherit controls. Cell text is reproduced only as far as it is legible in the slide.]

Header columns, left to right: Control | Def. | Impl. | Guid. | APs | BOE | Type | Title | CCI | Confidentiality | Integrity | Availability | Inheritable by lower-level system? | Tier I Inheritance (DoD Level) | Tier II Inheritance (Navy or COCOM) | Tier III Inheritance (Technical) | Control Information | Tier III Inheritance (Operations) | SecDevOps | Tier III Inheritance (ACS/OpenShift) | Tier III Inheritance (Ship) | Tier III Inheritance ADNS | Tier III Inheritance CANES - Model 1 | Tier 3 Inheritance CND | Tier III Inheritance STACC | System/Program (Not Inheritable) | +/-
Other header fragments visible: IDM M M

AC-1 | X | X | X | Type: P | Title: Access Control Policy and Procedures | CCIs: CCI-000001, CCI-000002, CCI-000003, CCI-000004, CCI-000005, CCI-000006, CCI-001545, CCI-001546, CCI-002107, CCI-002108

AC-1.1 | X X X | The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the | DoD has defined the | The organization being | Automatically compliant | Policy | X
AC-1.2 | X X X | The organization defines the personnel or roles to be recipients of the procedures necessary to facilitate the | DoD has defined the | The organization being | Automatically compliant | Policy | X
AC-1.3 | X X X | The organization develops and documents an access control policy that addresses purpose, scope, roles, | The organization being | The organization | 1.) Provide signed and | Policy | X
AC-1.4 | X X X | The organization disseminates the access control policy to organization-defined personnel or roles. | The organization being | The organization | 1.) Provide signed and | Policy | X
AC-1.5 | X X X | The organization develops and documents procedures to facilitate the implementation of the access control | The organization being | The organization | 1.) Provide signed and | Policy | X
AC-1.6 | X X X | The organization disseminates the procedures to facilitate access control policy and associated access controls to | The organization being | The organization | 1.) Provide signed and | Policy | X
AC-1.7 | X X X | The organization reviews and updates the access control policy in accordance with organization-defined frequency. | The organization being | The organization | 1.) Provide signed and | Policy | X
AC-1.8 | X X X | The organization defines a frequency for reviewing and updating the access control policy. | DoD has defined the | The organization being | Automatically compliant | Policy | X
AC-1.9 | X X X | The organization reviews and updates the access control procedures in accordance with organization-defined | The organization being | The organization | 1.) Provide Site's audit | Policy | X
AC-1.10 | X X X | The organization defines a frequency for reviewing and updating the access control procedures. | DoD has defined the | The organization being | Automatically compliant | Policy | X

RMF Assess and Incorporate SW Engineering in a Day (RAISED)

Automated Security Testing and Automated RMF

Light weight apps packaged as containers riding on the CANES PaaS
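The tiered inheritance that the slide's tailoring tool encodes (an item satisfied at DoD, Navy/COCOM or platform level is automatically compliant for an app riding on that authorization; everything else stays with the system/program as residual body of evidence) can be modelled as a small computation. The Python below is an added illustration, not the Navy's tool or the presenter's code. The Tier names follow the column headers on the slide; the sample catalog is constructed from the AC-1.x row fragments (the “DoD has defined the … Automatically compliant” rows are taken as Tier I, the “Provide signed … Policy” rows as system responsibility); PLATFORM-EXAMPLE is a placeholder item with no real control identifier; and the two deployment sets (on the PaaS vs. stand-alone) are assumptions.

```python
"""Tiered control-inheritance model (added illustration; assumptions are
commented).  An app hosted on an authorized platform inherits every control
item satisfied at or above the platform's tier; what is left is the residual
body of evidence (BOE) the program itself must supply for its ATO."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Set


class Tier(Enum):
    """Tier names taken from the tailoring-tool column headers on the slide."""
    TIER_I = "Tier I Inheritance (DoD Level)"
    TIER_II = "Tier II Inheritance (Navy or COCOM)"
    TIER_III = "Tier III Inheritance (Technical, e.g. CANES PaaS)"
    SYSTEM = "System/Program (Not Inheritable)"


@dataclass(frozen=True)
class ControlItem:
    control: str        # control or enhancement id, e.g. "AC-1.1"
    satisfied_by: Tier  # lowest tier whose authorization covers this item
    boe: str            # evidence the responsible party must provide


@dataclass
class Assessment:
    inherited: Dict[str, Tier]  # control id -> tier it is inherited from
    residual: Dict[str, str]    # control id -> BOE the program must provide


def assess(catalog: Iterable[ControlItem], inherited_tiers: Set[Tier]) -> Assessment:
    """Split `catalog` into inherited and residual items for one deployment.

    `inherited_tiers` lists the tiers whose authorizations the deployment
    rides on.  SYSTEM is never inheritable, so it is dropped even if passed:
    a program cannot claim inheritance of its own responsibilities.
    """
    usable = set(inherited_tiers) - {Tier.SYSTEM}
    out = Assessment(inherited={}, residual={})
    for item in catalog:
        if item.satisfied_by in usable:
            out.inherited[item.control] = item.satisfied_by
        else:
            out.residual[item.control] = item.boe
    return out


def residual_fraction(a: Assessment) -> float:
    """Share of catalog items the program still has to evidence itself."""
    total = len(a.inherited) + len(a.residual)
    return len(a.residual) / total if total else 0.0


def report(catalog: Iterable[ControlItem], inherited_tiers: Set[Tier]) -> List[str]:
    """Human-readable summary lines, one per control item plus a total."""
    a = assess(catalog, inherited_tiers)
    lines = [f"{c}: inherited from {t.value}" for c, t in a.inherited.items()]
    lines += [f"{c}: program must provide: {boe}" for c, boe in a.residual.items()]
    lines.append(f"residual items: {len(a.residual)} of {len(a.inherited) + len(a.residual)}")
    return lines


# Constructed sample catalog.  Tier assignments are inferred from the AC-1.x
# row fragments on the slide ("DoD has defined the ... Automatically
# compliant" -> Tier I; "Provide signed ... Policy" -> system/program).
# PLATFORM-EXAMPLE is a placeholder, not a real control identifier.
_SYSTEM_BOE = "signed access control policy/procedure"
SAMPLE_CATALOG = [
    ControlItem("AC-1.1", Tier.TIER_I, "DoD-defined policy recipients"),
    ControlItem("AC-1.2", Tier.TIER_I, "DoD-defined procedure recipients"),
    ControlItem("AC-1.3", Tier.SYSTEM, _SYSTEM_BOE),
    ControlItem("AC-1.4", Tier.SYSTEM, _SYSTEM_BOE),
    ControlItem("AC-1.5", Tier.SYSTEM, _SYSTEM_BOE),
    ControlItem("AC-1.6", Tier.SYSTEM, _SYSTEM_BOE),
    ControlItem("AC-1.7", Tier.SYSTEM, _SYSTEM_BOE),
    ControlItem("AC-1.8", Tier.TIER_I, "DoD-defined review frequency"),
    ControlItem("AC-1.9", Tier.SYSTEM, "site's audit of procedure reviews"),
    ControlItem("AC-1.10", Tier.TIER_I, "DoD-defined review frequency"),
    ControlItem("PLATFORM-EXAMPLE", Tier.TIER_III, "platform (PaaS) evidence"),
]

# Assumed deployments: an app riding on the CANES PaaS inherits all three
# tiers; a stand-alone install of the same app inherits only Tiers I and II.
ON_PAAS = {Tier.TIER_I, Tier.TIER_II, Tier.TIER_III}
STANDALONE = {Tier.TIER_I, Tier.TIER_II}

if __name__ == "__main__":
    for name, tiers in (("on PaaS", ON_PAAS), ("stand-alone", STANDALONE)):
        print(f"--- {name} ---")
        print("\n".join(report(SAMPLE_CATALOG, tiers)))
```

Running the module prints the two assessments side by side: the same app loses the platform-level inheritance the moment it is deployed off the PaaS, which is the practical reason the RAISED flow ties “ATO in a day” to apps packaged as containers on a shared, already-authorized platform. The SYSTEM tier is deliberately filtered out of `inherited_tiers` so that a misconfigured input cannot make a program's own obligations disappear.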

Page 6

QUESTIONS?
