Overview
Iron Bank is the DoD's source for hardened containers. A hardened container is one that can run on a Kubernetes cluster that holds an Authority to Operate (ATO) and meets the DevSecOps Reference Design (see documentation). Iron Bank does not grant an ATO: a container must still go through the normal authorization process in the downstream environment, as set up by that program. Our systems assist in that process by producing a secure-by-design baseline that other programs can leverage, together with compliance and vulnerability findings and assessments that can also be reused. In addition, many compliance findings and vulnerabilities are resolved through the Iron Bank hardening process itself.
Key Things to Know
- Iron Bank and Repo1 (GitLab) are completely open to the public (available at IL2). There are no locked-down versions of Iron Bank.
- Hardened containers do not carry a Certificate to Field (CtF) or an Authority to Operate (ATO).
- Direct uploads of "external" container images to the registry are not supported. Every image pushed to the registry must go through hardening.
- Iron Bank does not run containers. Availability of a container image does not imply an "automatic" deployment to any specific environment (e.g., Party Bus).
- There are no built-in features for license keys or for protecting intellectual property; vendors are encouraged to incorporate whatever technologies their own licensing and protection requirements call for.
- Iron Bank is not a fully automated platform. Portions of the hardening process are manual and involve substantial human effort.
Who is Iron Bank for?
Iron Bank is ultimately for anyone to consume or contribute to. However, we specifically target the following personas:
- DoD organizations wishing to consume hardened containers and Iron Bank's Body of Evidence (BoE) for each container
- DoD organizations wishing to contribute to containers (e.g., bug fixes, new applications, updates)
- DoD Authorizing Officials wishing to understand the risks associated with applications
- Commercial vendors wishing to bring their application to the DoD
Our Methodology
Containers submitted to Iron Bank are scanned and evaluated against the Iron Bank Acceptance Baseline Criteria (ABC) and judged compliant or non-compliant. Each container also receives an Overall Risk Assessment (ORA) score.
At a high level, applications must meet the following requirements:
- Rebasing the container onto an Iron Bank base image
- An Internet-disconnected build process: every artifact the build needs must be in the build context, not fetched at build time
- Support for the application and all of its containers by a vendor, an open source community, or a government entity
- Use of the latest release in the current release series for both the application and its dependencies
- Continuous monitoring (currently every 12 hours) and timely submission of justifications for any new findings
- Submission of any application update no later than the day of its public release
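The two technical requirements above, rebasing onto an Iron Bank base image and building without Internet access, can be checked mechanically before a container is submitted. The linter below is an added example, not Iron Bank's own tooling. It assumes that Iron Bank images are pulled from the registry host `registry1.dso.mil` and that the sample image paths, the list of network-fetching commands and the offline-flag heuristic are illustrative choices made for this example; the two Dockerfiles it runs over are constructed here, not taken from any real project.

```python
import re

# Assumption (not stated on this page): Iron Bank images are pulled from this
# registry host. The image paths in the samples below are illustrative only.
IRONBANK_REGISTRY = "registry1.dso.mil"

# Commands that, in a RUN step, imply a fetch from the Internet during the build.
# A heuristic chosen for this example, not an Iron Bank rule.
NETWORK_FETCHERS = (
    "curl", "wget", "git clone", "go get",
    "pip install", "npm install", "apt-get install", "dnf install", "yum install",
)
# Flags that turn a package install into an offline operation against local files.
OFFLINE_MARKERS = ("--no-index", "--offline")


def parse_instructions(dockerfile_text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash-continued lines, skips comments."""
    buf = ""
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: keep accumulating
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        buf = ""


def check_dockerfile(text, registry=IRONBANK_REGISTRY):
    """Return findings against the rebase and disconnected-build requirements."""
    findings = []
    stages = set()  # names declared with "FROM ... AS name"; later FROMs may reference them
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            image = tokens[0]
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if image in stages or image.lower() == "scratch":
                continue
            if not image.startswith(registry + "/"):
                findings.append(
                    f"FROM {image}: base image is not from {registry}; rebase onto an Iron Bank image")
        elif instr == "RUN":
            if any(marker in arg for marker in OFFLINE_MARKERS):
                continue  # install runs against files already in the build context
            for fetcher in NETWORK_FETCHERS:
                if re.search(r"(^|[\s;&|(])" + re.escape(fetcher) + r"(\s|$)", arg):
                    findings.append(
                        f"RUN uses '{fetcher}': build step reaches the Internet; "
                        "vendor the artifact into the build context instead")
                    break
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append(
                f"ADD from URL: {arg.split()[0]} is fetched at build time; COPY a vendored file instead")
    return findings


# Constructed sample Dockerfiles (not from any real project).
NONCOMPLIANT = """\
FROM docker.io/library/python:3.11
RUN pip install requests==2.31.0
RUN curl -sSfL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz \\
    && tar -xzf /tmp/tool.tar.gz -C /opt
COPY app/ /app/
"""

COMPLIANT = """\
FROM registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3 AS builder
# Wheels are downloaded ahead of time and committed to the build context.
COPY vendor/wheels/ /tmp/wheels/
RUN pip install --no-index --find-links /tmp/wheels/ requests
FROM registry1.dso.mil/ironbank/redhat/ubi/ubi9:9.3
COPY --from=builder /usr/local/lib/python3.9/site-packages /usr/local/lib/python3.9/site-packages
USER 1001
"""

if __name__ == "__main__":
    for name, text in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(f"== {name}: {len(check_dockerfile(text))} finding(s)")
        for finding in check_dockerfile(text):
            print("  -", finding)
```

The noncompliant sample yields three findings (a non-Iron-Bank base image, a `pip install` against the index, and a `curl` download); the compliant one yields none, because its only install step points at wheels already copied into the build context. A real submission would still go through Iron Bank's own scanning and review; a check like this only catches the obvious structural problems early.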
If a container is not part of Big Bang, it does not need to be inspected and have all of its findings reviewed before it is made available in Iron Bank. Containers do not receive an ATO or CtF, but the ORA score they receive is intended to help Iron Bank customers evaluate the risk of using a given container in their environment. It is always the responsibility of the program or organization using a container to evaluate it and accept or reject it against its own criteria.
Please note that Iron Bank evaluates each container on an individual basis and may refuse to harden or onboard any container for any reason. A finding or condition that disqualifies one container may not disqualify another. For example, an Istio container must run as root, whereas running as root would be unacceptable for most other containers.
Detailed documentation on Acceptance Baseline Criteria and Overall Risk Assessment