RAISE 2.0 RPOC Walkthrough Guide

Build your DevSecOps Platform (DSOP) — a hardened Kubernetes environment with all the supporting services that the 8 security gates and ongoing operations depend on. This is the foundation everything else runs on. Do not skip ahead; the security gates in Phase 2 depend on these services being operational.

1. Provision infrastructure — Use OpenTofu (or Terraform) to create VMs/instances. For on-prem, Proxmox VE or vSphere work well. For cloud, AWS GovCloud or Azure Gov.
2. Harden the operating system — Apply DISA STIG to Rocky Linux 9 (or RHEL 9) using Ansible. Enable FIPS 140-2 mode, SELinux enforcing, auditd configured.
3. Install RKE2 Kubernetes — RKE2 is the only DISA STIG-certified K8s distribution. Install in HA mode (3 server + N agent nodes). Enable the CIS hardening profile.
4. Bootstrap Flux CD — Install Flux CD for GitOps-based platform management. All services below are deployed as HelmReleases reconciled from Git.
5. Deploy Istio service mesh — STRICT mTLS cluster-wide. Istio gateway for ingress. This satisfies SC-8 (encryption in transit).
6. Deploy cert-manager — Automate TLS certificate lifecycle. Internal CA for cluster services, Let's Encrypt or DoD PKI for external.
7. Deploy Kyverno policy engine — Pod Security Standards (baseline + restricted), image registry restrictions, label requirements. This becomes your policy enforcement backbone.
8. Deploy monitoring stack — kube-prometheus-stack (Prometheus + Grafana + AlertManager). ServiceMonitors for all platform components.
9. Deploy logging stack — Loki + Alloy for centralized logging. 90-day retention for audit logs.
10. Deploy secrets management — OpenBao (or Vault) + External Secrets Operator. Kubernetes auth method. KV v2 engine for app secrets.
11. Deploy container registry — Harbor with Trivy scanning enabled on push. Robot accounts for CI/CD. Cosign signature verification.
12. Deploy runtime security — NeuVector for container runtime monitoring, network segmentation, CIS scanning, and admission control.

• ✓Kubernetes cluster running (RKE2, HA mode, CIS profile enabled)
• ✓STIG-hardened OS (Rocky Linux 9 / RHEL 9 with FIPS enabled)
• ✓GitOps engine operational (Flux CD bootstrapped, reconciling from Git)
• ✓Service mesh with mTLS STRICT (Istio deployed and healthy)
• ✓Certificate management (cert-manager with ClusterIssuers)
• ✓Policy engine (Kyverno with baseline + restricted policies)
• ✓Monitoring stack (Prometheus + Grafana + AlertManager)
• ✓Logging stack (Loki + Alloy, 90-day audit retention)
• ✓Secrets management (OpenBao/Vault + External Secrets Operator)
• ✓Container registry (Harbor with Trivy scanning on push)
• ✓Runtime security (NeuVector deployed and scanning)
• ✓Default-deny NetworkPolicies in all namespaces

Build a CI/CD pipeline that enforces all 8 RAISE 2.0 security gates. Each gate must be automated (except Gate 6: ISSM Review) and must produce machine-readable evidence. The pipeline must fail if any gate fails — this is non-negotiable. The TA will run your pipeline end-to-end during certification.

• ✓CI/CD pipeline defined (GitHub Actions or GitLab CI YAML)
• ✓Gate 1: SAST — Semgrep configured with OWASP + security rulesets, SARIF output
• ✓Gate 2: SBOM — Syft generates SPDX + CycloneDX, attached via Cosign attestation
• ✓Gate 3: Secrets — Gitleaks scans source + history, fails on findings
• ✓Gate 4: CSS — Trivy scans container image, fails on CRITICAL/HIGH
• ✓Gate 5: DAST — OWASP ZAP baseline scan against deployed staging app
• ✓Gate 6: ISSM Review — Pipeline pauses for manual approval before prod deploy
• ✓Gate 7: Signing — Cosign signs image + attaches attestations
• ✓Gate 8: Storage — Image pushed to Harbor, Trivy re-scan on push
• ✓Reference application runs through full pipeline successfully
• ✓All gate artifacts saved (SARIF, SBOM, scan reports, signatures)
• ✓Kyverno enforces image signature verification on deploy

Categorize your system using FIPS 199 and NIST SP 800-60. This determines the security controls you must implement and directly affects the rigor of assessment. Get this right early — changing categorization later means re-doing control selection and documentation.

