1 Executive Summary

System Identification

System Name: Secure Runtime Environment (SRE)

DITPR ID: Pending Registration

FIPS 199 Category: Moderate-Moderate-Moderate

System Type: Major Application (MA)

Environment: DoD/Navy Kubernetes DevSecOps Platform

Technical Stack

K8s Distribution: RKE2 v1.34.4 (STIG-hardened)

OS: Rocky Linux 9.7 (DISA STIG applied)

GitOps: Flux CD v2.8.1

Service Mesh: Istio (mTLS STRICT)

Policy Engine: Kyverno (7 ClusterPolicies)

Assessment Dates


SCA Team


Assessment Methodology

This assessment was conducted in accordance with NIST SP 800-53A Rev 5, Assessing Security and Privacy Controls in Information Systems and Organizations. Assessment methods included:

  • Examine: Review of system documentation, SSP, architecture diagrams, GitOps manifests, Kyverno policies, Flux configurations, Ansible hardening roles, and compliance artifacts
  • Interview: Discussions with system owner, platform engineers, ISSO, and security team regarding operational procedures and security controls
  • Test: Automated compliance scanning (Kyverno PolicyReports, NeuVector CIS benchmarks, OSCAL validation), manual verification of control implementations, and configuration review of all 16 platform services

Control Assessment Totals

  • Controls Assessed: 325
  • Satisfied: 280
  • Other Than Satisfied: 30
  • Not Assessed: 15

Overall Risk Posture: ● MODERATE — Recommend ATO with conditions (remediate HIGH findings within 90 days)

2 Assessment Scope

Authorization Boundary

The authorization boundary encompasses the SRE Kubernetes platform including all control plane and worker nodes, platform services, GitOps pipeline, and CI/CD security gates. The boundary is defined in docs/authorization-boundary.md. All components within the boundary are deployed on RKE2 v1.34.4 running on DISA STIG-hardened Rocky Linux 9.7 with FIPS 140-2 cryptographic modules enabled.

Components Assessed

  • RKE2 Kubernetes Cluster (1 server + 2 agents)
  • Rocky Linux 9.7 OS (STIG-hardened)
  • Istio Service Mesh (mTLS STRICT)
  • Kyverno Policy Engine (7 ClusterPolicies)
  • Prometheus + Grafana (Monitoring)
  • Loki + Alloy (Logging)
  • Tempo (Distributed Tracing)
  • cert-manager (Certificate Management)
  • OpenBao + ESO (Secrets Management)
  • Harbor + Trivy (Container Registry)
  • NeuVector (Runtime Security)
  • Keycloak (Identity / SSO)
  • Velero (Backup)
  • MetalLB (Load Balancer)
  • OAuth2 Proxy (SSO Gateway)
  • Flux CD (GitOps Engine)
  • CI/CD Pipeline (GitHub Actions + Cosign + SBOM)

Excluded / Inherited

  • Tenant applications (assessed separately per app ATO)
  • Physical facility security (inherited from host site)
  • Underlying network infrastructure (inherited)
  • DNS infrastructure (inherited from enclave)
  • Personnel security (inherited from organization)
  • Physical/Environmental protections (inherited PE family)

Assessment Methods by Control Family

Family                                    Methods Applied
AC (Access Control)                       Examine, Test, Interview
AU (Audit & Accountability)               Examine, Test
CA (Assessment & Authorization)           Examine, Interview
CM (Configuration Management)             Examine, Test
CP (Contingency Planning)                 Examine, Interview
IA (Identification & Authentication)      Examine, Test
IR (Incident Response)                    Examine, Interview
PE (Physical & Environmental)             Examine (Inherited)
RA (Risk Assessment)                      Examine, Test
SA (System & Services Acquisition)        Examine, Test
SC (System & Communications Protection)   Examine, Test, Interview
SI (System & Information Integrity)       Examine, Test

3 Assessment Results Summary

Overall: 86% SATISFIED

  • Satisfied: 280
  • Other Than Satisfied: 30
  • Inherited: 25
  • Not Assessed: 15

Finding Severity Distribution

  • High: 2
  • Moderate: 8
  • Low: 5

Control Family Breakdown

Family Description Total Satisfied OTS Inherited N/A Distribution

4 Detailed Findings (Other Than Satisfied)

Finding Control Severity Title POA&M Ref

5 Strengths Identified

6 Risk Assessment Summary

  • Critical: 0
  • High: 2
  • Moderate: 8
  • Low: 5

Overall Risk Determination

Based on the assessment of 325 NIST 800-53 Rev 5 security controls applicable to a Moderate-Moderate-Moderate system, the overall residual risk to the Secure Runtime Environment (SRE) platform is assessed as MODERATE.

The platform demonstrates strong security posture through its GitOps-driven configuration management, zero-trust network architecture (Istio mTLS STRICT), comprehensive policy enforcement (Kyverno), and full-stack observability (Prometheus, Grafana, Loki, Tempo). FIPS 140-2 cryptographic modules are active at both the OS (Rocky Linux 9.7) and Kubernetes (RKE2) layers.

Key Risk Factors:

  • HIGH: Single control plane node presents a single point of failure for availability (CP-10). Planned remediation: deploy 3-node HA control plane.
  • HIGH: No CAC/PIV integration for DoD PKI authentication (IA-2(12)). Keycloak MFA is enabled but not bound to DoD identity credentials. Planned remediation: configure Keycloak X.509 client certificate authentication.
  • MODERATE: Eight findings relate to operational maturity items (penetration testing, SIEM integration, credential rotation, etc.) that are standard for pre-ATO systems and have clear remediation paths documented in the POA&M.
  • LOW: Five low-severity findings are documentation and configuration optimizations that do not present material operational risk.

Recommendation

The assessor recommends granting an Authority to Operate (ATO) with conditions. The two HIGH findings must be remediated within 90 days of ATO issuance. All MODERATE findings should be addressed within 180 days per the POA&M schedule. LOW findings should be tracked for remediation during the next assessment cycle.

7 Assessor Recommendation

SCA Recommendation

Based on the assessment results documented in this report, the independent Security Controls Assessor recommends the following authorization decision to the Authorizing Official:

Conditions / Remarks
