Application and Workload Capabilities

Establish application identification:

• Identify all legitimate and necessary applications required for various functions in the Component and create a whitelist of these approved applications to reference or make changes to later. This may involve contacting vendors, reviewing documentation, and/or using software discovery solutions. These can range from basic network discovery solutions built into common operating systems to more comprehensive commercial solutions.

Establish code identification:

• Gather necessary contextual information, such as code source names, unique identifiers, location (on-premises or off-site), and supportability. This information is used with other Zero Trust (ZT) services to create need-to-know access to each application.

Enable network traffic discovery:

• Leverage network analysis and deep packet inspection to capture network traffic and identify applications based on data flows, communication patterns, protocols, and port usage.

Enable signature-based discovery:

• Review and analyze code source file headers and associated metadata to identify existing codes based on known attributes and unique signature patterns.

Define objectives and scope:

• Clearly define what constitutes a legacy, virtualized on-premises, or cloud-hosted application. Define the details to be collected, including vendor information, version numbers, commercial names, patch levels, licensing details, support contacts, etc.
• Identify the details necessary for effective application and code management. Consider factors like age, hosting environment, and dependencies.

Establish common criteria:

• Review the approved applications list and classify each according to the established criteria. This will involve consultation with application owners or technical experts and product documentation references.
• Add the new classification fields to the Component’s application tracking solution if the fields are not already present.

Establish code ownership:

• Review features within code source attributes and file metadata to establish and document code ownership.

Define objectives and scope:

• Identify the details necessary for effective application and code management.

Establish code repository management:

• Collect, maintain, and review classification attributes. Leverage the National Institute of Standards and Technology (NIST) cybersecurity framework to maintain inventories for all types of software and services, including Commercial Off-The-Shelf (COTS), open-source, custom applications, Application Programming Interface (API) services, and cloud-based applications and services.
• Update the inventory or repository with the classification details for each approved application.

Explore inventory methods:

• Enable automated discovery with scanning tools and technologies to identify applications, operating systems, software components, versions, and unique code source patterns.
• Collaborate with stakeholders and specific mission partners to provide manual input and insights on relevant application purpose and functionality, classification attributes, and applicable risk-based security bulletins.

Established a centralized repository:

• Set up an encrypted central repository for the application whitelist. At its outset, this can begin as a manual process using a spreadsheet or database, then move to centralized ownership using an Information Technology (IT) asset management system, such as a Configuration Management Database (CMDB). CMDBs store application information and can track changes, relationships, and dependencies.

Maintain Application/Code Inventory:

• Verify and validate the accuracy of the application/code inventory in accordance with the Enterprise/Component defined requirements, or at a recommended frequency of no greater than annually.

Review recommended DevSecOps best practice architecture to include CI/CD pipelines:

• Adopt guidance on how specific collections of technologies form a secure and effective DevSecOps platform for building software.
• Leverage Software as a Service (SaaS) deployment and Infrastructure as Code (IaC) to quickly and securely establish a DevSecOps environment where development tools are separated from testing and production deployments.

Establish Component-level DevSecOps policy and processes aligned with mission specifics:

• Leverage the advanced and highly scalable programmable infrastructure provided by an approved Cloud Service Provider (CSP) while considering potential vendor lock-in when selecting and deploying services.
• Explore existing programs, such as the Defense Information Systems Agency (DISA) Hosting and Computer Center (HaCC), for secure cloud service templating and the ability to preserve security controls when pursuing Authorization to Operate (ATO).
• Communicate and ensure that security requirements for software development are shared and known by all stakeholders, including third-party partners providing commercial and customized software components.

Assemble cross-functional teams to execute a DevSecOps strategy:

• Define goals and objectives in establishing a DevSecOps program, such as:
  • Build secure, agile applications.
  • Reduce mean time to production.
  • Improve mean time to recovery.
  • Automate risk and threat modeling.
  • Create an immutable platform, such as a logical container that prevents modification after instantiation.
• Promote and adopt a DevSecOps culture where self-organized teams break down silos and unify software development, deployment, security, and operations through the adoption of an automated CI/CD pipeline.

Build standardized playbooks:

• Assess the current security posture in accordance with the Enterprise/Component requirements.
• Adopt continuous knowledge sharing.
• Enable software built-in security.
• Leverage secure open source.
• Implement approved automated toolchains to reduce human effort and improve security practices' accuracy, reproducibility, usability, and comprehensiveness throughout the Software Development Lifecycle (SDLC).

Automate approved deployments:

• Enforce secure, mandatory code signing.
• Automate all repeatable tasks.
• Adopt CI.
• Adopt CD.
• Enable security testing automation.
• Integrate security into the CI/CD pipeline.

Enable continuous Specific, Measurable, Achievable, Relevant, and Time-bound (SMART) performance metrics:

• Continuously develop technical expertise to advance DevSecOps adoption and improvement.
• Adopt a capability model, not a maturity model, leveraging tempo metrics (e.g., deployment frequency, change lead time, etc.) and stability metrics (e.g., mean time to recovery, change failure rate, etc.).
• Establish a software factory model through the adoption of the known four (4) key Phases:
  • Design
  • Instantiate
  • Verify and validate
  • Operate and monitor
• Adopt containerized microservices
• Persistently strive for built-in cyber resilience—the ability to anticipate, withstand, recover from, and adapt to adverse threat conditions—while ensuring the confidentiality, integrity, and availability of essential key mission requirements remain secure.

