The Big Picture: Defense DevSecOps runs on a knowable set of documents, platforms, and tools. This index collects them in one place — the same sources cited across the Secure Delivery series.
Why It Matters
Half the time lost on a defense software program is spent finding the authoritative document or the right tool, not reading it. Bookmark this page instead. Every link is the primary source or the working tool — no vendor summaries in between.
The Details
- Policy & Strategy: The DoD-level documents that set the rules — CSRMC, DoDI 8510.01, the Zero Trust Strategy, cATO criteria.
- NIST Publications: The control catalogs and frameworks the evidence maps to.
- Platforms & Pipeline Tools: Platform One services and the open-source tools that produce the evidence.
- Compliance & Training: CMMC bodies, assessment portals, and where to build the skills.
Bolding indicates resources I use or have used directly; non-bolded links are curated for reference. Verify the current version of any policy document before citing it — issuances change.
Start here
Curated paths
Policy path
Policy & Strategy
New to defense compliance? Start with the documents that set the rules of the game.
Builder path
Pipeline & DevOps Tools
Jump here for the scanners, policy engines, and GitOps controllers that produce evidence.
Platform path
Platform One & Cloud
Use these when you're deploying on DoD platforms and inheriting their controls.
Compliance path
CMMC & Assessment
Start here when a contract clause or a C3PAO assessment is the forcing function.
Featured resources
High-signal sources
Resource Index
- DoD Policy & Security Strategy
- DoD CIO Cybersecurity Risk Management Construct (CSRMC) — the RMF replacement; covered in my RMF 2.0 post
- CSRMC Strategic Tenets — the ten tenets, one page each
- DoDI 8510.01 — Risk Management Framework for DoD Systems — still the issuance of record during transition
- Continuous ATO Evaluation Criteria — what the DoD actually checks; pairs with my cATO post
- DoD Zero Trust Strategy — the FY2027 mandate; covered here
- DoD AI Cybersecurity Risk Management Tailoring Guide — how models get authorized; covered in ATO for AI Systems
- EO 14028 — Improving the Nation’s Cybersecurity — the order behind SBOM and ZT mandates
- DoD CIO Library — the index of record when you need the current version of anything above
- NIST Security Publications & Frameworks
- SP 800-37r2 — Risk Management Framework — the framework CSRMC restructures
- SP 800-53r5 — Security and Privacy Controls — the control catalog everything maps to
- SP 800-171r3 — Protecting CUI — the CMMC Level 2 baseline
- SP 800-172 — Enhanced Requirements for CUI — the Level 3 delta
- SP 800-207 — Zero Trust Architecture — the ZT reference model
- SP 800-218 — Secure Software Development Framework — the EO 14028 development standard
- SP 800-161r1 — Supply Chain Risk Management — the C-SCRM practices behind the SR controls
- OSCAL — Open Security Controls Assessment Language — machine-readable compliance; the foundation of cATO evidence
- NIST AI Risk Management Framework — Govern, Map, Measure, Manage
- SP 800-53 Control Overlays for Securing AI Systems (COSAIS) — the AI overlays, drafts landing Q3 2026
- Platform One & DoD Cloud Services
- Platform One — the DoD DevSecOps platform; the reference cATO implementation
- Iron Bank — hardened container registry with inheritance-ready assessments
- Iron Bank Documentation — onboarding and hardening requirements for getting an image accepted
- Big Bang — the P1 Kubernetes baseline (Istio, Kyverno, Falco) as code
- Repo One — DoD source repository; pipelines with mandatory policy gates
- DoD Cyber Exchange — STIGs, SRGs, and cyber policy in one place
- DISA STIGs — the hardening baselines assessors check against
- NSA/CISA Kubernetes Hardening Guidance — the K8s baseline worth reading before the STIG
- Pipeline Security & DevOps Tooling
- Open Policy Agent — policy as code; the engine behind most pipeline gates (my PaC post)
- Kyverno — Kubernetes-native policy; easier entry than Rego for K8s-only shops
- OPA Gatekeeper — OPA as a K8s admission controller
- Checkov — IaC scanning for Terraform, CloudFormation, K8s manifests
- Trivy — container and dependency scanning plus SBOM generation in one pass
- Semgrep — SAST with writable rules; tune it for LLM failure modes (why that matters)
- Argo CD — GitOps controller; declarative state reconciliation (the GitOps case)
- Flux — the other GitOps controller; lighter footprint, same principle
- detect-secrets — pre-commit secret scanning; cheapest control you’ll ever implement
- Supply Chain & SBOM Security
- Syft — SBOM generation for containers and filesystems; SPDX and CycloneDX output
- Grype — vulnerability correlation against the SBOM
- cdxgen — CycloneDX-native generation; strongest polyglot support
- OWASP Dependency-Track — continuous SBOM monitoring against new CVEs
- Sigstore / cosign — artifact signing and verification
- SLSA — supply chain integrity levels; the provenance framework
- SPDX — the ISO SBOM format
- CycloneDX — the OWASP SBOM format; native VEX support
- CISA SBOM Resources — minimum elements and current guidance (my SBOM post)
- OSV — open source vulnerability database
- NVD — the National Vulnerability Database
- CMMC, Compliance & Security Assessment
- CMMC Program (DoD CIO) — the official program page; start here, not with vendors (my CMMC post)
- The Cyber AB — the accreditation body; C3PAO marketplace
- DIBNet — the 72-hour incident reporting portal; know it before you need it
- eMASS (DCSA) — where authorization packages live
- Lula — validates K8s state against OSCAL-defined controls
- Compliance Trestle — the OSCAL SDK for automating SSP and assessment artifacts
- FedRAMP — cloud service authorization; the inheritance source for most SaaS controls
- Getting Started: Education & Training
- DoD Cyber Exchange Training — free role-based training, including RMF and ZT courses
- Defense Acquisition University — acquisition and cybersecurity credentials; free for the workforce
- CIS Critical Security Controls — the threat-informed control set behind Army RMF 2.0’s baseline
- MITRE ATT&CK — the adversary behavior catalog; the “threat” in threat-informed
- NIST RMF Small Enterprise Quick Start — the plain-language RMF walkthrough
- The Secure Delivery series on this blog — GitOps → Policy as Code → Zero Trust → CMMC → SBOM → cATO, in reading order