https://armypubs.army.mil/epubs/DR_pubs/DR_a/ARN42688-PPM_CIO-050-000-WEB-1.pdf
DEPARTMENT OF THE ARMY
CHIEF INFORMATION OFFICER
107 ARMY PENTAGON
WASHINGTON DC 20310-0107
CS-SEC-DV-050
SAIS-CS (25-1rrrr) 12 December 2024
MEMORANDUM FOR SEE DISTRIBUTION
SUBJECT: Army Development, Security, and Operations Pipeline Certification
1. References.
a. Army Chief Information Officer (CIO) Memorandum (Software Modernization
Directive Initiative 8 Implementation Plan).
b. Army Chief Information Officer (CIO) Memorandum (Army Development,
Security, and Operations Configuration Management Framework).
2. Purpose. Establish criteria for evaluating and a process for certifying development,
security, and operations (DevSecOps) pipelines.
3. Background. As the Army Software Modernization Directive Initiative 8
Implementation Plan details, all Army software development supporting capabilities that
require an authority to operate (ATO) will transition to certified DevSecOps platforms
(DSOPs). Software development that uses CI/CD will transition to certified DevSecOps
pipelines, as appropriate.
a. A DSOP is a set of tools and automation that enables software development. It
includes the ability to create DevSecOps pipelines.
b. A DevSecOps pipeline is a collection of DevSecOps tools that implements
control gates, enforces thresholds, and is automated to the greatest extent possible.
c. A deployment platform is where the software executes. Deployment platforms range
from hyperscale cloud to traditional on-premises to embedded at the tactical edge.
4. Policy. For a DevSecOps pipeline to receive a certification, the owner must request
an evaluation, and the DevSecOps review board, as established in Army Software
Modernization Directive Initiative 8 Implementation Plan, must certify the pipeline.
The certification ensures the pipeline adheres to the following:
a. General requirements:
(1) Must reside on a certified DSOP with preference for Army certified DSOPs.
(2) Must provide default control gates and threshold enforcements.
(3) The control gates and thresholds should be adjustable, by the authorizing
official (AO) or by delegation to the program information system security manager, to
meet different mission requirements and the AO risk threshold.
(4) Must maximize use of automation while including control assessor (CA)
reviews for security relevant changes.
(5) Mitigations for all outstanding findings must be communicated to the CAs in
the form of mitigation statements. These statements must consider the context of the
application and the deployment platform security boundary.
(6) Must leverage the National Institute of Standards and Technology (NIST)
Common Vulnerability Scoring System based on the current published quantitative
severity ratings.
(7) Must provide all security-relevant artifacts and logs in an accessible and
machine-readable collection that ensures integrity and traceability.
b. Pre-build tests. Tests that operate on the entire repository.
(1) Must include integrity checks for supporting components, frameworks, and
dependencies.
(2) Must include a mechanism for unit testing and code coverage enforcement.
(3) Should provide unit testing frameworks for all applicable languages.
c. Pre-build scans. Security scans that operate on the source code and repository.
(1) Must include static application security testing (SAST) to assess security risks
and code quality in the application source code.
(2) Must include credential/secrets detection on the entire project to prevent
inclusion of sensitive data with the source code.
(3) Should include linting of relevant components including configurations,
container specifications, and source code to reduce errors.
d. Software builds. The software build process varies based on software types but
may involve compiling, linking, containerization or other processes. It may occur on or
off DSOPs.
(1) Software builds targeting production-level deployment platforms must occur
on certified DSOPs.
(2) Software builds should prefer Army certified DSOPs but may execute on
other certified DoD DSOPs.
(3) Software builds should be reproducible to enable the detection of
compromised build platforms.
e. Post-build scans. Security scans that have a dependency on the build.
(1) Must produce a high-fidelity software bill of materials (SBOM) for every
pipeline execution in a NIST authorized format.
(2) Must conduct software composition analysis using the SBOM to identify
known vulnerabilities and their impacts.
(3) Must conduct supply chain risk analysis using the SBOM to identify unknown
threats including malicious or adversary activity in the supply chain.
(4) Must include dynamic application security testing (DAST) to identify runtime
vulnerabilities as a simulated malicious user for all applications that run as a service or
provide an application programming interface.
(5) Must include malware scanning to identify known malicious signatures.
(6) Must include configuration compliance checks to ensure that applicable
security technical implementation guides (STIGs) are implemented.
(7) Must include checks for secure development practices, whether or not they are
covered by the SAST/DAST, at a minimum including:
(a) Must include a check for unnecessary software components and
dependencies to ensure that production software is minimized.
(b) Must ensure that software components are within their security lifecycle
including distributions, frameworks, languages, etc.
(c) Must ensure least privilege, separation of privilege, and isolation are enforced
for production software.
f. Post-build tests. Tests that have a dependency on the build.
(1) Must provide a mechanism to allow for automated function and integration
testing.
(2) Should provide function and integration testing frameworks coupled with
instantiable or otherwise available deployment platforms to enable complete end-to-end
testing.
g. Release and authorization. The process for authorizing a release of an
application.
(1) Must include a mechanism for developers to request an authorization for a
software release.
(2) Must include a mechanism for CA review and automated enforcement of
established security gate thresholds prior to application authorization.
(3) Must have a mechanism which ties the release version of applications to the
associated configuration state of the application and the platform deployment level.
(4) Must have a mechanism that ensures the traceability of authorized
applications to their security artifacts.
(5) Should make use of deployment levels such as development, testing, and
production to accelerate the frequency of authorized releases.
h. Deliver and deploy. The mechanisms that deliver, deploy, and roll back the
authorized application to the application platform.
(1) Must provide mechanisms to allow for both continuous delivery and
deployment of authorized applications to authorized application platforms.
(2) Must have a process that ensures the traceability of deployed applications and
their deployment platforms to their authorizations.
i. Should be augmented by human and business processes including:
(1) Automated inclusion of CA reviews in the pipelines.
(2) Manual penetration testing and threat modeling.
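One way a pipeline stage could implement the default control gate, AO-adjustable threshold, CVSS-based severity ratings, mitigation statements and integrity-protected gate artifacts required in paragraph 4a (an added Python example, not part of the memo; the GatePolicy class, finding fields, mitigation-statement fields and sample values are assumptions):

```python
# Added example (not from the memo): a control-gate evaluator for one pipeline
# stage. The findings, mitigation statements and run id below are constructed.
import hashlib
import json
from dataclasses import dataclass

# NIST NVD qualitative severity ratings for CVSS v3.x base scores (para 4a(6)).
CVSS_RATINGS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"), (0.0, "None")]

def cvss_rating(score: float) -> str:
    """Map a quantitative CVSS base score to its NVD qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(name for floor, name in CVSS_RATINGS if score >= floor)

@dataclass
class GatePolicy:
    """Default threshold (4a(2)); the AO or delegated ISSM adjusts it per mission (4a(3))."""
    max_unmitigated_score: float = 6.9  # block High and Critical findings by default

def evaluate_gate(findings: list, policy: GatePolicy, mitigations: dict) -> dict:
    """A finding above the threshold blocks release unless a mitigation statement
    covering application context and platform boundary exists for it (4a(5)).
    CA review of that statement (4a(4)) is a human step this code records, not replaces."""
    blocking, mitigated = [], []
    for f in findings:
        if f["cvss"] <= policy.max_unmitigated_score:
            continue  # within the AO-accepted risk threshold
        entry = {"id": f["id"], "cvss": f["cvss"], "rating": cvss_rating(f["cvss"])}
        stmt = mitigations.get(f["id"], {})
        (mitigated if stmt.get("context") and stmt.get("boundary") else blocking).append(entry)
    return {"passed": not blocking, "threshold": policy.max_unmitigated_score,
            "blocking": blocking, "mitigated": mitigated, "total": len(findings)}

def gate_artifact(result: dict, run_id: str) -> dict:
    """Machine-readable gate record with a SHA-256 digest for integrity and traceability (4a(7))."""
    body = json.dumps({"run": run_id, "result": result}, sort_keys=True, separators=(",", ":"))
    return {"body": body, "sha256": hashlib.sha256(body.encode()).hexdigest()}

def verify_artifact(artifact: dict) -> bool:
    """Recompute the digest; False means the record changed after the gate ran."""
    return hashlib.sha256(artifact["body"].encode()).hexdigest() == artifact["sha256"]

# Constructed sample input: three scanner findings, one with a mitigation statement.
SAMPLE_FINDINGS = [{"id": "F-1", "cvss": 9.8, "source": "SCA"},
                   {"id": "F-2", "cvss": 7.5, "source": "SAST"},
                   {"id": "F-3", "cvss": 5.3, "source": "DAST"}]
SAMPLE_MITIGATIONS = {"F-2": {"context": "input reachable only from the admin UI",
                              "boundary": "platform network policy denies external ingress"}}
```

With the defaults, F-1 blocks the release, F-2 passes on the strength of its mitigation statement, and F-3 falls within the accepted threshold; the gate record and its digest are what a CA would review and what release traceability (4g(4)) would reference.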
5. Policy review. The OCIO Policy & Risk Governance Division (SAIS-CSP) will review
this policy annually, or as required, and update as appropriate.
6. Points of contact.
a. CIO Policy Inbox: usarmy.pentagon.hqda-cio.mbx.policy-inbox@army.mil.
b. SAIS-CSP policy team: usarmy.pentagon.hqda-cio.mbx.sais-csp@army.mil.
c. SAIS-ADS Deputy Director: Dr. Gregory Smoots, gregory.c.smoots.civ@army.mil.
d. Chief, Software Modernization AAG: Lauren Pavlik, lauren.c.pavlik.civ@army.mil.
LEONEL T. GARCIGA
Chief Information Officer
DISTRIBUTION:
Principal Officials of Headquarters, Department of the Army
Commander
U.S. Army Forces Command
U.S. Army Training and Doctrine Command
U.S. Army Materiel Command
U.S. Army Futures Command
U.S. Army Pacific
U.S. Army Europe and Africa
U.S. Army Central
U.S. Army North
U.S. Army South
U.S. Army Special Operations Command
Military Surface Deployment and Distribution Command
U.S. Army Space and Missile Defense Command/Army Strategic Command
U.S. Army Cyber Command
U.S. Army Medical Command
U.S. Army Intelligence and Security Command
U.S. Army Corps of Engineers
U.S. Army Military District of Washington
U.S. Army Test and Evaluation Command
U.S. Army Human Resources Command
U.S. Army Corrections Command
U.S. Army Recruiting Command
Superintendent, U.S. Military Academy
Commandant, U.S. Army War College
Director, U.S. Army Civilian Human Resources Agency
Executive Director, Military Postal Service Agency
Director, U.S. Army Criminal Investigation Division
Director, Civilian Protection Center of Excellence
Director, U.S. Army Joint Counter-Small Unmanned Aircraft Systems Office
Superintendent, Arlington National Cemetery
Director, U.S. Army Acquisition Support Center
CF:
Principal Cyber Advisor
Director of Enterprise Management
Director, Office of Analytics Integration
Commander, Eighth Army