Implementing secure and compliant software solutions within the Department of Defense's (DoD) software factory framework is no small feat.
For Black Pearl, the premier DevSecOps platform for the U.S. Navy, and Sigma Defense, a leading DoD technology contractor, the challenge was not just about meeting stringent security requirements but about empowering the warfighter.
We'll cover how they streamlined compliance, managed open source software (OSS) risk, and reduced vulnerability overload—all while accelerating their Authority to Operate (ATO) process.
Challenge: Navigating Complex Security and Compliance Requirements
Black Pearl and Sigma Defense faced several critical hurdles in meeting the stringent security and compliance standards of the DoD Enterprise DevSecOps Reference Design:
- Achieving RMF Security and Compliance: Black Pearl needed to secure its own platform and help its customers achieve ATO under the Risk Management Framework (RMF). This involved meeting stringent security controls like RA-5 (Vulnerability Management), SI-3 (Malware Protection), and IA-5 (Credential Management) for both the platform and the applications built on it.
- Maintaining Continuous Compliance: With the RAISE 2.0 memo emphasizing continuous ATO compliance, manual processes were no longer sufficient. The teams needed to automate compliance tasks to avoid the time-consuming procedures traditionally associated with maintaining ATO status.
- Managing Open-Source Software (OSS) Risks: Open-source components are integral to modern software development but come with inherent risks. Black Pearl had to manage OSS risks for both its platform and its customers' applications, ensuring vulnerabilities didn't compromise security or compliance.
- Vulnerability Overload for Developers: Developers often face an overwhelming number of vulnerabilities, many of which may not pose significant risks. Prioritizing actionable items without draining resources or slowing down development was a significant challenge.
"By using Anchore and the Black Pearl platform, applications inherit 80% of the RMF's security controls. You can avoid all of the boring stuff and just get down to what everyone does well, which is write code."
— Christopher Rennie, Product Lead/Solutions Architect
Solution: Automating Compliance and Security with Anchore
To address these challenges, Black Pearl and Sigma Defense implemented Anchore, which provided:
- Policy Packs to Meet RMF Security Controls: Black Pearl used Anchore Enterprise's DoD policy pack to identify, evaluate, prioritize, enforce, and report on security controls necessary for RMF compliance. This ensured that both the platform and customer applications met all required standards.
- Automated and Continuous ATO Compliance: Anchore's automation capabilities managed security findings and tracked Plan of Action and Milestones (POA&Ms), reducing manual intervention and ensuring continuous compliance without the usual resource drain.
"Working alongside Anchore, we have customized the compliance artifacts that come from the Anchore API to look exactly how the AOs are expecting them to. This has created a good foundation for us to start building the POA&Ms that they're expecting."
— Josiah Ritchie, DevSecOps Staff Engineer
- Managing OSS Risks with Continuous Monitoring: Anchore's integrated vulnerability scanner, policy enforcer, and reporting system provided continuous monitoring of open-source software components. This proactive approach ensured vulnerabilities were detected and addressed promptly, effectively mitigating security risks.
- Automated Prioritization of Vulnerabilities: By integrating the Anchore Developer Bundle, Black Pearl enabled automatic prioritization of actionable vulnerabilities. Developers received immediate alerts on critical issues, reducing noise and allowing them to focus on what truly matters.
Results: Accelerated ATO and Enhanced Security
The implementation of Anchore transformed Black Pearl's compliance process and security posture:
- Platform ATO in 3-5 days: With Anchore's integration, Black Pearl users accessed a fully operational DevSecOps platform within days, a significant reduction from the typical six months for DIY builds.
"The DoD has four different layers of authorizing officials in order to achieve ATO. You have to figure out how to make all of them happy. We want to innovate by automating the compliance process. Anchore helps us achieve this, so that we can build a full ATO package in an afternoon rather than taking a month or more."
— Josiah Ritchie, DevSecOps Staff Engineer
- Significantly reduced time spent on compliance reporting: Anchore automated compliance checks and artifact generation, cutting down hours spent on manual reviews and ensuring consistency in reports submitted to authorizing officials.
- Proactive OSS risk management: By shifting security and compliance to the left, developers identified and remediated open-source vulnerabilities early in the development lifecycle, mitigating risks and streamlining the compliance process.
- Reduced vulnerability overload with prioritized vulnerability reporting: Anchore's prioritization of vulnerabilities prevented developer overwhelm, allowing teams to focus on critical issues without hindering development speed.
Conclusion: Empowering the Warfighter Through Efficient Compliance and Security
Black Pearl and Sigma Defense's partnership with Anchore demonstrates how automating security and compliance processes leads to significant efficiencies. This empowers Navy divisions to focus on developing software that supports the warfighter.
Achieving ATO in days rather than months is a game-changer in an environment where every second counts, setting a new standard for efficiency through the combination of Black Pearl's robust DevSecOps platform and Anchore's comprehensive security solutions.
If you're facing similar challenges in securing your software supply chain and accelerating compliance, it's time to explore how Anchore can help your organization achieve its mission-critical objectives.