Assess security and select vulnerability testing methodologies:

• Define criteria for software security checks and enable tracking throughout the SDLC.
• Adopt and implement a range of software security testing methodologies to include:
  • Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA)
  • Container security scanning
  • IaC scanning
  • Runtime Application Self-Protection (RASP)
  • Cybersecurity testing and evaluation

Integrate vulnerability scanning into the CI/CD pipeline:

• Incorporate multiple security checks at each stage of the CI/CD pipeline (e.g., build, test, deploy, etc.).
• Conduct early and frequent testing and evaluation to rapidly adapt to change and ensure safe failure mechanisms for critical vulnerabilities.

Prioritize, report, and remediate:

• Establish a straightforward process for triaging and prioritizing critical, high-value vulnerabilities based on severity, mission impact, and exploitability.
• Develop built-in feedback loops to streamline the remediation process. Conduct early and frequent scanning and share reports with developers, quality assurance testers, and the teams for quick intervention.

Review the Enterprise Directives on DevSecOps and software modernization strategy:

• Leverage Enterprise policy and guidance.

Develop a Component-level DevSecOps program to streamline the software modernization strategy:

• Establish different process workflows essential for a secure Software Development Lifecycle (SDLC) to align with specific mission constraints, such as:
  • System complexity
  • Architecture model
  • Technical requirements
  • Risk tolerance level
  • Service level agreement
  • User/Person Entity (PE) experience
• Leverage the cloud Infrastructure as Code (IaC) reference design to build secure native cloud infrastructure for the DevSecOps environment.
• Establish a version-controlled, Component-wide DevSecOps governance based on Enterprise guiding principles, evolving toward a stringent, continuous security posture improvement.

Build and deliver a resilient software capability at the speed of relevance:

• Leverage the Enterprise’s DevSecOps Managed Service Provider (MSP) to design, build, and establish an approved DevSecOps software factory platform with multi-tenancy capabilities.
• Assess and upgrade the existing infrastructure and technology stack to ensure compliance with DevSecOps toolchains, Continuous Integration/Continuous Delivery (or Deployment) (CI/CD) platforms, microservice architecture, and emerging automation toolkits.
• Adopt a multitude of CI/CD pipelines to build resilient, distinct, and standardized structures for source code with specific tools, workflows, scripts, environments, and a set of automated tasks to achieve CI and delivery of new applications.

Adopt standardized design patterns:

• Develop a consistent, fixed infrastructure by adopting automated and standardized design patterns using templating and IaC-type deployment.
• Build modular software components, loosely coupled, for enhanced agility and scalability.
• Leverage Application Programming Interface (API) for seamless integration and interoperability compliance.

Leverage Enterprise-approved Cloud Service Provider (CSP) programmable infrastructure:

• Explore and leverage the extensive resources of approved commercial CSPs to develop secure native cloud applications.
• Integrate Software as a Service (SaaS)-managed service capabilities with on-premises infrastructure deployment to build DevSecOps platforms, CI/CD pipelines, and automation toolchains at different information impact levels.

Enforce mandatory code signing and repository-privileged access control:

• Implement security policies throughout the software factory by enforcing secure code signing to protect the repository source code, data, and the infrastructure platform.
• Leverage Policy Enforcement Point (PEP) and Policy Decision Point (PDP) throughout all Phases of the SDLC to regulate and restrict resource access to only approved Users/PEs/Non-Person Entities (NPEs).

Maintain and keep CI/CD tools up to date:

• Avoid Poisoned Pipeline Execution (PPE) by implementing two (2)-person rules for all code and tool updates.
• Implement Least Privilege policies for CI/CD access by enabling CI/CD Pipeline-Based Access Controls.

Enforce Enterprise-approved cryptography:

• Leverage the industry standards and/or recommendations, such as Federal Information Processing Standards (FIPS) 140-3 approved cryptographic modules, to implement and configure a robust cryptographic algorithm to protect data, protect secret keys generated across the CI/CD pipelines, and secure the API ecosystem.
• Implement granular segmentation and traffic filtering.
• Implement workload-based management throughout the SDLC by leveraging micro-segmentation to achieve application-level segmentation that extends beyond the traditional Transport Layer Four and reaches to Application Layer Seven.
• Apply the ZT principle of “deny all by default” to reduce the attack surface further and restrict privilege escalation and lateral movement.

Adopt secure accounts, Least Privilege, and separation of duties:

• Automate security as code and configuration as code to enforce access control policies, version control, automated testing, and integrate User and Entity Behavior Analytics (UEBA).

Enforce whitelisting for libraries and CI/CD tools:

• Define the most comprehensive criteria for the whitelisting policy to continuously verify and validate the integrity of CI/CD tools and components by enforcing whitelisting for CI/CD libraries and tools. Consider key features such as:
  • Reputation
  • Licensing
  • Security bulletin
  • Accreditation
  • Latest Common Vulnerabilities and Exposures (CVEs)

Integrate Testing and Evaluation (T&E) goals at the program’s inception to influence requirements, Request for Proposals (RFPs), and acquisitions:

• Enable secure and rapid software deployment without compromising T&E processes by automating the capture and analysis of relevant metrics that best reflect functional and non-functional software requirements.
• Encourage continuous upskilling to maintain a broader competency pool of technical talent capable of successfully developing and testing software, DevSecOps platforms, and CI/CD pipelines.
• Integrate ZT principles throughout the SDLC to support Cyber Survivability Endorsement (CSE) for specific applications, data, and infrastructure.

