DevSecOps and Enterprise Data Management

DevSecOps

DevSecOps addresses two enterprise objectives. The first is establishing, maintaining, and enforcing a continuous loop of ever-evolving best practices for secure development and operations. The second is integrating security experts into the development process so that they better understand the steps being taken to safeguard applications and can participate directly in tradeoff decisions.

In essence, DevSecOps forward deploys the security audit process — accelerating delivery by closing the loop between secure development and security validation.

Ultimately, DevSecOps helps federal agencies shift away from thinking about and investing in application development (including IT modernization) and cybersecurity as two separate initiatives. They can and, indeed, should be combining development, modernization, and security as a single integrated focus with joint decision-making.

Software and cybersecurity pervade all aspects of DoD's mission, from business systems to weapons systems to Artificial Intelligence to cybersecurity to space. CSEngineering helps DoD and IC programs that are establishing DevSecOps capabilities to:

  • Deliver applications rapidly and in a secure manner, increasing the warfighter's competitive advantage

  • Bake in and enforce cybersecurity functions and policy from inception through operations

  • Enhance enterprise visibility of development activities and reduce accreditation timelines

  • Ensure seamless application portability across the enterprise, Cloud, and disconnected, intermittent, and classified environments

  • Drive DoD transformation to Agile and Lean Software Development and Delivery

CSEngineering maintains and supports the Platform One DevSecOps stack across multiple security classifications. We leverage Platform One Infrastructure as Code (IaC) and Configuration as Code (CaC) to onboard and support a variety of platform teams across the DoD onto various Kubernetes distributions (Kubernetes upstream, Rancher, OpenShift, VMware Tanzu, etc.) for disconnected environments, both classified and unclassified, in collaboration with the various companies that created the Kubernetes distributions.

We leverage and develop Platform One IaC/CaC to be fully cloud-agnostic (including on-premises infrastructure), using technologies such as Terraform, Ansible, Helm, and Kubernetes Operators.

We enhance the cybersecurity and the code security process of the Platform One stack across all classified and unclassified environments.

We develop necessary IaC/CaC changes to allow for the automated deployment of Platform One and DSOP into Cloud One (Air Force Cloud with Azure Government and AWS GovCloud) and other commercial and Government cloud tech stacks. Our engineers utilize new and continuously hardened containers from Iron Bank.

 

Our programmers develop backend and automated processes that automate the container accreditation process, in React/Python and other modern programming languages. One example is the Whitelist User Interface (UI), which enables accreditation teams and container maintainers to review and approve findings to get containers accredited.

Federal Enterprise Architecture 

CSEngineering has a long track record of implementing Federal Enterprise Architecture (FEA) and Department of Defense Information Enterprise Architecture (DoD IEA), along with their associated reference models.

FEA and DoD IEA represent a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a holistic approach at all times, for the successful development and execution of strategy. Enterprise architecture applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies. This includes everything from a small mobile application development project to the design and installation of, and migration to, a complex network serving hundreds of thousands of users. These practices utilize the various aspects of an enterprise to identify, motivate, and achieve these changes.

CSEngineering promotes IT solutions that support Federal government operational requirements for standardized technology and application service components. This facilitates integration requirements for broad Federal IT and e-Gov Initiatives, and promotes the sharing, consolidation, and “re-use” of business processes and systems across the Federal government. We promote the use of open source solutions and open technology development where practicable to enable this “re-use” in accordance with the underlying tenets of FEA/DoD IEA and to address any number of areas of interest within the limits of IT and supporting services and disciplines.

Application Services

Application Services provide support for all applications and collaborative service capabilities. These services include support for developing and implementing enterprise and departmental-level applications. These applications may be “cross-cutting” in nature, with inter-related service processing components extending across/beyond the enterprise, or unique to a particular agency/department’s mission requirements.

We promote, to the maximum extent practicable, the use of commercially available technologies (e.g., Commercial Off-the-Shelf (COTS) and non-developmental items) to support Federal government agencies’ IT solution requirements. CSE provides competencies to employ agencies’ enterprise architectures (EAs) to support IT solutions development and implementation and alignment with the FEA.

Our Application Services include complete life cycle support, including planning, analysis, research and development, design, development, integration and testing, implementation, operations and maintenance, information assurance, and final disposition.

We provide Application Services for systems required to support unique agency and departmental-level mission requirements. These services include support for existing and/or new/emerging mission requirements.

Digital Asset Services

Content Management: Content development, maintenance, updates, and distribution (e.g., content authoring, content review/approval, tagging/aggregation, content publishing/delivery, syndication management).

Document Management: Capturing, indexing, and maintaining documents (e.g., document imaging, optical character recognition (OCR), document revisions, library/storage, review/approval, document conversion, indexing/classification).

Knowledge Management: Collecting and processing data from multiple sources and generating information to support business requirements (e.g., information retrieval, information mapping/taxonomy, information sharing, categorization, knowledge engineering, knowledge capture/distribution/delivery, smart documents).

Records Management: Administration of official government records (record linking/association, record storage/archival, document classification, document retirement, digital rights management). 

Back Office Services

Data Management: Creating, using, processing, and managing data resources (e.g., data exchange, data mart, data warehouse, metadata management, data cleansing, extraction and transformation, data recovery).

Human Resources: Recruitment, training, and management of government personnel (e.g., recruiting, career development/retention, time reporting, awards/benefit management, retirement management, education/training, travel management).

Financial Management: Government financing and accounting activities (e.g., billing and accounting, credit/charge, expense management, payroll, payment/settlement, debt collection, revenue management, internal controls, auditing, activity based management, currency translation).

Asset/Material Management: Acquisition and management of Federal government assets (property/asset management, asset cataloging/identification, asset transfer/allocation/maintenance, facilities management, computers/automation management).

Development and Integration: Development and integration of systems across diverse operating platforms (e.g., legacy integration, enterprise application integration, data integration, instrumentation/testing, software development).

Human Capital/Workforce Management Development and Integration: Planning and supervisory operations surrounding government personnel (e.g., resource planning/allocation, skills management, workforce directory/locator, team/organization management, contingent workforce management). 

IT Security and Controls

IT Security

CSEngineering is experienced in the development and implementation of the management, operational, and technical security controls that agencies require to assure that desired levels of protection for IT systems and data are achieved (e.g., establishing policy/procedures in support of Federal IT security requirements; conducting risk assessments to identify threats/vulnerabilities for existing/planned systems; supporting Federal mandates for measuring and reporting compliance; performing certification and accreditation (C&A) activities; providing training services to promote awareness and knowledge of compliance responsibilities for Federal IT security requirements).

System and Network Controls

We facilitate the planning, development, implementation, and management of system and network control mechanisms to support communication and automated needs. We also facilitate the planning, organizing, coordinating, and controlling of the arrangement of the elements of protection and monitoring capabilities, and incident recovery actions of the information environment. The process takes configuration orders, status reports, and operational and functional performance requirements as inputs and provides performance capabilities and service and infrastructure controls as outputs.

System and network controls are governed by environment standards such as policy and operational guidance. We support the service control requirements that enable network controls and operational performance capabilities.