1. Identify information types — Use NIST SP 800-60 Vol II to determine what types of information your platform processes (e.g., C3.2.8 System Development, C3.4.1 General Information). List each type.
2. Assign impact levels — For each information type, assign Confidentiality, Integrity, and Availability impact levels (Low, Moderate, High) per FIPS 199.
3. Determine system high-water mark — Your system categorization is the highest impact level across all information types for each dimension (C, I, A).
4. Document rationale — Write clear justifications for each impact level. The AO will review these.
5. Select control baseline — Based on categorization, select NIST 800-53 control baseline (Low, Moderate, or High). Most DSOPs are Moderate.

• ✓Information types identified (per NIST 800-60 Vol II)
• ✓Impact levels assigned (C, I, A) for each information type
• ✓System high-water mark determined (e.g., Moderate-Moderate-Moderate)
• ✓Rationale documented for each impact level
• ✓NIST 800-53 control baseline selected (Low/Moderate/High)

Prepare the formal compliance documentation required for RPOC designation. This includes the SLA template (RAISE Appendix C), CI/CD Tools Certification (RAISE Appendix D), Plan of Action and Milestones (POA&M), and supporting artifacts. This is the most documentation-heavy phase — start early and iterate.

1. SLA Template (RAISE Appendix C) — This is the Service Level Agreement between the DSOP and application owners. It covers all 21 items including vulnerability remediation timelines, patching cadence, monitoring SLAs, incident response, backup/recovery, and access management. Application owners sign this before onboarding.
2. CI/CD Tools Certification (RAISE Appendix D) — A formal document listing every tool in your pipeline, its version, which gate it supports, pass/fail criteria, and evidence format. The TA reviews this to certify your pipeline.
3. System Security Plan (SSP) — Describes the system boundary, architecture, and how each NIST 800-53 control is implemented, inherited, or planned. This is the core ATO document.
4. Security Assessment Report (SAR) — Results of security testing. In RAISE, your automated pipeline results contribute to this.
5. Plan of Action & Milestones (POA&M) — Any known vulnerabilities or gaps that are not yet remediated, with timelines for resolution.
6. STIG Checklists — Completed DISA STIG checklists for your OS (Rocky Linux 9 / RHEL 9) and Kubernetes (RKE2). Export from STIG Viewer.

• ✓SLA template completed (RAISE Appendix C, all 21 items)
• ✓CI/CD Tools Certification completed (RAISE Appendix D)
• ✓System Security Plan (SSP) drafted with control implementations
• ✓Security Assessment Report (SAR) with pipeline evidence
• ✓POA&M created for all known open findings
• ✓Rocky Linux 9 / RHEL 9 STIG checklist completed
• ✓RKE2 Kubernetes STIG checklist completed
• ✓ISSM reviewed and agreed to SLA and pipeline design

Register your DSOP system in eMASS (Enterprise Mission Assurance Support Service) or MCAST, upload all compliance artifacts, and configure the control inheritance chain. This is a bureaucratic phase — start getting access early because it takes weeks.

