Certificate to Field Process Technical Execution Guide

Overview

This document provides detailed, step-by-step technical guidance for completing and validating all requirements necessary to obtain or renew a CtF. Product teams, DevSecOps engineers, and platform personnel responsible for implementing pipeline controls, completing security scans, and validating SDE tasks should review and follow this guide.

This guide assumes familiarity with GitLab, CI/CD pipelines, SonarQube, SDE, and P1 security tooling. It should be used in conjunction with the Path to CtF Overview to execute the required activities.

Step 1: Pre-CtF Technical Readiness

Source Code Repository Requirements

Add your code to the GitLab repository for the project.

Required access and permissions: CAT members require reporter-level access to your GitLab pipelines included in the CtF request.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• Application source code is committed to the designated GitLab repository
• Repository name follows the approved naming convention
• Default branch is protected
• CI/CD pipeline is enabled and associated with the repository
• Product team has owner/maintainer access to the repository
• CAT has at least reporter access to pipelines
• Pipeline logs and artifacts are accessible

Required Technical Documentation

Complete the following preparation documents, then store them in the Path to CtF folder of your project.

Plan of Action

Plan of Action

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• POA exists in the project repository
• POA reflects current system state

System Security Plan and Privacy Impact Assessment

You must complete both forms.

1. System Security Plan
2. Privacy Impact Assessment Form 2930

Store/Process PII?

DoD 5400.11 R (DL1.14) defines PII as information that identifies or describes an individual, such as SSN, age, rank, contact info, and other personal or demographic details.

• No - Your DD Form 2930 may be signed by your local command.
• Yes - Your DD Form 2930 must be signed by the AF Privacy Office.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• SSP is completed and stored in the repository
• PIA/DD Form 2930 is completed and signed
• PII handling is clearly documented

Architecture Diagram

You can view an example of a project architecture diagram here.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• Diagram focuses on the component under evaluation
• All integrations are shown
• Data flows are clearly indicated
• Ports and protocols are documented
• User roles are defined and described

Documentation Consistency Requirements

• All applications must be integrated with P1 Keycloak and reflected in the architecture diagram to receive a CtF.

• The architecture diagram must focus on the component being validated (you may grey out the other components). A good architecture diagram should:

  • Provide a clear overview of the system,
  • Make clear what components are being used, how they connect, and how data flows between them, and
  • All ports and protocols should be indicated for all communications/interfaces. User roles should be indicated and described.

• Documentation for components/microservices should reflect information consistently across their respective POA, SSP, and architectural diagrams. In addition, that information should be consistent with the findings in the SDE surveys. If things change during development, the SDE survey should be updated accordingly.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• POA, SSP, PIA, architecture diagram, and SDE surveys are consistent
• Any system changes are reflected across all documents
• SDE survey has been updated to reflect current implementation

Security Onboarding Meeting Prerequisite

Attend the Security Onboarding meeting.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• Security onboarding meeting has been attended
• Required onboarding actions have been completed or tracked
• No outstanding onboarding blockers exist

Step 2: CI/CD Pipeline Verification

Locating Project Pipelines in GitLab

1. In the GitLab pipeline, search for and select the application under Projects. It will be listed as [Business Unit Name]/[Project Name].

2. Select CI/CD > Pipelines on the left sidebar.

3. Verify the most current results of the pipeline are all green and have “passed."

   • If trufflehog has a yellow !, verify that no secrets or passwords are being committed. To do this, click the trufflehog button in the pipeline, then click Downloads under Job Artifacts. Once the download is complete, open the artifact in an editor such as Notepad++ and verify that no passwords/secrets are present.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• Application appears under the correct GitLab project
• CI/CD → Pipelines view is accessible
• Target pipeline(s) are clearly identifiable
• Most recent pipeline run completed successfully
• All required jobs show a “passed” status
• No required jobs are skipped or manually bypassed
• trufflehog job is present in the pipeline
• No secrets or credentials are detected
• Any warnings have been investigated
• Artifact review confirms no sensitive data exposure

How to Handle Pipeline Warnings and Exceptions

Remediate all issues when possible.

Review the Whitelist Support Levels, Responsibilities, and SLAs document for more information on requesting exceptions.

Step 3: Automated Testing Requirements

E2E Testing Verification

Review the P1 E2E testing requirements at E2E Testing and implement them.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• E2E tests are implemented
• E2E tests execute as part of the pipeline
• Test results are accessible and repeatable
• Evidence of execution is available (logs, reports, screenshots)

SonarQube Scan and Code Coverage

1. Search for the project name and select it.

2. Scroll down to Coverage and ensure the coverage is above 80%.

3. Select Issues at the top of the page.

4. Ensure that there are no Blocker, High, or Medium issues on the left panel under Severity.

5. Select False Positive on the left panel under Status.

6. Verify with the product or MDO team that the False Positive is legitimate.

7. Any false positives, won’t fix, suppressed, or hidden issues must have comments or an explanation from the product team and verification from the MDO team.

