DevSecOps Terms and Conditions
Overview
Use this document to learn the DevSecOps terms and conditions for Party Bus.
Business Hours
Party Bus operates from 0800-1800 Central Standard Time during normal business hours, excluding federal government holidays. Party Bus product teams should not expect timely assistance with staging or production workloads outside these working hours.
Supported Technology
The Party Bus multi-tenant environment only supports the technologies listed on the Service Catalog.
- Party Bus does not guarantee any technology outside of what is currently captured in the "Supported Tools" section.
- Party Bus reserves the right to make architectural or technological changes due to the evolving and ever-changing cybersecurity landscape.
- Product teams should know changes are inevitable, but Party Bus will coordinate changes as early as possible through the Mattermost IL2/4/5 notification bots.
- Product teams are responsible for reading these notifications.
- If services are deployed that are outside the listed "Supported Tools" section, then these services must be updated continuously to the same standard as those that are supported by Party Bus. P1 will monitor the application team's updates to these services and enforce cybersecurity compliance via CtF award/renewal.
High Availability Workloads
Party Bus does not offer infrastructure or support for High Availability workloads (e.g., Elastic Search and/or Redis).
- Party Bus does not provide Backup and Recovery for technologies stated as Unsupported on the Service Catalog.
- Backup and Recovery for Unsupported technologies are the responsibility of the Product Team.
- Party Bus expects the Product Team to provide resource usage and constraints during the technical fit.
Communication
Party Bus engineers will coordinate application-specific communications through the defined COT Epic, provided during the onboarding process and managed by the MDO team throughout the Party Bus journey.
- The expectation is that the product teams provide their Government POC information. It is the product team's responsibility to have a current Government Sponsor and up-to-date POC in the COT.
- Each product team shall identify a POC with whom Party Bus can engage. Add others on the team as "watchers" and provide a comment in the COT to inform them so these users can be added to the users' field for notifications.
- Access your Epic on the COT Epic board.
- Every member of your team will have IL2 Jira, Confluence, and Mattermost access. Community information resides on these platforms, including how-to videos, the help desk, and other resources for self-learning.
Support Requests
Any and all requests for product team/application support will use the P1 Help Desk referencing the application COT Epic, so your team can be validated as funded before support is provided. This is essential for routing, service, and understanding of the support requested.
- Submit a Pipeline Support Request.
- Request Jira/Confluence/Mattermost support.
Pipelines and Deployments
The product team will be deployed to the Party Bus Mission Application Cluster and will have access to current runtime logs.
- Access to Party Bus infrastructure services will be locked down to prevent access to other tenants.
- The product team will have access to create the application manifests only.
- Party Bus compliant pipelines generate pipelines and deployment artifacts.
- Product teams do NOT create their own pipelines or deployment artifacts. If custom pipelines are created, they will be deleted immediately, and all pipelines will be turned off until a meeting with the MDO team occurs to address the need for customized pipelines.
- Party Bus reserves the right to remove non-compliant deployments without notice.
Product Team Licenses
The product team will be responsible for tracking their customer and developer-licensed seats.
- Developer-licensed seats will be subject to audit as necessary.
- To track licenses, one member of each team is assigned a Team Lead responsibility.
- The Team Lead requests an Application Access Update via the P1 Help Desk to grant and remove Atlassian and GitLab permissions for each user.
- The product team is responsible for accepting and acting in accordance with the software licenses/end user agreements associated with all products obtained through Party Bus. Product teams can access these agreements by submitting a request to the P1 Party Bus Government Lead.
Service Level Agreements
Review the MDO Party Bus Service Level Agreement for more information.
Cybersecurity Practices
Any application hosted in the Party Bus environment will be penetration tested and continually assessed for adherence to cybersecurity practices.
- This may happen at any time, and as often as necessary.
- Party Bus reserves the right to remove any application deemed "unsafe" without notice.
The Patch and Vulnerability Management Policy will be followed.
- Party Bus performs continuous monitoring of its entire environment.
- CVEs will be dealt with swiftly and securely.
- If a critical CVE is found in the Party Bus infrastructure, P1 reserves the right to mitigate to protect our environment, regardless of application impact.
- Each Party Bus-hosted production application will automatically run through a pipeline at least once per week or as needed to identify vulnerabilities.
- This may create an ever-changing environment, but it is set in place to keep the Party Bus-hosted multi-tenant applications safe from malicious actors.
Changing Requirements
If your requirements change (e.g., additional pipelines, RDS, additional staging deploy, and/or storage), the product team will be subject to another technical fit and potential increase in funding.
- New teams: Open a ticket with the CST to request additional services. To contact CST, navigate to Platform One's website and select Contact Us.
- Existing Teams: Contact your assigned BAM to request additional services.
Party Bus Retention Policies:
Tool Retention Policies
Hot (Storage/Data) means this data is actively used and needs fast access.