Promote zero-day vulnerability programs:

• Promote a culture of transparency, where collaborative teams of researchers and partners can legally, ethically, and securely test and share findings of the latest potential exploits and vulnerabilities to help strengthen the security posture of developed software applications.

Implement continuous improvement:

• Monitor Key Performance Indicators (KPIs) and security metrics to track the latest vulnerability releases and emerging threats.
• Enable dashboard alerting to monitor vulnerability count, remediation time, and scan coverage.

Identify stakeholders that will be responsible for the governance of AppSec:

• Create and implement a governance structure that will identify and establish Component application security in accordance with Enterprise requirements.
• Consider existing governing bodies within the Component and determine if expanding their roles and responsibilities to cover application security or establishing a new body is optimal.

Obtain and implement a standardized AppSec approach:

• Implement a code remediation policy aligned with Enterprise requirements, best business practices, and industry standards that support the Component’s operational needs.
• Establish and implement a unified security posture to ensure a secure and consistent AppSec development lifecycle process.
• Integrate automated security tools to develop a pipeline for early detection and mitigation of vulnerabilities including:
  • Static Application Security Testing/Dynamic Application Security Testing (SAST/DAST)
  • Software Composition Analysis (SCA)
• Develop a formal code remediation policy requiring developers to promptly address identified security flaws and apply security patches in accordance with Enterprise compliance standards.
• Implement CI/CD practices integrated with security automation to streamline secure development and deployment processes.
• Implement real-time vulnerability remediation and Incident Response (IR) to enhance AppSec compliance maturity across the Enterprise.
• Implement policies to foster close collaboration among development, security, and operations teams, supported by ongoing education, training, and awareness initiatives to ensure adherence to Enterprise cybersecurity directives.
• Establish the time frame for periodic review/assessment of AppSec requirements.

Ensure adequate security for serverless functions in PaaS environments:

• Select and configure security solutions that monitor serverless workloads for vulnerabilities and compliance (e.g., event-driven security monitoring, anomaly detection based on behavioral analysis, serverless runtime protection, etc.).
• Enable structured logging and automated monitoring to detect, analyze, and respond to security events in real-time.
• Implement Least Privilege access controls (e.g., Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), etc.) to enforce security boundaries and prevent unapproved actions, such as:
  • Function-specific identity policies
  • Attribute-based approval
  • Just-in-Time (JIT) access
• Secure API interactions with proper authentication, encryption, and gateway protections (e.g., token-based authentication, request verification, validation, filtering, end-to-end Transport Layer Security (TLS) encryption, etc.).
• Deploy real-time security alerts with automated responses to mitigate risks quickly, including:
  • Automated rollback on detection of malicious activity
  • Dynamic threat scoring
  • Security event escalation workflows
• Integrate security monitoring into DevSecOps workflows to continuously assess and improve serverless security posture, including:
  • Automated security scanning in CI/CD pipelines
  • Infrastructure as Code (IaC) security checks
  • Real-time compliance verification and validation

Ensure API gateways serve as central points of control to manage and secure API traffic effectively:

• Implement API gateways with layered security measures, ensuring protection beyond the environment perimeter, such as:
  • Namespace isolation
  • Endpoint security
  • Proxy enforcement
• Manage API authentication, approval, and access controls to detect and prevent unapproved access (e.g., token-based authentication, Open Authorization (OAuth), rate limiting, etc.).
• Integrate WAF protections and continuous API testing within CI/CD pipelines to detect and mitigate threats.
• Apply continuous security testing for API vulnerabilities throughout the development lifecycle.
• Enforce distributed API security policies across cloud environments to ensure consistent protection.
• Enhance API security with automated threat detection and response mechanisms (e.g., Artificial Intelligence (AI)-driven anomaly detection, automated remediation workflows, cryptographic integrity checks, etc.).
• Secure application environments with isolation techniques to prevent unapproved code execution, for example:
  • Kernel integrity monitoring
  • Secure boot enforcement
  • Hypervisor registry protections
• Integrate automated security remediation into API workflows to address known vulnerabilities, including:
  • Automated Common Vulnerabilities and Exposures (CVE) patching
  • Runtime security monitoring
  • Integrity verification and validation

Standardize, protect, and integrate container and serverless security functions:

• Secure modern cloud-native applications by implementing protections for computing, storing, and managing containers and serverless functions. This includes digital security hash checksums or equivalent live challenges to detect container image vulnerabilities and serverless function misconfigurations.
• Integrate security into the CI/CD pipeline to automate and enforce security checks throughout the development lifecycle, for example:
  • Scanning container images for vulnerabilities.
  • Ensuring compliance with security policies.
  • Monitoring serverless functions for misconfigurations and runtime issues.
• Apply industry-standard kernel hardening practices, as a baseline, for evolving security functions within a DevSecOps approach. This ensures security is embedded in the code committed for deployment.
• Secure container orchestration platforms by customizing default configurations, adapting open-source security scripts, and enforcing access controls based on Least Privilege and Separation of Duties.
• Ensure seamless interaction between Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) systems while maintaining traceability for API Hypertext Transport Protocol (HTTP) client/server and web-tier operations, including:
  • Create, Read, Update, and Delete (CRUD) transaction tracking
  • Real-time security event correlation
  • Automated threat response workflows
• Protect compute, storage, and managed Hyperconverged Infrastructure (HCI) pod container buckets to secure resources during runtime activities, including but not limited to:
  • Identity and Access Management (IAM) for containerized workloads
  • Encryption of sensitive data at rest and in transit
  • Policy-driven resource allocation
• Define and enhance serverless architecture with real-time monitoring, Identity and Access Management (IAM), and event-driven security controls.
• Customize and re-standardize security configurations by integrating them into automated pipelines. This allows for early detection and remediation of security issues, reducing breach risks through an agile development process.
• Enforce authentication of User/Person Entity (PE)/Non-Person Entity (NPE) accounts to prevent file image breach techniques.