8. Select Security Hotspots at the top of the page.

9. Verify that there are no hotspots to review or acknowledge. All issues should be fixed or marked safe (with justification comments).

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• SonarQube project exists and is searchable
• Code coverage is ≥ 80%
• No Blocker, High, or Medium severity issues exist
• All false positives are correctly marked
• Each false positive has verification from the product or MDO team
• Any won’t fix, suppressed, or hidden issues include comments/explanations and are verified by MDO
• No unreviewed security hotspots exist
• All security hotspots are fixed or marked safe with justification comments

Dependency Check Scans (in SonarQube)

1. Search the project name with “Dependencies” added to the application name and select it.

2. Select “Issues” at the top of the page.

3. Ensure that there are no Blocker, Critical, or Major issues on the left side panel under Severity.

4. Select False Positive on the left side panel under Resolution.

5. Verify with the product or MDO team that the “False Positive” is legitimate.

6. Provide comments on all “Fixed” items to indicate how they were fixed.

7. Any false positives, won’t fix, suppressed, or hidden issues must have comments or an explanation from the product team and verification by the MDO team.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• Dependency scan project exists in SonarQube
• No Blocker, Critical, or Major issues exist
• All false positives are correctly marked
• Each false positive has verification from the product or MDO team
• All fixed items include comments explaining how they were remediated
• Any won’t fix, suppressed, or hidden issues have comments/explanations and are verified by the MDO team

Step 4: SD Elements Task Completion

Complete and comment on all SDE tasks (Show only NIST tasks should be checked).

• Cybersecurity has identified the SDE tasks that the pipeline or platform handles. If a task has a “platform” or “pipeline” tag that cannot be removed, the product team does not have to provide an answer.

• “Complete” means the product team has reviewed the task and the component is compliant with requirements. Comments for tasks should include how the requirement is met or implemented. Associated tests in the “testing” tab verify that the component is compliant. The testing task comments should specifically document how the app team tested the component, including the steps taken.

• SDE ingests SonarQube and OWASP dependency check files to automate certain SDE tasks. If the validation causes a failure (as indicated by a red flag on the far right of the task), click on the flag to see what caused the failure. These failures map directly to NIST 800-53 requirements and therefore must be remediated regardless of severity.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• All applicable SDE tasks are reviewed
• “Show only NIST tasks” has been applied
• Tasks marked “Complete” include implementation details
• Platform- or pipeline-tagged tasks are identified
• No manual answers are provided where not required
• Official answers are referenced where applicable
• No red validation flags remain
• All failures have been investigated
• All NIST 800-53 mapped issues are remediated
• Testing tabs are completed
• Testing comments describe how compliance was verified
• Evidence supports task completion claims

Step 5: Request a CtF Review

If all the above are complete, notify the Cybersecurity team via your Product Team Path to CtF Mattermost Channel that was created for your team that the application is ready for Cybersecurity CtF Review.

1. Provide the Cybersecurity team tester with login, passwords, and URLs for the front-end, as well as any API parameters used for back-end testing. The Cybersecurity team tester will validate some of the testing answers provided by the product team using non-malicious tests.

2. Address any tasks returned by Cybersecurity with the “re-visit” tag.

3. Provide a risk mitigation strategy or burn-down plan for any POA&M vulnerabilities or SDE tasks.

4. Finalize CtF review with project-assigned assessor.

5. Work with the Cybersecurity team to schedule a CtF meeting with the CISO.

Am I ready to request a CtF?

PASS if all are true, FAIL if any are false:

• All prior sections are PASS
• Documentation repository is complete
• No known unresolved findings exist
• Login credentials are provided securely
• URLs for front-end and back-end are provided
• API parameters and test data are available

After Receiving a Signed CtF

Create a Party Bus help desk ticket to update your pipeline configuration.

• If this is your first CtF, or the first CtF for an Auxiliary Deploy, please submit a Production Deploy ticket .

• If this is a CtF renewal or extension, please submit a CtF Renewal Pipeline Update ticket .

• If you have questions about this message, or find the links inoperable, please submit a General Support ticket to receive assistance from the MDO team.

• If you are unable to reach any of the provided links, other options are:

  • Ask for help in your COT ticket or CtF channel with the CAT.
  • Reach out to us on the Party Bus Value Stream Support Channel .

Related Content/References

Submit Requests to the Help Desk and Contact Us

• Submit a General Support ticket
• Submit a CtF Renewal Pipeline Update ticket
• Submit a Production Deploy ticket
• Ask for help in the Party Bus Value Stream Support Channel

Review Supporting Documentation

• Review the NIST 800-53 requirements

Access Required Forms

• Privacy Impact Assessment Form 2930
• System Security Plan: View PDF | Download