Cold (Storage/Data) means that this is data that is rarely accessed but still kept for compliance, auditing, or historical analysis.
| Policy Name | Resource/Tool | Timeframe | Cold | Responsibility |
|---|---|---|---|---|
| EBS Volume Snapshot | AWS | 15 days hot | 6 months | Party Bus Operations |
| Deployment Image | GitLab | 15 days hot | 6 months | MDO |
| Data Retention | RDS, S3 Buckets, GitLab Repositories | 3 years | | MDO |
Log Retention
- Security event logs: 12 months hot + 18 months cold
- Informational logs (those not specified above): 6 months hot + 12 months cold
- PCAP: 72 hours* (at P1 we want at least 14 days)
Cyber Enforcement
| Policy Name | Action | Timeframe | Responsibility |
|---|---|---|---|
| 7-Day Pipeline Execution | Automated execution of pipelines every 7 days | Every 7 days | MDO |
| Critical CVEs | Enforce fixing or whitelisting Critical and High CVEs | Every day | MDO |
| CtF Expired Enforcement | Validated Signed CtF and CtF Expiration Date < 1 year | Every time a production deployment is executed | MDO |
Jira/Confluence Retention Policies
| Policy Name | Resource/Tool | Timeframe | Description | Responsibility |
|---|---|---|---|---|
| EBS Volume Snapshot | AWS | 15 days hot + 6 months cold | | Party Bus Operations |
| Deployment Image | GitLab | 15 days hot + 6 months cold | | MDO |
| Data Retention | RDS, S3 Buckets, GitLab Repositories | 3 years | | |
| Jira Configuration Manager Snapshots | Jira | 30 days | Configuration Manager snapshots are made when a customer requests an export of some kind. Over time, the snapshots page fills up. Unless requested otherwise, it is best to keep that page clean. Snapshots can be recreated. | Atlassian Administrators |
| Jira Project Archival | Jira | 6 months of inactivity, archive project | If an entire project has not been updated for 6 months, archive it. We plan on automating this as well as creating a Configuration Manager snapshot before it automatically archives. This does not delete the data. | Atlassian Administrators |
| Jira Issue Archival | Jira | 3 years | If an issue has not been updated in the last 3 years, the single issue will be archived, regardless of the activity of the project. This process will be automated, and guardrails can be established (i.e., parent ticket open, subtasks open, etc). This does not delete the data. | Atlassian Administrators |
| Confluence Page Versions | Confluence | 100 versions | A scheduled job removes this data in small batches, every ten minutes, to minimize the impact on your site. Confluence Administrators can override the retention rules for specific spaces by adding an exemption. | Atlassian Administrators |
| Confluence Attachment Versions | Confluence | 100 versions | A scheduled job removes this data in small batches, every ten minutes, to minimize the impact on your site. Confluence Administrators can override the retention rules for specific spaces by adding an exemption. | Atlassian Administrators |
| Confluence Trash | Confluence | 3 years | A scheduled job removes this data in small batches, every ten minutes, to minimize the impact on your site. Confluence Administrators can override the retention rules for specific spaces by adding an exemption. | Atlassian Administrators |
Product Team Funding
The product team is expected to maintain funding to receive Party Bus support.
90 days after funding expires, Party Bus will disable and archive all GitLab repositories, remove all production and staging-deployed resources, Mattermost, and collaboration tools projects for the team.
- If a product team purchases services that are unused from a previous year, no refunds or credits will be given.
- Once funding has been transferred to or accepted by Party Bus, no refunds will be provided.
- All official quotes have a timeline of 90 days to send funding to P1. After this period has elapsed, a new quote and a 90-day funding window would be required.
- For renewals, you have a 90-day window to submit funding or must do so before the funding expires, whichever comes first.
30 Days Past Funding Expiration
Your Platform One account is 30 days past funding expiration. Unfortunately, project services are reduced.
- Decreased service: No new production deployments; block any new production releases even if CtF is current
- No new production deployments
- No production releases, regardless of CtF status
- Reduced Tier II MDO “Pipeline” ticket (P1MDOHD) support
If you no longer wish to maintain your P1 project(s), please let us know so we can assist you with off-boarding and/or archival. Please email your P1 BAM at AFLCMC.HNCX.BAM@us.af.mil to discuss options or begin the account renewal process.
It is important you act quickly. At 90 days past funding expiration, your project will be closed and archived.
60 Days Past Funding Expiration
Your Platform One account is 60 days past funding expiration. Unfortunately, project services are further reduced:
- No new production deployments
- No production releases, regardless of CtF status
- Off-boarding support only for MDO tickets (P1MDOHD)
If you no longer wish to maintain your P1 project(s), please let us know so we can assist you with off-boarding and/or archival. Please email your P1 Business Account Manager at AFLCMC.HNCX.BAM@us.af.mil to discuss options or begin the account renewal process.
NOTICE
It is URGENT you act quickly. At 90 days past funding expiration, your project will be closed and archived.
90 Days Past Funding Expiration
Your Platform One account is 90 days past funding expiration. Unfortunately, your project(s) are being closed and staged for archival with off-boarding support only for MDO tickets (P1MDOHD).
If you no longer wish to maintain your P1 project(s), please let us know so we can assist you with off-boarding and/or archival. Please email your P1 BAM at AFLCMC.HNCX.BAM@us.af.mil to discuss options or begin the account renewal process.
Party Bus Product Team Hosting
Each Party Bus product team hosting an application in production will have a pipeline run on their application at least once per week.
DISCLAIMER
If these Terms and Conditions cannot be met, Platform One reserves the right to re-enter pricing negotiations to right-size the level of support needed to maintain and deploy this application.
Related Content/References
Submit Requests to the Help Desk and BAM Team
- Access the P1 Help Desk
- Submit a Pipeline Support Request
- Request Jira/Confluence/Mattermost Support
- Request an Application Access Update
- Email the BAM Team