Integrate serverless security into DevSecOps and CI/CD Processes:

• Safeguard serverless applications by applying granular security measures across cloud-native and HCI environments, including protections for compute and storage resources.
• Implement Information Technology Operations Management (ITOM)-informed security controls to manage software binary configurations, script changes, patch management, and IR. For example:
  • Version-controlled Configuration Management (CM)
  • Automated integrity checks for software binaries
  • Centralized patch and change control
• Embed serverless security into DevSecOps and CI/CD pipelines to automate security checks throughout the AppSec development lifecycle.
• Automate runtime protection and event logging to capture AI/Machine Learning (ML)-driven threat indicators in the pipeline.
• Ensure API integrity in CI/CD workflows by verifying and validating request consistency through challenge-response mechanisms. This serves as an AI-driven early warning system for anomalous behavior.
• Apply automated testing at multiple levels to verify and validate serverless security across services and environments. Examples include:
  • Unit and integration tests for API endpoints
  • Security verification and validation for microservices interactions
  • Automated error recovery in containerized deployments
• Deploy dynamic CI/CD dashboards to provide real-time visualizations supporting security monitoring and decision-making.
• Integrate DevSecOps into CI/CD pipelines to enforce serverless security functions as a core automation step. This ensures effective governance for Information Assurance Vulnerability Management (IAVM), patch management, and IR, such as:
  • Dashboard-driven security control verification and validation
  • Managed security metrics to measure compliance
  • Secure configuration baselines for serverless workloads

Verify and validate code remediation:

• Periodically reassess code remediation actions to ensure they comply with Enterprise/Component AppSec requirements. Conduct assessments at the frequency determined by the Component AppSec governing body.

Verify and validate secure API gateways:

• Periodically reassess the efficacy of the secure API gateways to ensure they comply with Enterprise/Component AppSec requirements. Conduct assessments at the frequency determined by the Component AppSec governing body.

Verify and validate serverless assets:

• Periodically reassess serverless assets/resources to ensure they are being managed to align with Enterprise/Component AppSec requirements. Conduct assessments at the frequency determined by the Component AppSec governing body.

Develop Component-level, secure source code policy in accordance with Enterprise requirements:

• Identify and document all Enterprise software development infrastructure and processes security requirements. Update and maintain the requirements over time to ensure continuous compliance.
• Establish clear and comprehensive binary code security policies across all development teams, infrastructures, third-party software suppliers, and internal software factories.
• Implement environment security around the infrastructures, source code development, network access, Continuous Integration/Continuous Delivery (or Deployment) (CI/CD) pipelines, component dependencies, and third-party libraries.

Review industry-approved best practices:

• Adopt and mandate adherence to best secure coding practices and standards (e.g., Open Worldwide Application Security Project (OWASP), Computer Emergency Response Team (CERT), National Institute of Standards and Technology (NIST), etc.) to protect the integrity of approved binaries and source code.
• Mandate input verification and validation across the entire software development lifecycle. Adhere to the principle of Least Privilege throughout the integration of software components.
• Establish a component-wide versioned Development, Security, and Operations (DevSecOps) governance based on guiding principles evolving to the rigorous continuous validation process.

Establish a source code approval process:

• Establish acceptance criteria and requirements for approved binaries and source code. Define the characteristics that binaries and source code should meet to comply with the approval process.
• Implement source code versioning and the integrity check of different component dependencies to track and manage approved binaries and source codes.

Secure software code development:

• Ensure the development platform and CI/CD infrastructure are secure, restricted, and segmented with filtered access through Policy Enforcement Points (PEPs).
• Leverage the Software Bill of Materials (SBOM) as a critical security element to perform an in-depth analysis of all software components routinely and systematically. Check libraries and frameworks to include open source for known vulnerabilities.

Integrate Access Control policy and secure code signing:

• Enforce digital code signing and binary scanning to protect against tampering, malware intrusion, poisoned pipeline execution, and insecure first-party code.
• Adopt and leverage the Public Key Infrastructure (PKI) to implement trusted certificates, hash value verification for integrity checks, and enforce control policies to track changes to code and binaries.
• Select a repository platform (e.g., cloud-based, self-hosted, fully managed, etc.) that meets Component requirements, with solid security features, collaboration tools, built-in robust access controls, and seamless DevSecOps integration.

Implement strong encryption and version control:

• Enable version control to track changes made to code over time and maintain a complete history of all modifications.
• Leverage Multi-Factor Authentication (MFA), from Activity 1.3.1 (Phase One) – Organizational MultiFactor Authentication (MFA) and Identity Provider (IdP), to implement strong authentication and approval mechanisms.
• Implement secure Enterprise-approved cryptography and consider industry-best standards, such as NIST and Federal Information Processing Standards (FIPS), to secure sensitive source code, binaries, Application Programming Interface (API) keys, passwords, and encryption keys.

