The Air Force wants to open its Platform One services to private sector partnerships with the hope of tapping into a consortium of academic and industry organizations to enhance its coding environment.
Platform One is an environment provisioned by the US Air Force to advance the cultural transformation to DevSecOps. Platform One uses containerization and the associated Kubernetes technology to automate secure code development and deployment. The goal of Platform One is to make the process and tools used in software development so secure the products themselves can be trusted. Platform One has several enterprise service offerings providing choices of multi-tenant, dedicated, or custom resources and is considered revolutionary for a public sector agency.
In fact, Platform One developed and continues to improve container hardening processes so that software passing these rigorous assessments and security criteria, could be made available to other agencies producing their own software factories thus reducing costs to the taxpayer. Providers of Platform One technology benefit as they also gain access to Platform One’s continuous Authority To Operate (c-ATO), meaning new code written on the platform would be approved for use on other military networks with the same security requirements. That is the essence of DevSecOps, where software is built with security baked-in continuously from the start.
In an effort to continue pushing innovative ideas, The Air Force’s AFWERX office pitched creating a software development Cooperative Research and Development Agreement (CRADA) — a research partnership between the government and non-government entities that allows for the private sector to commercialize government-created technology — to bolster the Department of Defense’s DevSecOps work. CRADAs provide for the transfer of technology breakthroughs from the government to private sector use.
“DEVSECOPS TEAMS OFTEN NEED SPECIFIC TOOLS, THEY NEED ACCESS TO A CLASSIFIED CLOUD ENVIRONMENT, SO PLATFORM ONE CAN INSTANTIATE A DEVSECOPS ENVIRONMENT ON DEMAND AND CUSTOMIZE IT TO THEIR NEEDS, GET THE LICENSES THEY NEED, GET THE TALENT SUPPORT THEY NEED.”
-Nicolas Chaillan, Air Force Chief Software Officer
With the combination of Platform and the CRADA initiative, both public and private sectors benefit from the resources immediately available to the private sector DevSecOps teams and the applications produced but the public sector benefits from input from private sector engineers improving pipeline automation, security, and quality based scanning, runtime, storage, and networking capabilities used for modern software development and deployment processes. Non-Government resources would get direct access to Air Force subject matter experts, provide valuable feedback on Platform One products, and an influence on the future of the platform.
As with the Providers of tools for Platform One, non-government participants can also develop applications that would then be used throughout the public sector – having gone through the rigorous c-ATO process accepted by public sector governance and compliance requirements.
Platform One’s visionary is Air Force Chief Software Officer (CSO), Nicolas Chaillan. Chaillan works with the Program Executive Officers (PEOs) and is responsible for analyzing current software and cloud migration plans to avoid vendor lock-ins while allowing for rapid prototyping and a streamlined process for deployment. “DevSecOps teams often need specific tools, they need access to a classified cloud environment, so Platform One can instantiate a DevSecOps environment on demand and customize it to their needs, get the licenses they need, get the talent support they need,” Chaillan said.
Non-government resources can securely gain access to Platform One via a recently implemented Cloud Native Access Point (CNAP). The CNAP is available on Cloud One to provide access to Platform One DevSecOps environments (Development, Testing, and Production) at IL-2, IL-4, and IL-5 using an internet-facing Cloud-native Zero trust environment. A Zero Trust posture is critical to protecting government assets with isolation policies, Role Based Access Control, and auditing while fostering innovation by experimentation.
According to Chaillan, “We’ve managed to provision a zero trust stack which enforces device state security posture with MFA multi-factor authentication, using RBAC and ABC, creating Software Defined Perimeter, and I’ve been involved in Zero Trust for over five years on the commercial side and at DHS. The entire vision there is to be able to enforce the device state, tying that back to the user identity. We whitelist access resources to protect assets.”
By opening up Platform One to non-government entities, the USAF is leading the way to public/private cooperation and collaboration to produce high quality, secure, and performant software and sharing the processes, automation, frameworks, etc. across all public sector to advance the digital transformation of our traditionally risk-averse organizations in order to produce services quickly, securely and cost-effective for US taxpayers and citizenry.