1. Request eMASS access — This requires a CAC (Common Access Card) and can take 2-4 weeks to get approved. Start immediately. If you do not have a CAC, work with your ISSM to get one or have the ISSM register the system.
2. Register the system — Create a new system entry with the official name, acronym, categorization (from Phase 3), owning organization, and system boundary description.
3. Upload artifacts — Upload SSP, SAR, POA&M, STIG checklists, and architecture diagrams. Each artifact has a specific location in eMASS.
4. Map controls — For each NIST 800-53 control in your baseline, mark it as Implemented, Planned, Inherited, or Not Applicable. For inherited controls, reference the parent system (e.g., the cloud provider's FedRAMP authorization).
5. Mark inheritable controls — Critically, mark which controls your DSOP can provide to applications that onboard. This is what makes your RPOC valuable — apps inherit security controls from you instead of implementing them individually.

• ✓eMASS/MCAST access granted
• ✓System registered (name, acronym, categorization, boundary)
• ✓All artifacts uploaded (SSP, SAR, POA&M, STIGs, diagrams)
• ✓Controls mapped (Implemented/Planned/Inherited/N-A for each)
• ✓Inheritable controls marked for application onboarding
• ✓ISSM concurrence on control status

Submit your Appendix D (CI/CD Tools Certification) to the Technical Authority (TA) for review. The TA will evaluate your pipeline, verify all 8 gates are functional, and certify your toolchain. This is the technical gatekeeper — pass this and you are most of the way to RPOC.

1. Submit Appendix D — Send the completed CI/CD Tools Certification to the TA. Include tool names, exact versions, gate mapping, pass/fail criteria, and evidence format for each gate.
2. Prepare the demo — Set up your reference application (from Phase 2) with a clean Git history. The TA will likely want to see a live pipeline run.
3. Run a demo pipeline — Execute the full pipeline in front of (or recorded for) the TA. Show each gate running, producing evidence, and the pipeline failing when a gate fails.
4. Show gate failure behavior — Intentionally trigger each gate failure (introduce a vulnerability, add a leaked secret, etc.) to prove the pipeline stops.
5. Present evidence artifacts — Show stored SARIF reports, SBOMs, scan results, signed images, and attestations in Harbor.
6. Address TA feedback — The TA may request configuration changes or additional gates. Iterate until they certify.

• ✓Appendix D submitted to Technical Authority
• ✓Demo pipeline run completed (live or recorded)
• ✓Gate failure behavior demonstrated for each gate
• ✓Evidence artifacts presented (SARIF, SBOM, scans, signatures)
• ✓TA feedback addressed and changes implemented
• ✓TA certifies CI/CD toolchain

Present your complete RPOC package to the Authorizing Official (AO). The AO reviews all evidence, confirms the platform meets the 24 RPOC requirements, reviews inheritable controls, and formally designates the system as an RPOC. This is the finish line for platform accreditation.

1. Compile the RPOC package — Gather all artifacts: SSP, SAR, POA&M, STIG checklists, Appendix C (SLA), Appendix D (certified by TA), eMASS registration, and architecture diagrams.
2. Verify the 24 requirements — Cross-reference RAISE 2.0's 24 RPOC requirements against your implementation. Each must have documented evidence.
3. ISSM recommendation — Your ISSM must formally recommend the system for RPOC designation. This is typically a signed memo.
4. Present to AO — Brief the AO on the platform architecture, security controls, inheritable controls, risk posture (POA&M), and the certified CI/CD pipeline.
5. AO reviews and signs — The AO signs the RPOC designation letter. This authorizes your platform to onboard applications.

• ✓Complete RPOC package compiled (all artifacts)
• ✓All 24 RPOC requirements verified with evidence
• ✓ISSM signed recommendation memo
• ✓AO briefing delivered
• ✓AO signed RPOC designation letter

With RPOC designation in hand, you can now onboard applications. Each application follows a standardized process: the Application Owner signs the SLA, registers in DADMS/DITPRDON, and the application passes through your certified CI/CD pipeline. The beauty of RPOC is that app teams inherit your platform's security controls instead of building their own ATO packages.