Leverage the supply chain vetting process:

• Keep third-party suppliers of binary code and different CI/CD pipelines separated from each other through isolation, segmentation, containerization, and API accesses.
• Develop AI modeling technology for risk-based secure code storage to include model weights, pipelines, reward models, and other AI model elements that protect the confidentiality, integrity, and availability of the binaries and source code.

Enforce continuous threat monitoring:

• Review and restrict third-party libraries upon license compliance checks, vulnerability scanning, and systematic code review. Enforce the adoption of Software Composition Analysis (SCA) solutions for indepth software analysis.

Review policies and standards:

• Collaborate with the Enterprise to obtain relevant directives and updated policies on vulnerability management.
• Ensure the Enterprise-provided policies include minimum requirements for tracking, assessing, reporting, and remediating vulnerabilities for applications and services within the Component environment.
• Document how Component-level practices will align with Enterprise vulnerability categorization and reporting thresholds.

Define scope and objectives:

• Clearly define vulnerability mission objectives aligned to broader directives and defense strategies, such as:
  • Reduce the attack surface.
  • Continuous compliance.
  • Leverage the threat intelligence and vulnerability sharing to build a robust and effective Incident Response (IR).
• Ensure that defined mission objectives integrate measurable outcomes for vulnerability response timelines, stakeholder collaboration, and remediation success.

Develop a vulnerability management strategy:

• Leverage Enterprise-defined requirements.
• Identify vulnerability intelligence sources (e.g., vendor bulletins, Common Vulnerabilities and Exposures (CVEs), etc.).
• Develop vulnerability remediation workflows, for example:
  • Document vulnerability and affected applications and services.
  • Identify corrective actions.
  • Develop implementation
  • Verify and validate correction/resolution.
• Identify Component Data, Applications, Assets, and Services (DAAS).
• Leverage the device Inventory, from Activity 2.1.1 (Discovery) – Device Health Tool Gap Analysis.
• Leverage the application/code inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification.
• Leverage the data inventory, from Activity 4.1.1 (Discovery) – Data Analysis.
• Integrate a centralized tracking system to record and update the lifecycle status of each vulnerability (e.g., open, in review, remediated, verified, etc.).

Build a comprehensive vulnerability management team and governance board:

• Establish policy, assign responsibilities, and provide guidelines for participation in the Component vulnerability management process, to include:
  • Cross-functional stakeholders
  • System owners
  • Application developers
  • Mission assurance
  • Compliance teams
• Ensure the governance board is responsible for oversight of response timelines, policy adherence, and coordination with Enterprise counterparts.

Vulnerability triage and reporting:

• Develop technical analysis and remediation capabilities to select and prioritize vulnerabilities based on severity, exploitability, exposure, and compliance requirements.
• Empower the vulnerability management team to:
  • Receive vulnerability reports from approved sources.
  • Coordinate and investigate to identify vulnerable systems.
  • Share findings report(s) with approved stakeholders for actions.
  • Disseminate advisories and security bulletins on found vulnerabilities to the broader community as appropriate.
• Define and document criteria for escalation, communication channels, and reporting cadence to Enterprise-level vulnerability management stakeholders.
• Establish periodic reviews to assess performance metrics, identify outstanding critical vulnerabilities, and ensure alignment with Enterprise Service Level Agreements (SLAs).

Review Enterprise policies and standards:

• Collaborate with the Enterprise and other Components to obtain relevant directives and updated policy guidance on vulnerability management.
• Adopt and participate in the VDP to discover and disseminate the most relevant and updated security bulletins on Indicators of Compromise (IoC) and potential threats.

Perform a VMP gap analysis:

• Identify areas within the Component VMP, from Activity 3.3.2 (Phase One) – Vulnerability Management Program Part 1, that should change to align with the Enterprise VMP.
• Establish clear objectives for expanding and implementing Enterprise-directed changes.
• Clearly define the scope of the program expansion.
  • Include and highlight the specific repositories to be integrated.
  • Include the types of vulnerabilities to be managed.

Update the Component VMP to align with the Enterprise VMP:

• Leverage the vulnerability management team, from Activity 3.3.2 (Phase One) – Vulnerability Management Program Part 1, to incorporate these changes into the existing vulnerability management solution(s).

Define objectives and scope:

• Establish clear objectives within the VMP for automated threat sharing.
  • Include improving threat detection.
• Enhance vulnerability management.
• Support proactive defense.
  • Identify, mitigate, and monitor emerging threats.
• Define the scope of the threat-sharing process.
  • Include specific sources of threat intel.
  • Include types of threats to be shared.
  • Include components of the VMP to be integrated.

Identify controlled threat intelligence sources:

• Identify controlled sources of threat intel.
  • Include Information Sharing and Analysis Centers (ISAC).
  • Include approved agencies.
  • Include commercial threat intel. providers.
• Determine types of threat intelligence data to be integrated.
  • Include IoC.
  • Include threat actor profiles.
  • Include Tactics, Techniques, and Procedures (TTP).
  • Include vulnerability information.

Select threat-sharing and integration solutions:

• Select solutions for aggregating and sharing threat intelligence.
• Utilize solutions to track and manage vulnerabilities throughout their lifecycles.
• Utilize solutions to integrate threat intelligence data into the VMP.
• Integrate granular access controls and threat protections to enhance situational awareness and mitigate application-specific threats.

