Compile to Combat in 24 Hours (C2C24)
Scaling up the ability to deliver software capability “at the speed of relevance”
Presented by Richard Jack, Distinguished C4ISR Software Engineer (SSTM)
Statement A: Approved for Public Release, Distribution Unlimited.
From Isolated Systems to Information Warfare
[Diagram: transition from stovepipe systems to data centric, shared, actionable awareness across units and the composite warfare structure. Layers shown: Shared Infrastructure – compute and storage; Shared Afloat Core Services; User Centered – business logic and presentation; Data Centric – exposing and sharing of data. Platforms shown: CVN, Surface Action Group, Unattended Unmanned Submarines, Carrier Air Wing, Maritime Reconnaissance, Overhead, Other Surveillance.]
Moving to a data centric organization – enabling DWO efforts
Navy Challenges – Industry Comparison
[Diagram: Industry Example compared side by side with Navy Example]
DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver capability and services at high velocity without sacrificing quality or security.
Navy Embracing a Cultural Shift
▼ Commercial Cloud – Embrace use of Commercial Cloud, taking advantage of Commercial Cloud agility and elasticity for SecDevOps
▼ SecDevOps/RMF – Use of SecDevOps and automation, including RMF testing and leveraging the “Software Inheritance Model (SIM)” (e.g., as a part of the assess and incorporate process) to help streamline the ATO process.
▼ Shared Infrastructure – Use of secure shared infrastructure (e.g., CANES), including a shared software platform that provides Platform as a Service (PaaS) / Container as a Service (CaaS) for software applications (e.g., ACS).
▼ Shift towards Modern Application Architectures – Use of a standardized data strategy, enabling data reuse by many application components, and efficient use of bandwidth through efficient inter-component messaging.
Rapid capability insertion with speed, scale, and rigor
C2C24 and Changing the Process Culture
RAISED – (aka “ATO in a Day”)
[Diagram: stack of Infrastructure, Platform as a Service, and Apps, alongside a model for apps meeting compliance: SW Architecture and Standards, Compliance.]
[Worksheet screenshot: “(SYSTEM NAME) (eMASS #) NIST 800-53r4 Security Control Catalog Selection & Tailoring Tool”, showing control AC-1, Access Control Policy and Procedures, broken out into rows AC-1 through AC-1.10 and mapped to CCI-000001, CCI-000002, CCI-000003, CCI-000004, CCI-000005, CCI-000006, CCI-001545, CCI-001546, CCI-002107 and CCI-002108. Columns: IDM (Def., Impl., Guid.); APs; BOE Type (Policy for every AC-1 row); Title; Confidentiality; Integrity; Availability; Inheritable by lower-level system?; Tier I Inheritance (DoD Level); Tier II Inheritance (Navy or COCOM); Tier III Inheritance (Technical); Tier III Inheritance (Operations); SecDevOps; Tier III Inheritance (ACS/OpenShift); Tier III Inheritance (Ship); Tier III Inheritance (ADNS); Tier III Inheritance (CANES - Model 1); Tier 3 Inheritance (CND); Tier III Inheritance (STACC); System/Program (Not Inheritable); +/-.]
Row text as shown (several cells are cut off in the slide):
AC-1.1 – The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the (cut off)
AC-1.2 – The organization defines the personnel or roles to be recipients of the procedures necessary to facilitate the (cut off)
AC-1.3 – The organization develops and documents an access control policy that addresses purpose, scope, roles, (cut off)
AC-1.4 – The organization disseminates the access control policy to organization-defined personnel or roles.
AC-1.5 – The organization develops and documents procedures to facilitate the implementation of the access control (cut off)
AC-1.6 – The organization disseminates the procedures to facilitate access control policy and associated access controls to (cut off)
AC-1.7 – The organization reviews and updates the access control policy in accordance with organization-defined frequency.
AC-1.8 – The organization defines a frequency for reviewing and updating the access control policy.
AC-1.9 – The organization reviews and updates the access control procedures in accordance with organization-defined (cut off)
AC-1.10 – The organization defines a frequency for reviewing and updating the access control procedures.
Inheritance annotations visible on the rows: AC-1.1, AC-1.2, AC-1.8 and AC-1.10 carry “DoD has defined the (cut off)” and “Automatically compliant”; AC-1.3 through AC-1.7 carry “The organization being (cut off)” and “1.) Provide signed and (cut off)”; AC-1.9 carries “1.) Provide Site's audit (cut off)”.
RMF Assess and Incorporate SW Engineering in a Day (RAISED)
Automated Security Testing and Automated RMF
Lightweight apps packaged as containers riding on the CANES PaaS
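To make the inheritance columns of the tailoring tool concrete, here is an added Python model (not Navy, PEO or program code) that resolves each CCI of a control to the tier supplying its body of evidence, or leaves it with the system/program, and flags a tier claiming a CCI the catalog marks not inheritable. The tier names follow the worksheet columns; the consultation order and the CCI-to-tier assignments are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Worksheet inheritance columns in the order the slide lists them. Assumption
# (not stated on the slide): tiers are consulted in this order, and the first
# tier whose evidence covers a CCI becomes its source of record.
TIERS = ["Tier I (DoD)", "Tier II (Navy/COCOM)", "Tier III (Technical)",
         "Tier III (Operations)", "Tier III (ACS/OpenShift)", "Tier III (Ship)",
         "Tier III (ADNS)", "Tier III (CANES - Model 1)", "Tier 3 (CND)",
         "Tier III (STACC)"]
SYSTEM = "System/Program (Not Inheritable)"

@dataclass(frozen=True)
class Control:
    cci: str           # CCI identifier, e.g. "CCI-000001"
    inheritable: bool  # the "Inheritable by lower-level system?" column
    boe_type: str      # the "BOE Type" column ("Policy" for every AC-1 row)

@dataclass(frozen=True)
class Provider:
    tier: str
    covers: frozenset  # CCIs for which this tier holds inheritable evidence

def resolve(controls, providers):
    """Map each CCI to the tier it inherits from, or to SYSTEM when the app
    team must produce its own body of evidence (BOE)."""
    by_tier = {p.tier: p.covers for p in providers}
    result = {}
    for c in controls:
        result[c.cci] = SYSTEM
        for tier in TIERS if c.inheritable else ():
            if c.cci in by_tier.get(tier, ()):
                result[c.cci] = tier
                break
    return result

def residual(controls, providers):
    """CCIs still owed by the app after inheritance, with their BOE type."""
    src = resolve(controls, providers)
    return sorted((c.cci, c.boe_type) for c in controls if src[c.cci] == SYSTEM)

def conflicts(controls, providers):
    """Tailoring errors: a tier claims a CCI the catalog marks not inheritable."""
    claimed = set().union(*(p.covers for p in providers))
    return sorted(c.cci for c in controls if not c.inheritable and c.cci in claimed)
# Constructed sample: four of the AC-1 CCIs shown on the slide. Which tier
# covers which CCI is an assumption for illustration, not the real mapping.
AC1 = [Control("CCI-000001", True, "Policy"), Control("CCI-000002", True, "Policy"),
       Control("CCI-000003", False, "Policy"), Control("CCI-002107", True, "Policy")]
PROVIDERS = [Provider("Tier I (DoD)", frozenset({"CCI-000002", "CCI-002107"})),
             Provider("Tier III (ACS/OpenShift)", frozenset({"CCI-000001", "CCI-000003"}))]
```

With the sample data, `residual(AC1, PROVIDERS)` leaves only CCI-000003 with the app team, and `conflicts(AC1, PROVIDERS)` reports the same CCI because the platform tier claims it despite the catalog marking it not inheritable.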
QUESTIONS?