Closed

DevSecOps Review Consultancy

Tender ID: 488903


Tender Details

Tender #: 20245
Status: Closed
Publish Date: 25 March 2022
Closing Date: 31 March 2022

Tender Description

The Defence Science and Technology Strategy 2030, More Together, sets DSTG direction to 2030. The Strategy is supported by three pillars, including the Outstanding Research Infrastructure Powering Innovation Pillar, which in turn is divided into two spheres of effort: Physical Infrastructure and Digital Infrastructure. Our Plan for Digital Science and eResearch sets out strategic direction for implementation of the Digital Infrastructure aspects of the Pillar.

Partnering with a DSTG team led by the Group Leader, Computational and Data Intensive Sciences, we offer an opportunity to assist us to plan and facilitate co-creation of a blueprint for our target digital science environment, and win the support and commitment of our diverse stakeholders. The outcome will be the preparation of compelling documentation built on solid strategic, tactical and practical considerations.

DSTG is looking to evaluate its existing DevSecOps tools, processes, procedures, governance and security practices against aligned industry practice and best practice. The aim is to deliver a platform that will improve the quality and security of infrastructure and software solutions, whilst reducing costs and the time to implement and deploy capabilities.

The purpose of this engagement is to engage an independent third party to undertake a review and perform a comparative assessment of DSTG’s DevSecOps capabilities against those implemented under best practice by other organisations in aligned or similar industries. A report and strategic plan are required to inform and provide recommendations that enable DSTG to evaluate and implement the required changes to the current environment.

Deliverables

1. A comprehensive review and report examining current policies, processes and procedures for the DevSecOps lifecycle within DSTG, including but not limited to:

a) Source Control
b) Planning and Collaboration (organisation internal and external)
c) Repositories, with the ability to securely source artefacts from approved repositories hosted on the internet
d) Repositories for segregated and/or isolated networks
e) CI/CD automation and orchestration tool/s
f) Configuration Management automation and orchestration tool/s
g) Infrastructure as Code frameworks

The report must encompass an assessment of DevSecOps components in use, or proposed for use within DSTG, considering compliance with the following security standards:

a) Information Security Manual (ISM)
b) Defence Security Principles Framework (DSPF)
c) Security hardening requirements
d) US Export Control Handling Measures (inclusive of ITAR and FMS)

2. Provide a roadmap and detailed work plan to enable deployment of a recommended toolsuite, integration components and automation to support DSTG’s future software development and scientific research activities. Each roadmap element must align to organisational security, policy and development/research requirements. This roadmap should consider the varied approaches and requirements of the DSTG Researcher user communities and seek to consolidate and align approaches where possible and appropriate.

3. Undertake high-level cost and comparative product selection assessments between technology product options where multiple solutions may meet the identified functional and operational requirements, supporting scientific, computational research and software development activities across DSTG’s domains of interest.

Activities

1. Attend discovery workshops to gather input into the resulting review and recommendations report
2. Review and consider appropriate Defence security controls and/or industry equivalents including ISM, DSPF and DSTG security hardening
3. Collaborate and consult with all key internal stakeholders to establish the parameters enabling the end-state target environment
4. Engage with similar organisations, as advised by DSTG, to review, identify and consider frameworks and opportunities for uplift or enhancement of the extant DSTG environment to achieve the target end-state. DSTG will provide a list of suggested organisations upon commencement of the engagement
5. Leveraging stakeholder engagements and discovered artefacts, undertake a documentation gap analysis and, where appropriate, provide templates and/or guidance to remediate identified deficiencies

Constraints

1. All solution options must be capable of being hosted within current DSTG on-premises infrastructure
2. Stakeholder engagements must be undertaken using the consultant's ICT facilities where security considerations allow