Develop integration workflows:

• Design detailed workflows for integrating threat intelligence data into the VMP.
  • Include steps for data collection.
  • Include steps for normalization.
  • Include steps for ingestion.
  • Include steps for correlation.
• Identify and categorize applications needed for critical workflows.
• Define roles and responsibilities for each step in the integration workflow.
• Leverage a high-level federal vulnerability disclosure framework and information flow to ensure clear accountability and coordination.

Implement continuous monitoring and reporting:

• Configure continuous monitoring to track threat intelligence data and its integration into the VMP in real-time.
• Implement an automated continuous monitoring solution with integrated threat intelligence and testing to isolate and mitigate any software identified as having a supply chain compromise.
• Implement reporting mechanisms to provide real-time visibility into threat intelligence data and its integration into the vulnerability management program.

Adopt and align policies to manage the disclosure of vulnerabilities:

• Review and leverage Enterprise-level policies designed to streamline processes that manage the disclosure of vulnerabilities in public and private-maintained/operated services.
• Ensure senior leadership verifies and validates that the VMP’s objectives are compatible with the Component’s strategic direction and are seamlessly transitioned into the existing processes.
• Emphasize leadership support for continuous improvement and include a monitoring and auditing mechanism to report progress to upper management.
• Ensure the VDP publishes system-level advisories.
• Exploit available vulnerability reports and approved partner’s security bulletins to tailor and develop a robust mitigation strategy specific to the Enterprise mission.
• Leverage and participate in open channels and legal safe harbors for discovering vulnerabilities to report to appropriate stakeholders.

Review and align to Enterprise best practices:

• Review Enterprise DevSecOps requirements.
• Leverage the Component DevSecOps Policy, from Activity 3.2.1 (Phase One) – Build Development, Security, and Operations (DevSecOps) Software Factory Part 1.

Review objectives and scope:

• Leverage existing Enterprise/Component policies and procedures to establish clear objectives for continuous verification and validation within the Continuous Integration/Continuous Delivery (or Deployment) (CI/CD) pipeline.
• Verify and validate that the scope spans the entire lifecycle, including the design, development, distribution, deployment, acquisition, maintenance, and destruction of the system.
• Define the scope of the verification and validation processes, including the types of verification and validation to be performed.
• Extend the existing Component DevSecOps policy to include the new continuous verification and validation requirements.

Leverage existing Component VMP, from Activity 3.3.2 (Phase One) – Vulnerability Management Program Part 1 and Activity 3.3.3 (Phase Two) – Vulnerability Management Program Part 2:

• Identify the environments/systems that are the most vulnerable and will cause the most significant environmental impact if compromised.
• Leverage industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Supply Chain Risk Management (C-SCRM) publication, to guide the Component on how to identify, assess, select, and implement risk management processes and mitigating controls.

Deploy and enforce security requirements into the CI/CD pipeline:

• Leverage automation processes, from Activity 3.2.1 (Phase One) – Build Development, Security, and Operations (DevSecOps) Software Factory Part 1 and Activity 3.2.2 (Phase One) – Build Development, Security, and Operations (DevSecOps) Software Factory Part 2, to enforce security verification and validation throughout the various Phases of the CI/CD pipeline.
  • Include code commit.
  • Include build.
  • Include testing.
  • Include staging.
  • Include deployment.

Integrate the planning phase:

• Conduct threat modeling to identify potential security threats and vulnerabilities.
• Establish security policies and guidelines that should be considered throughout the development cycle.

Integrate coding phase:

• Use static code analysis solutions to identify security vulnerabilities and code quality issues early in the development process.
• Conduct regular code reviews with a focus on security by vetting developed source code and common libraries through DevSecOps development practices.
• Use peer reviews and automated solutions to ensure that security best practices are followed.

Integrate the build phase:

• Use dependency management solutions to identify and address vulnerabilities in third-party libraries and dependencies.
• Automate the build process to ensure consistency and repeatability.
• Integrate security testing into the build process.

Integrate the testing phase:

• Implement automated testing for security, functionality, and performance.
• Perform regular vulnerability scans to identify security weaknesses.
• Conduct penetration testing to identify, exploit, and remediate vulnerabilities and weaknesses proactively.

Integrate the deployment phase:

• Use Infrastructure as Code (IaC) solutions to automate the provisioning and configuration of the infrastructure.
• Implement Configuration Management (CM) to ensure that systems are securely configured.
• Configure security monitoring to detect and respond to security incidents.

Review existing vulnerability management programs:

• Leverage technical capabilities, from Activity 3.3.2 (Phase One) – Vulnerability Management Program Part 1 and Activity 3.3.3 (Phase Two) – Vulnerability Management Program Part 2, to maintain software Supply Chain Risk Management (SCRM) compliance with existing VMPs.
• Augment software for C-SCRM solutions with threat intelligence to flag any software identified as having a supply chain compromise or an increased risk profile, facilitating additional testing, verification, and validation.
• Monitor for the most common risks identified through best practices.
  • Include insertion of counterfeits.
  • Include unapproved production.
  • Include tampering and theft.
  • Include insertion of malicious software and hardware.
• Monitor factors from outside vendors that allow for low-cost, interoperability, rapid innovation, and multiple product features, among others, which increase the risk of a supply chain compromise, leading to risks to the User/Person Entity (PE).

