Air Force’s Software Factory is Moving Iron Bank to Classified Levels

Platform One, the Air Force’s DevSecOps software delivery platform, is expanding its Iron Bank container repository to the secret level in the next two months and plans to bring it to the top secret level by the end of next fiscal year.

Iron Bank is a repository that stores open-source code in containers and allows the software factory to expeditiously deliver the most up-to-date version of software for military applications securely.

There is still no way for intelligence community partners such as the NSA or the Air Force Office of Special Investigations (OSI) that produce a vast volume of intelligence to deliver collected intelligence to the rest of the DOD community automatically. Platform One is partnering with those agencies to introduce automation in that manual process across its Iron Bank’s 1,300 containers.

“The technology as far as standing it up at these classification levels is something we’ve, for the most part, cracked the nut on. The challenge is taking that intel … and automating it,” Lt. Col. Brian Viola, Platform One’s materiel leader, told GovCIO Media & Research. “Another one that we are working through is … cross-domain solutions.”

Moving the repository from unclassified to classified levels is simple for files that follow a well-defined structure. The process becomes more challenging with unstructured code, or binary code, and requires cross-domain solutions to do it securely.

“That [unstructured code] could come in many different forms,” Viola said. “Any software program would be considered unstructured code. While we’re trying to push safe files up, the goal or … the job of a cross-domain solution would be to make sure that you’re not pushing any unsafe files up. To do that, in an automated way, is a very complex challenge.”

“Anything that you consume out of Iron Bank never comes with zero risk, just like not all cybersecurity vulnerabilities are created equal. We try to put a nutrition label with every container that then the consumer of that container can look at and go, ‘Okay, I understand the vulnerabilities but my environment mitigates those risks,'” Viola added.

The software factory is also partnering with the Air Force CIO and the DOD CIO to accelerate the capability delivery process, particularly expanding a continuous authority to operate, or cATO, and the certificate to field.

Traditionally, authorizing an information system to operate and ensuring that the risk of deploying those systems is acceptable takes anywhere from 18 months to three years. In many instances, it is too late or out of date by when the authority to operate is issued.

Last year, the Defense Department released a memo outlining the benefits of continuous authorization stating that “cATO represents a challenging but necessary enhancement of our cyber risk approach in order to accelerate innovation while outpacing expanding cybersecurity threats.”

“You can imagine that if you’re trying to push things out into the field every week or every two weeks, those two things don’t necessarily …support each other. I need the warfighter to use something every week or two weeks to enhance capability, but yet, every year or two, you’re going to give me authority to operate for new capabilities,” Viola said.

“And what that will allow from a security standpoint, if you think about all the patches that come down with all these products, whether it’s open source or commercial products, you need to take those patches and push those out as fast as you can so you can stay ahead of your adversary. If it takes you 18 months to do that, you’re vulnerable for 18 months. If you can patch your system in a matter of minutes, it’s a lot harder for them to exploit that capability,” he added.

In addition, Platform One offers Party Bus, a platform-as-a-service that the factory sells at cost to the greater DOD, and it is looking to make “containers cattle.” The cattle versus pets analogy describes an environment where some containers that are cared for and treated with a lot more care are “pets,” and containers that are not given as much attention are “cattle.”

“Your containers — you don’t want to treat them as pets. You don’t want to love them. You don’t really want to take care of them, right? But the idea is … you should just get rid of your container very frequently. You should just get rid of it, rebuild it, automate that process.” Viola said. “Today, we’ve made a lot of progress in automating that. We’re able to spin up environments in a matter of hours, but I want to be able to get it down to the matter of minutes.”

Platform One has been around for only four years, and it is the first year the organization is fully funded and has the budget to be able to plan for the coming year. The team is preparing for how they will distribute its resources next year.

“I really just try to look at the next three to six months. The technology moves so fast, we’re trying to keep up with it. And to do that, I don’t think you can put a plan out there for the next five years, and then just go execute it. I think you have to constantly be aware what our adversaries are doing, what technology is doing and what we need to do to be able to operate in that environment,” Viola said.