Home / DoD Software Factory

Anchore brings DevSecOps to your DoD software factory

    • Meet DoD DevSecOps requirements.

    • Automate security checks to secure software for warfighters.

    • Leverage out-of-the-box policy packs for DoD standards.

    • Deploy in IL4 to IL6  (air-gapped and classified) environments.

Secure your DoD software factory with Anchore Federal

Anchore Federal is used across the US Department of Defense (DoD) to secure software factories that speed up development to aid warfighters. With Anchore Federal programs meet DoD DevSecOps requirements, apply zero-trust principles for applications and ensure cyber readiness.

Platform One and Black Pearl are using Anchore to harden containers for the Iron Bank. Anchore Federal is deployed in IL4 and IL6 environments and supports a continuous feed of new vulnerabilities even in an air-gapped or high side environment.

Anchore aligns with the DoD DevSecOps Reference Design and offers:

  • Container hardening (Anchore DISA policy pack)
  • Container policy enforcement (Anchore Federal policy packs)
  • Container image selection (Container Hardening Scanner)
  • Artifact storage (Anchore image registry integration)
  • Release decision-making (Anchore Kubernetes Admission Controller)
  • Runtime policy monitoring (Anchore Kubernetes Automated Inventory)

Anchore is listed in the DoD Container Hardening Guide and the Container Image Creation and Deployment Guide as a Container Hardening scanner.


One of the key purposes of Anchore is the mitigation of insider threat within the DevSecOps lifecycle by detecting unapproved changes to Dockerfiles. Read our latest white paper “DevSecOps for a DoD Software Factory: 6 Best Practices for Container Images” that advises on best practices for setting new standards in security and efficiency for DoD software factories.


Continuous vulnerability scanning

Automate vulnerability scans at each step in the development lifecycle, including source code repos, CI/CD pipelines, container registries, and Kubernetes platforms. Identify vulnerabilities, malware, secrets, and security risks. Anchore Federal integrates with common DevOps platforms such as GitLab, GitHub, or Jenkins to enable a “shift left” security posture and runs on any Kubernetes, including government clouds, on-prem OpenShift or, Rancher.


Automate DoD and NIST security checks

Enforce DoD standards with automated policy checks. Leverage Anchore’s out-of-the-box policy packs for NIST, DoD, DISA, and FedRAMP to speed compliance. Enforce controls for NIST 800-53 and 800-190 out of the box. Demonstrate compliance with controls from the Secure Software Development Framework as codified in NIST 800-218. Uncover issues as the software is built and avoid last-minute surprises before your compliance audit.

sample of policy bundles

Automate FedRAMP Controls

Remediate security findings easily

Reduce the manual effort to process security findings and create POA&Ms. Create action plans for developers detailing necessary remediation steps and use time-based allowlists that align POA&Ms. Fix issues faster and smarter.


Provide proof of your security posture

Ensure the security of your software with pass/fail reports of NIST, DoD, DISA, and FedRAMP checks. Document software contents with application-level SBOMs. Track and report on changes in your security posture and SBOMs over time.

Application-SBOM-graphic

Achieve continuous ATO (cATO)

Fulfill the required capabilities of cATO more easily. Use automated security checks and policy enforcement to continuously monitor and assess security controls per the Risk Management Framework (RMF).   Generate, store, and monitor SBOMs throughout the development lifecycle to ensure the security of the software supply chain. Leverage a centralized SBOM database to instantly triage the impact of zero-day vulnerabilities. Align with the DoD DevSecOps Reference Design and DoD Container Hardening Guide.


The Security Technical Implementation Guide (STIG) is a Department of Defense technical guidance standard that captures the cybersecurity requirements for a specific product. Achieving STIG compliance is complex and can be daunting. Download our in depth guide on best practices.


DoD Software Factory FAQs

Chevron icon What is a DoD software factory?

DoD software factories are used to enable the DoD to deliver incremental secure software capabilities to warfighters on a continuous basis.  It is defined in the DoD Software Modernization Implementation Plan that was approved in April of 2023 as collections of people, tools, and processes that enable teams to continuously deliver value by deploying software to meet the needs of a specific community of end users while enabling continuous rollout and cutting-edge cyber resilience.

 

Chevron icon What are examples of DoD software factories?

There are a number of software factories within the DoD.  Examples include Platform One (USAF), Black Pearl (US Navy), Project Overmatch (US Navy), Kessel Run (USAF), and Army Software Factory.  Anchore is already used by Platform One, Black Pearl, and other large software factories. Anchore is also used to harden containers for the Iron Bank.

Chevron icon How does a DoD software factory relate to DevSecOps?

They are closely related. DoD software factories are built on DevSecOps principles and processes. In fact,  they are referred to as DevSecOps software factories in the DoD Enterprise DevSecOps Fundamentals and the DoD Enterprise Strategy Guide .

Chevron icon How does Anchore Enterprise help create a DoD software factory?

Anchore is already used by Platform One, Black Pearl, and other software factories. Anchore is also used to harden containers for the Iron Bank.
Anchore aligns with the DoD DevSecOps Reference Design by offering solutions for:

  • Container hardening (Anchore DISA policy pack)
  • Container policy enforcement (Anchore Enterprise policies)
  • Container image selection (Iron Bank)
  • Artifact storage (Anchore image registry integration)
  • Release decision-making (Anchore Kubernetes Admission Controller)
  • Runtime policy monitoring (Anchore Kubernetes Automated Inventory)

Anchore is also specifically mentioned in the DoD Container Hardening Guide and the Container Image Creation and Deployment Guide as a Container Hardening scanner.

Chevron icon How does a DoD software factory relate to NIST standards?

DoD documentation relating to DevSecOps software factories is aligned to and mapped against the controls specified in NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), NIST SP 800-37, (Risk Management Framework for Information Systems and Organizations) as well as NIST SP 800-190 (Application Container Security Guide).

 

Chevron icon Are the principles of the DoD software factory relevant to other government agencies?

Yes. Because the DoD DevSecOps software factory recommendations are built on NIST standards, they can also apply to other national security or civilian agencies in the US.  In addition, national security agencies in allied nations may also build on the DoD DevSecOp software factory recommendations.

Learn more about solutions for the DoD and DevSecOps

Federal Compliance

Automate compliance checks using out-of-the-box and custom policies.

Open Source Security

Improve open source security by easily tracking direct and transitive open source dependencies to identify and fix vulnerabilities early.

DevSecOps

Automate DevSecOps for your cloud-native software supply chain with an API-first DevSecOps solution.

Container Security

Identify and remediate container security risks and monitor post-deployment for new vulnerabilities.

FedRAMP Vulnerability Scanning

Meet the new FedRAMP Vulnerability Scanning Requirements for Containers and achieve compliance faster with Anchore.

Container Vulnerability Scanning

Reduce false positives and false negatives with best-in-class signal-to-noise ratio.

Kubernetes Images Scanning

Allow or prevent deployment of images based on flexible policies and continuously monitor the inventory of insecure images running in your clusters.

Container Registry Scanning

Identify and remediate new risks and vulnerabilities as they emerge.

CI/CD Security & Compliance

Embed security and compliance into your CI/CD pipeline to uncover vulnerabilities, secrets, and malware in your automated build processes.

Software Bill of Materials

Get comprehensive visibility of your software components and ensure vulnerability accuracy with the most complete SBOM available. Generate, store, analyze, and monitor SBOMs across the application lifecycle to identify software dependencies and improve supply chain security.

Container Compliance

Automate compliance checks using out-of-the-box and custom policies.

Speak with our security experts

Learn how Anchore’s SBOM-powered platform can help secure your software supply chain.