Review the existing acquisition and supply chain risk assessment lifecycle:

• Ensure effective C-SCRM procedures are implemented, enforced, and routinely audited Enterprise-wide to evaluate third-parties’ software vulnerabilities, risk exposure, and involve each tier.
  • Include Component.
  • Include mission/business processes.
  • Include information systems.
• Manage cybersecurity risks in the supply chain by ensuring the integrity, security, quality/resilience of the supply chain.

Manage exceptions:

• Applications/services that do not support CI/CD continuous verification and validation:
  • Identified
  • Documented
  • Approved/Rejected
• The Enterprise and/or Component determines risks.
  • Consider how risks can be mitigated, such as through upgrades, replacements, or decommissioning of applications/services that cannot be migrated.
• Approval is granted when justification for the exception outweighs the risks to the Enterprise/Component.
• Approval is periodically reassessed.

Enforce verification and validation reviews:

• Develop and mandate an application security checklist as part of the broader code review process.
• Develop and implement an IR plan to quickly address security incidents.
• Leverage application feedback loops to feed and automate security testing and vulnerability patching.

Implement continuous monitoring and reporting:

• Implement reporting mechanisms to provide visibility into verification, validation results, and compliance status.
• Leverage both manual code reviews and automated static analysis to create opportunities for continuous review of application security vulnerabilities.

Monitor and audit:

• Leverage existing CTI feeds, Common Vulnerability Exposures (CVE), and other Indicators of Compromise (IoC) to monitor the threat landscape and update the vulnerability management processes to effectively account for emerging threats and unknown vulnerabilities.
• Perform regular security audits to ensure compliance with security policies and regulatory requirements.

Test, verify, and validate:

• Conduct functional testing to ensure that the verification and validation workflows work as expected and effectively identify issues.
• Perform security testing to identify and mitigate any vulnerabilities in the verification and validation workflows.
• Monitor the verification and validation workflows to ensure their effectiveness and performance.
• Verify and validate that activity/events are ingested and actioned by Component Visibility and Analytics and/or Automation and Orchestration solutions.

Review and apply the following Enterprise policies and standards, as applicable:

• Collaborate with the Enterprise to align Component-level policy enforcement with established Enterprise standards. This collaboration should ensure consistency, interoperability, and compliance across environments.
• Understand Enterprise standards, such as:
  • Interoperability requirements
  • Development, Security, and Operations (DevSecOps)
  • Information Technology Operations Management (ITOM)
  • Applicable regulations, policies, and governance requirements

Deploy and enable selected gateways in accordance with Enterprise security and configuration standards:

• Integrate deployed gateways with Identity and Access Management (IAM) solutions to enforce authentication and access policies.
• Enforce and track access control decisions across integrated systems.
• Conduct continuous monitoring, data collection, parsing, analysis, and prioritized reporting of gateway and application activity.

Resource authorization gateways:

• Define the gateway authorization requirements.
• Identify external-facing web applications and services.
• Choose resource gateways for the Component.
• Integrate gateways with Identity and Access Management (IAM).
• Enforce and track Access Control.
• Continuous monitoring, keen collection, parsing, analysis, and priority reporting of applications and services.

Application migration planning:

• Leverage the Application/Code inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification, to identify applications and services that are compatible with the authorization gateways.
  • Determine if applications and services are capable of migration.
  • Identify/document systems for migrations and exceptions, as necessary.
• Verify and validate application/service compatibility with the authorization gateways.
• Develop application/service migration roadmap/implementation plans.

Manage exceptions:

• Applications/services that cannot be migrated are:
  • Identified
  • Documented
  • Approved/ or Rejected
• Approval is granted where the justification for the exception outweighs the risks to the Enterprise/Component.
• Risks are determined by the Enterprise and/or Component.
• Consider how risks can be mitigated, such as upgrades, replacement, or decommissioning of applications/services that cannot be migrated.
• Approval is periodically reassessed.

Implementation:

• Migrate applications/services behind the authorization gateways.
  • Consider prioritizing applications/services that present the most risk to the Component/Enterprise.

Verify and validate migrated applications/services:

• Ensure applications/services continue to function as expected/required.
• Ensure that applications/services cannot be accessed through methods that do not leverage the authorization gateways.

Verify and validate authorization gateways:

• Ensure authorization gateways are configured in accordance with the Enterprise requirements.
• Ensure authorization gateways are configured to provide the necessary functionality to support the Component’s operational requirements.

Periodically verify and validate:

• Periodically verify and validate the applications/services and authorization gateways to ensure they meet Enterprise/Component requirements.

Implement authorization gateways on all applications and services:

• Leverage the application/service migration roadmap/implementation plans, from Activity 3.4.1 (Phase One) – Resource Authorization Part 1.
• Adopt, adapt, test, and integrate:
  • Conduct testing, verification, and validation of proposed changes in the Development, Security, and Operations (DevSecOps) virtualized landscape environment, focusing on applicable areas.
  • Continuously refine proposed changes based on Continuous Integration/Continuous Delivery (or Deployment) (CI/CD) testing results to ensure they meet performance, security, and functional requirements.
• Migrate all applications and services:
  • Following Component stakeholder approval, deploy applications and services with approved resources (e.g., disk, memory, Central Processing Unit (CPU), Graphics Processing Unit (GPU) generic , Tensor Processing Unit (TPU), media, bandwidth, ports, protocols, Process Identifiers (PIDs), etc.) that have successfully passed testing to the appropriate CI/CD environment (e.g., prototype, live, or production).