1. Application Owner signs SLA — The SLA (Appendix C) defines responsibilities, SLAs, and security requirements. Both parties sign.
2. Register in DADMS/DITPRDON — The Application Owner registers the application in the DoD IT portfolio management system.
3. Create tenant namespace — Use the onboarding script to create namespace, RBAC, NetworkPolicies, ResourceQuotas, Harbor project, and OpenBao path.
4. Application passes CI/CD pipeline — All 8 security gates must pass for the application.
5. ISSM reviews first deploy — Gate 6 (ISSM review) for the first production deploy of each new application.
6. Application receives cATO — Continuous Authority to Operate via the RPOC. No separate ATO package needed.

• ✓Reference application created and deployed through full pipeline
• ✓Tenant onboarding script tested and documented
• ✓Helm chart templates available for app teams (web-app, worker, cronjob)
• ✓Developer onboarding guide published
• ✓First real application onboarded and deployed
• ✓cATO granted for first application

Maintaining RPOC designation requires quarterly reviews with updated artifacts. Each QREV (1 through 7, then repeating) has specific deliverables. Prepare artifacts 14 days before each review. After 7 quarters (21 months), the cycle repeats from QREV 1.

1. QREV 1: Baseline validation — Confirm all controls are still implemented. Update SSP if architecture changed. Run full STIG scan.
2. QREV 2: Vulnerability focus — Review all CVEs from the quarter. Confirm remediation timelines met per SLA. Update POA&M.
3. QREV 3: Pipeline re-certification — Verify all 8 gates still pass with current tool versions. Update Appendix D if tools changed.
4. QREV 4: Incident review — Review any security incidents from the quarter. Document lessons learned. Update IR plan if needed.
5. QREV 5: Access control audit — Review all user/service accounts. Remove stale access. Verify RBAC policies.
6. QREV 6: Backup/recovery test — Execute a disaster recovery drill. Restore from backup. Document results and RTO/RPO metrics.
7. QREV 7: Annual review — Comprehensive review of all controls. Recategorization if needed. Full SSP update.

• ✓QREV calendar established (dates for all 7 QREVs)
• ✓Compliance reporting automated (CronJob / scripts)
• ✓QREV evidence templates created for each review type
• ✓Running QREV document started (updated continuously)
• ✓First QREV completed successfully

RPOC designation is not the end — it is the beginning of continuous operations. Your platform must maintain its security posture through continuous monitoring, vulnerability remediation, tool updates, and operational excellence. This is the steady-state that keeps your cATO valid.

1. Continuous monitoring — Prometheus + Grafana dashboards reviewed daily. AlertManager alerts triaged within SLA timelines. NeuVector runtime alerts investigated.
2. Vulnerability remediation — Trivy scans in Harbor catch new CVEs on existing images. Remediation per SLA: Critical (15 days), High (30 days), Medium (90 days), Low (180 days).
3. Platform updates — RKE2 minor versions quarterly, patch versions monthly. Platform component updates via Flux (bump HelmRelease versions). OS patches via Ansible.
4. Certificate rotation — cert-manager handles automated rotation. Monitor expiration alerts in Grafana. RKE2 internal certs rotate automatically.
5. Secret rotation — OpenBao dynamic secrets rotate automatically. Static secrets (API keys, etc.) rotate per policy schedule.
6. Backup verification — Velero backups run daily/weekly/monthly. Test restore quarterly (QREV 6). Monitor backup success in Grafana.
7. Tool updates — When updating a CI/CD pipeline tool (e.g., new Trivy version), coordinate with the TA. Minor version bumps may not require re-certification; major version or tool replacements do.
8. Incident response — Follow documented IR procedures. NeuVector + AlertManager trigger alerts. Grafana dashboards for investigation. Document all incidents for QREV 4.

• ✓Monitoring dashboards reviewed and actionable (daily rotation)
• ✓AlertManager routing tested (Slack/PagerDuty/email working)
• ✓Vulnerability triage and remediation process documented
• ✓Patch cadence established (OS monthly, K8s quarterly, components as needed)
• ✓Operational runbooks written (upgrades, DR, cert rotation, incident response)
• ✓Backup and restore tested successfully
• ✓Incident response plan documented and team trained