New version of CloudBees CI solution meets stringent US DoD standards
CloudBees, the enterprise software delivery company, unveiled a hardened version of CloudBees CI, the industry-leading continuous integration (CI) solution.
The new version meets the United States Department of Defense (DoD) specifications for security, one of the most demanding security certifications in the world.
The new release of CloudBees CI (formerly known as CloudBees Core) is available immediately and enables DoD and civilian agencies of the U.S. federal government, as well as enterprises in private industry, to drive more value through their software delivery pipelines while lowering security risk.
Federal government agencies facing time-to-mission pressures are trying to automate pipelines to accelerate the building of new applications and add urgently needed functionality to existing applications. But they’re constrained by Information Assurance guidelines requiring CI tools to pass advanced security certifications.
The hardened version of CloudBees CI provides a container that has achieved a Certificate to Field (CtF) from the U.S. Air Force Platform One team. Platform One is the official DevSecOps Enterprise Services team for the DoD.
A CtF is a formal certification given by the U.S. Air Force Platform One team. Software containers that receive a CtF can be used to deploy a platform within a specific environment that has received an Authority to Operate (ATO).
An ATO certification means that a platform meets security standards as set forth by DISA STIG and NIST RMF guidelines. Platform One provides platforms that are already accredited and can only use containerized software with an approved CtF.
“With the CtF, CloudBees CI can be readily used by DoD agencies, as well as civilian agencies and federal system integrators (FSIs),” said Michael Wright, director, federal sector, at CloudBees. “It provides all the benefits of CI in a Jenkins environment, and it meets rigorous government standards for security and compliance.”
CloudBees CI is built on Jenkins, the most widely used automation server in the world. CloudBees CI provides flexible, governed CI and can be hosted on-premises, in the public cloud or in a hybrid environment. It enables teams to centrally manage software development tools, optimize software delivery velocity, maximize developer team efficiency and enforce global compliance policies.
“The Department of Defense has made software delivery a top priority. DevSecOps vendors, such as CloudBees, getting authorized to DoD standards supports the mission of the Department of Defense enterprise DevSecOps initiative,” said Nicolas Chaillan, Air Force chief software officer and co-lead for the DoD Enterprise DevSecOps Initiative.
“The goal of this initiative is to enable DoD programs in their transition to agile and DevSecOps. We want to establish force-wide DevSecOps capabilities and best practices, as well as foster continuous ATO processes and faster, more streamlined technology adoption.”
CloudBees CI provides a hardened Docker container image which is placed in the Department of Defense Centralized Artifact Repository (DCAR), the storage repository maintained by the DoD. Teams from any DoD or civilian agency can access and simply pull the hardened Docker container image out of DCAR.
The solution has been engineered to minimize the use of any libraries or components that have known security vulnerabilities. For example, if a team uses a library to execute HTTP communication between a CloudBees CI master and agent, the functionality within CloudBees CI ensures secure ports and protocols are used at both ends.
The new hardened version of CloudBees CI can help not only agencies transform to secure DevSecOps processes, but also enterprises operating in highly regulated industries or those simply wanting heightened security capabilities.