Manage exceptions:

• Applications/services that cannot be migrated are:
  • Identified
  • Documented
  • Approved/Rejected
• The Enterprise and/or Component determines risks.
  • Consider how risks can be mitigated, such as upgrades, replacements, or decommissioning applications/services that cannot be migrated.
• Approval is granted where the justification for the exception outweighs the risks to the Enterprise/Component.
• Approval is periodically reassessed.
• Applications that cannot be migrated or mitigated to a level acceptable by the Enterprise/Component should be decommissioned.

Verify and validate migrated applications/services:

• Ensure applications/services continue to function as expected/required.
• Ensure that applications/services cannot be accessed through methods not leveraging authorization gateways.

Verify and validate authorization gateways:

• Ensure authorization gateways are configured in accordance with the Enterprise requirements.
• Ensure configured authorization gateways provide the necessary functionality to support the Component’s operational requirements.

• Periodically verify and validate the applications/services and authorization gateways to ensure they meet Enterprise/Component requirements.

Leverage Enterprise SDC standards:

• Establish SDC standards based on understanding of Enterprise standards, to include:
  • Interoperability requirements
  • Development, Security, and Operations (DevSecOps)
  • Regulations, policies, best business practices, etc.
• Collaborate with stakeholders.
• Align Component governance and compliance policies with Enterprise requirements.
• Conduct a periodic review of policies on a defined schedule.

Document and sustain SDC-tracked changes:

• Document all changes, build release versions, and new features for project, program, or software builds and baselines.
• If completed, consider patch management and Incident Response (IR) processes within a tracking system solution, established in Activity 3.3.2 (Phase One) – Vulnerability Management Program Part 1, to effectively track changes, update build release baselines, and apply patches using the Component Vulnerability Management processes.

Identify, plan, and establish a distinct elements strategy for managing build, release, and version-controlled SDC activities:

• Apply an agile risk management plan, mutually agreed upon by Component stakeholders, to categorize and define a baseline approach within the configuration management review process.
  • Ensure the plan addresses both supported and non-supported assets as elements, including their interfaces and workload processes across Hyperconverged Infrastructure (HCI) or native cloud landscapes.
• Plan and ensure the establishment of real-time risk management and control by functional categories, criteria, or elements. Implement this as a routine and non-routine systemic process using dashboards or messaging techniques.
• Plan and ensure the quantification of supported binaries, build releases, and related script activities through a gap analysis systemic approach. Define “normal” SDC API routine scriptable runtime signatures and identify “anomalous” non-routine, non-signature SDC API activities to be determined or resolved.

Application migration planning:

• Leverage the Application and Code inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification, to identify applications and services compatible with the SDC.
  • Determine if applications and services are capable of migration.
  • Identify/document systems for migrations and exceptions, as necessary.
• Verify and validate application/service compatibility with the authorization gateways.
• Assess the feasibility of this transition across different Phases and timelines with defined milestone deliverables.
  • Consider factors such as the current and target future states of manual processes, binaries, API script calls, Continuous Integration and Continuous Delivery (or Deployment) (CI/CD) pipelines, micro-segmentation, available resources, and organizational priorities.

Manage exceptions:

• Identify and document applications/services that cannot support SDC, along with their technical limitations or operational dependencies.
• Document the business or mission justification for each exception.
• Evaluate each exception request against Enterprise SDC standards and Component risk tolerance:
  • Consider how risks can be mitigated, such as upgrades, replacements, or decommissioning of applications/services that cannot be migrated.
• Consider mitigation strategies for non-compliant applications/services, including:
  • Targeted upgrades or refactoring
  • Replacement with supported alternatives
  • Segmentation or isolation
  • Eventual decommissioning, where possible
• Periodically reassess all exceptions in coordination with evolving Enterprise and Component guidance and threat intelligence to ensure continued validity.

Reassess SDC policy/procedures:

• Periodically reassess Component SDC policy/procedures to ensure they align with Enterprise requirements.
• Validate ongoing alignment with updated Enterprise guidance, best practices, and threat-informed risk postures.
• Review the list of applications/services identified for SDC transition and update status (e.g., migrated, in-progress, exception, etc.).
• Analyze the effectiveness of SDC implementation using measurable indicators such as:
  • Number of compliant applications/services
  • Reduction in configuration drift
  • Timeliness of patching and release cycles

Develop SBOM:

• Extend the Component Master Application Inventory, from Activity 3.1.1 (Discovery) – Application and Code Identification, to include at least the following data points in accordance with SBOM documentation:
  • Name
  • Version
  • Supplier/Vendor
  • Type (e.g., open-source, third-party, proprietary, etc.)
  • Unique Identifiers/Hash

Test migration:

• Leverage the list of compatible software, from Activity 3.4.3 (Phase One) – Software-Defined Compute (SDC) Resource Authorization Part 1.
• Migrate compatible software within a controlled/test environment.
• Verify and validate post-migration application functionality.

Application migration:

• Enable SDC on SDC-supported platforms.
• Transition application functionality to applications that support SDC

Manage exceptions:

• Applications/services that cannot be migrated are:
  • Identified
  • Documented
  • Approved/Rejected
• Risks are determined by the Enterprise and/or Component.
  • Consider how risks can be mitigated, such as upgrades, replacements, or decommissioning of applications/services that cannot be migrated.
• Approval is granted when justification for the exception outweighs the risks to the Enterprise/Component.
• Approval is periodically reassessed

• Periodically reassess Component SDC policy/procedures to ensure they align with Enterprise requirements.