# DevSecOps Roadmap

## Rationale

- RMF is good, RMF+DevSecOps is great. Why?
- RMF is not the whole universe, what else do we use? How do we use it?
- Those things are very different, how do we connect the two?

## Progression

### Formulating the Business Need

- Establishing a purpose: the business need (short, executive summary)
- RMF Step(s): Prepare, Categorize
- 800-47: Planning an Information Exchange
  - Understand the process
  - Understand and define data from, to, and made by the process
  - Define a technical solution to the business need.

> To demonstrate an approach to DevSecOps that integrates RMF, SP 800-47 (Information Exchange) and OSCAL. This will help developers and information security practitioners understand the process, and methods for writing automated tests for security controls.

### Establishing Project (Administrative)

- RMF Step(s): Categorize, Implement, Monitor?
- Jettison old GitHub issues
  - They do not serve current needs
- Establish requirements for public access to all repos (DHS could keep their implementation private if they'd like)
- Configure repo and VCS management with relevant permissions, and back them with controls
- Track and notify of forks, and give near real-time info for risk-managed decisions

### Establishing Project (Technical)

- RMF
- Permissions to create persistent access tokens on AWS for CI/CD
- "Repository reset"
  - Separation of concerns (core blossom repo vs. nist or dhs forks)
  - Actions automation for core and fork repos
- Baseline tooling to execute tests
- Standardize a location for OSCAL model content
- Produce artifacts of assessment for a single test
- Mechanisms for discontinuance based on repository state.

# Presentation Goals and Requirements

## Goals

## Deliverables

- [Rationale for DevSecOps design and outcomes](#Rationale)
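The three technical items above (baseline tooling to execute tests, a standardized location for OSCAL model content, and an assessment artifact per test) fit together as one small pipeline. The following is an added example, not code from the roadmap or its project: it runs a single automated control test (CI/CD tokens must not carry administrative scopes, a least-privilege check) and writes one assessment artifact under an assumed `oscal/` directory. The directory layout, the control-to-test mapping format, the token inventory format and the scope names are all assumptions, and the artifact is only loosely modeled on OSCAL's assessment-results structure; it is not claimed to validate against the OSCAL schema.

```python
"""Added example: one automated security-control test and the assessment
artifact it produces. Not part of the roadmap's project; layout, field
names and input formats are assumptions (loosely OSCAL-shaped)."""
import json
import uuid
from datetime import datetime, timezone
from pathlib import Path

# Assumed standardized location for OSCAL model content in the repo.
OSCAL_DIR = Path("oscal")
ARTIFACT_DIR = OSCAL_DIR / "assessment-results"

# Constructed sample: how a repo might map one control to one automated test.
SAMPLE_MAPPING = {
    "control-id": "ac-6",  # least privilege
    "test-id": "ci-token-least-privilege",
    "description": "Persistent CI/CD tokens must not carry administrative scopes.",
}

# Constructed sample: a CI/CD token inventory in a hypothetical export format.
SAMPLE_TOKENS = [
    {"name": "deploy-bot", "scopes": ["repo:read", "deployments:write"]},
    {"name": "release-bot", "scopes": ["repo:read", "admin:org"]},
]

# Hypothetical scope names treated as administrative by this test.
ADMIN_SCOPES = frozenset({"admin:org", "admin:repo"})


def check_least_privilege(tokens, admin_scopes=ADMIN_SCOPES):
    """Return the (sorted) names of tokens carrying any administrative scope."""
    return sorted(t["name"] for t in tokens if admin_scopes & set(t["scopes"]))


def build_assessment_result(mapping, violations, now=None):
    """Build a single-test assessment artifact (simplified, OSCAL-like).

    The finding is 'satisfied' only when the test reported no violations;
    the observation records that the evidence came from an automated TEST.
    """
    now = now or datetime.now(timezone.utc).isoformat()
    state = "not-satisfied" if violations else "satisfied"
    detail = ("Tokens with administrative scopes: " + ", ".join(violations)
              if violations else "No tokens carry administrative scopes.")
    return {
        "assessment-results": {
            "uuid": str(uuid.uuid4()),
            "metadata": {"title": f"Automated test {mapping['test-id']}",
                         "last-modified": now, "version": "1"},
            "results": [{
                "uuid": str(uuid.uuid4()),
                "title": mapping["description"],
                "start": now,
                "observations": [{
                    "uuid": str(uuid.uuid4()),
                    "description": detail,
                    "methods": ["TEST"],  # automated check, not EXAMINE/INTERVIEW
                }],
                "findings": [{
                    "uuid": str(uuid.uuid4()),
                    "title": f"{mapping['control-id']}: {mapping['test-id']}",
                    "description": detail,
                    "target": {"type": "objective-id",
                               "target-id": mapping["control-id"],
                               "status": {"state": state}},
                }],
            }],
        }
    }


def finding_state(result):
    """Accessor for the state of the single finding in a result."""
    return result["assessment-results"]["results"][0]["findings"][0]["target"]["status"]["state"]


def run_test(mapping=SAMPLE_MAPPING, tokens=SAMPLE_TOKENS):
    """Execute the control test and return its assessment artifact."""
    return build_assessment_result(mapping, check_least_privilege(tokens))


def write_artifact(result, out_dir=ARTIFACT_DIR):
    """Write one artifact per test run under the OSCAL directory; return its path."""
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / f"{result['assessment-results']['uuid']}.json"
    path.write_text(json.dumps(result, indent=2))
    return path


if __name__ == "__main__":
    artifact = run_test()
    print(finding_state(artifact), "->", write_artifact(artifact))
```

Run as a script, it prints `not-satisfied` for the constructed inventory (the `release-bot` token carries `admin:org`) and writes one JSON file per run under `oscal/assessment-results/`. Keeping the test, the mapping and the artifact in the repository lets a CI job (the "Actions automation" item) fail the build on `not-satisfied` and commit or upload the artifact as the evidence trail for that control.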