$ stagg-solutions ~ $ cd capabilities/cybersecurity
FRAMEWORK: NIST 800-53 Rev 5 · CMMC L2
SCAP: OpenSCAP · automated
SUPPLY CHAIN: SLSA L3 · cosign

for-government / 02 / cybersecurity

Security engineered, not paperworked.

Continuous-ATO posture. Policy as code. Runtime visibility with eBPF. Evidence pipelines that author POA&Ms from machine output, not screenshots. Post-quantum migration path mapped.

STIG: 124 / 124 automated
VULN SLA: ≤ 15 min · critical CVE
EVIDENCE: OSCAL · machine-readable
SBOM: CycloneDX + SPDX · signed
ZERO TRUST: SPIFFE · mTLS

$ cat ato-loop.txt

Continuous ATO loop.

// not a one-time gate
STAGE 01 · Author: Controls authored as OSCAL components. SSPs generated from the same source as the IaC. [OSCAL · trestle · OPA]
STAGE 02 · Implement: Ansible roles, Terraform modules, and container baselines that map 1:1 to controls. [Ansible · Terraform · Packer]
STAGE 03 · Assess: SCAP scans, OPA policy checks, and IaC scanners produce assessment results. [OpenSCAP · OPA · Checkov]
STAGE 04 · Authorize: Evidence pipeline assembles SSP + SAR + POA&M from machine output. [trestle · eMASS · Xacta]
STAGE 05 · Monitor: Runtime telemetry feeds back. Drift becomes a POA&M automatically. [Falco · Tetragon · Splunk]

$ ls capabilities/cybersecurity/

What we operate.

// six capabilities
01

Compliance as code

OSCAL

Control implementations live in compliance-trestle. SSPs are generated from the same source as the Terraform — no parallel documentation universe.

  • OSCAL component definitions per system · diff-able in git
  • Inheritance from CSP / shared-service profiles (FedRAMP, CMS, DoD)
  • Assessment results land back as OSCAL · SAR auto-built
  • POA&Ms generated from failed controls · not authored by hand
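The "POA&Ms generated from failed controls" step above, and STAGE 04 of the ATO loop, as an added Python example that is not the page's own pipeline nor compliance-trestle code: it reads a simplified OSCAL assessment-results document (the layout is reduced to the fields used here) and emits one POA&M item per not-satisfied finding; the 30-day completion window is an assumed default.

```python
"""Author OSCAL POA&M items from machine-produced assessment results.
Added example, not compliance-trestle or stagg-solutions code. It assumes a
simplified assessment-results layout where each finding's target.status.state
is "satisfied" or "not-satisfied"; the 30-day due window is an assumed default."""
import json
import uuid
from datetime import date, timedelta

# Constructed sample: one nightly OpenSCAP run, one passed and one failed control.
SAMPLE_RESULTS = json.dumps({"assessment-results": {"results": [{
    "title": "openscap nightly",
    "findings": [
        {"uuid": "f-1", "title": "AC-2 account review",
         "target": {"type": "objective-id", "target-id": "ac-2_smt",
                    "status": {"state": "satisfied"}}},
        {"uuid": "f-2", "title": "SI-2 patch window exceeded",
         "description": "3 hosts past the 30-day medium SLA",
         "target": {"type": "objective-id", "target-id": "si-2_smt",
                    "status": {"state": "not-satisfied"}}},
    ]}]}})

def failed_findings(results_json: str) -> list[dict]:
    """Every finding whose target state is anything other than satisfied."""
    doc = json.loads(results_json)["assessment-results"]
    return [f for r in doc["results"] for f in r.get("findings", [])
            if f["target"]["status"]["state"] != "satisfied"]

def build_poam(results_json: str, opened: str, days: int = 30) -> dict:
    """Emit a minimal POA&M: one item per failed finding, linked back to it."""
    due = (date.fromisoformat(opened) + timedelta(days=days)).isoformat()
    items = []
    for f in failed_findings(results_json):
        control = f["target"]["target-id"].split("_")[0]  # "si-2_smt" -> "si-2"
        items.append({
            # uuid5 keyed on the finding uuid: a re-run yields the same item id,
            # so the POA&M diffs cleanly in git instead of churning every night
            "uuid": str(uuid.uuid5(uuid.NAMESPACE_URL, f["uuid"])),
            "title": f"Remediate {control.upper()}: {f['title']}",
            "description": f.get("description", ""),
            "related-findings": [{"finding-uuid": f["uuid"]}],
            "props": [{"name": "scheduled-completion-date", "value": due}],
        })
    return {"plan-of-action-and-milestones": {"poam-items": items}}
```

Because the item uuid is derived from the finding uuid, a nightly re-run reproduces the same POA&M item rather than opening a duplicate, which is what makes the generated file diff-able in git.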
02

STIG & SCAP automation

openscap

Ansible roles built from the DISA Ansible content, extended where the baselines have gaps. SCAP scans run on every deploy and on a 24-hour cron.

  • RHEL 8 / 9 / Ubuntu 22.04 / Windows Server 2022 baselines
  • Container CIS Benchmarks via kube-bench + trivy config
  • Deviation log lives in git · documented + signed off
  • Scan results stored as OSCAL assessment-results — not screenshots
124/124 controls
≤ 5 m scan time
24 h cadence
03

Zero-trust identity

SPIFFE/SPIRE

Service identity via SPIFFE SVIDs. mTLS by default. No static service-account tokens shipped to pods. PIV / CAC at the human edge.

  • SPIRE server per cluster · workload attestation by node + selector
  • Istio Ambient mesh on the workload plane · ztunnel mTLS
  • Keycloak (RHBK) + step-up auth · WebAuthn for staff
  • OAuth client credentials short-lived · OIDC for CI
04

Runtime security

eBPF

eBPF-based runtime visibility — no sidecar tax. Falco for policy alerts, Tetragon for kernel-level enforcement. Detections route to SIEM with deduped, scored events.

  • Falco rules tracked in git · CI tested against synthetic events
  • Tetragon for in-kernel block (drop syscall, kill process)
  • Hubble for L3/L4/L7 flow telemetry · no app instrumentation
  • Alerts deduped + scored before they wake oncall
05

Supply chain integrity

SLSA L3

Every artifact is signed. Every signature is verified. SBOMs travel with the image. Provenance attestations link the binary back to the commit and the runner.

  • Cosign keyless signing via OIDC · Sigstore Fulcio + Rekor
  • CycloneDX + SPDX SBOMs · attached as cosign attestations
  • Kyverno / Connaisseur admission policies — reject unsigned
  • Renovate auto-bumps base images · auto-merges CVE patches
06

Vulnerability mgmt

closed-loop

CVEs flow from scanners into a single queue with deduplication, severity normalization, and SLA tracking. Auto-remediation playbooks fire for the noisy ones.

  • Trivy + Grype + Tenable feeding DefectDojo
  • SLA: critical ≤ 15 min · high ≤ 24 h · medium ≤ 30 d
  • Ansible auto-remediation triggered by Falco alert categories
  • Exception process is git-tracked · expires on a date, not "TBD"
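The single-queue flow above (multi-scanner input, deduplication, severity normalization, SLA tracking), as an added Python example that is not DefectDojo, Trivy or Grype code: the flattened finding dicts and their field names are constructed for the example, and the SLA windows are the ones quoted in the list.

```python
"""One CVE queue: normalize scanner severities, dedupe, track the SLA clock.
Added example, not DefectDojo, Trivy or Grype code; the flattened finding
fields below are constructed for this example, not the real scanner schemas."""
from datetime import datetime, timedelta

# SLA windows from the page: critical 15 min, high 24 h, medium 30 d; low has no clock.
SLA = {"critical": timedelta(minutes=15), "high": timedelta(hours=24),
       "medium": timedelta(days=30), "low": None}
RANK = ["low", "medium", "high", "critical"]
# Each scanner has its own severity vocabulary; map all of them onto one scale.
SEVERITY_MAP = {
    "trivy": {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "medium", "LOW": "low"},
    "grype": {"Critical": "critical", "High": "high", "Medium": "medium", "Low": "low"},
    "tenable": {"4": "critical", "3": "high", "2": "medium", "1": "low"},
}

# Constructed findings: one CVE seen by two scanners that disagree on severity.
SAMPLE = [
    {"scanner": "trivy", "cve": "CVE-2024-0001", "pkg": "openssl", "host": "web-01",
     "severity": "HIGH", "seen": "2024-05-01T10:05:00"},
    {"scanner": "grype", "cve": "CVE-2024-0001", "pkg": "openssl", "host": "web-01",
     "severity": "Critical", "seen": "2024-05-01T10:00:00"},
    {"scanner": "tenable", "cve": "CVE-2024-0002", "pkg": "kernel", "host": "db-01",
     "severity": "2", "seen": "2024-04-15T00:00:00"},
]

def normalize(f: dict) -> dict:
    """Map the scanner's label onto the shared scale; unknown labels default to low."""
    sev = SEVERITY_MAP[f["scanner"]].get(f["severity"], "low")
    return {**f, "severity": sev, "seen": datetime.fromisoformat(f["seen"])}

def build_queue(findings: list[dict]) -> dict:
    """Dedupe on (cve, pkg, host); keep the worst severity and earliest sighting."""
    queue: dict = {}
    for f in map(normalize, findings):
        key = (f["cve"], f["pkg"], f["host"])
        cur = queue.setdefault(key, {**f, "sources": set()})
        cur["sources"].add(f["scanner"])
        if RANK.index(f["severity"]) > RANK.index(cur["severity"]):
            cur["severity"] = f["severity"]        # escalate, never downgrade
        cur["seen"] = min(cur["seen"], f["seen"])  # SLA clock starts at first sighting
    return queue

def overdue(queue: dict, now: str) -> list[str]:
    """CVE ids whose deadline (first sighting + SLA window) has already passed."""
    t = datetime.fromisoformat(now)
    return sorted(i["cve"] for i in queue.values()
                  if SLA[i["severity"]] and i["seen"] + SLA[i["severity"]] < t)
```

Note that the SLA clock starts at the earliest sighting across all scanners, so a later scanner re-reporting the same CVE cannot reset the deadline.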

$ cat policy/no-unsigned-images.rego

Policy lives in version control.

// OPA Gatekeeper · admission webhook
// rejects any pod referencing an image without a verified cosign signature
package stagg.admission.signed_images

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# list of trusted Fulcio identities — the only signers we accept
trusted_subjects := {
    "https://gitlab.stagg-solutions.com/groups/cleared/-/runners/12",
    "https://gitlab.stagg-solutions.com/groups/cleared/-/runners/13",
}

# every container spec in the pod, including init and ephemeral containers,
# so an unsigned init image cannot slip past the check
pod_containers contains c if {
    some field in ["containers", "initContainers", "ephemeralContainers"]
    some c in object.get(input.review.object.spec, field, [])
}

deny contains msg if {
    input.review.kind.kind == "Pod"
    some container in pod_containers
    # cosign.verify is a custom built-in registered by the webhook runtime;
    # it is not a stock OPA / Gatekeeper built-in
    not cosign.verify({
        "image": container.image,
        "issuer": "https://gitlab.stagg-solutions.com",
        "subject": trusted_subjects,
    })
    msg := sprintf("image %v rejected: signature not verified", [container.image])
}

$ cat stack.json

The stack we operate.

// no security-theater tooling
// legend: most popular · industry standard | available · production-ready | coming · trial / assess

Frameworks (6) · primary first
  • NIST 800-53 Rev 5
  • CMMC L2
  • NIST 800-171
  • FedRAMP Moderate
  • CJIS
  • HIPAA

Compliance authoring (5) · OSCAL-first
  • OSCAL
  • eMASS
  • compliance-trestle
  • Xacta
  • Telos Xacta 360

Hardening (5)
  • OpenSCAP
  • DISA STIG · Ansible
  • CIS Benchmarks
  • kube-bench
  • Lynis

Runtime security (5) · eBPF-led
  • Falco
  • Tetragon
  • Hubble
  • Cilium
  • Wazuh

Identity (5) · zero-trust
  • Keycloak (RHBK)
  • PIV · CAC
  • Authentik
  • SPIFFE / SPIRE
  • PingFederate

Supply chain (5) · SLSA L3
  • Cosign · Sigstore
  • CycloneDX / SPDX
  • in-toto attestations
  • Kyverno
  • Connaisseur

Vuln & SAST (5)
  • Trivy · Grype
  • Tenable
  • Semgrep
  • CodeQL
  • DefectDojo

Cryptography (3 + 2 PQ-ready)
  • FIPS 140-3 modules
  • AWS KMS · HSM
  • Vault Enterprise
  • CRYSTALS-Kyber
  • Dilithium

$ radar --quarter Q2

What's on the tech radar.

// where security is going

Adopt

in production
  • eBPF runtime security: Falco + Tetragon · no sidecars
  • Cosign keyless signing: OIDC-bound · Rekor transparency log
  • OPA admission: Policy reviewed in git, not in a UI
  • OSCAL evidence: Machine-readable ATO artifacts

Trial

piloting
  • SPIFFE/SPIRE: Workload identity beyond k8s
  • SLSA L3 provenance: End-to-end attestation chain
  • Hybrid PQ key wrap: X25519 + Kyber for TLS
  • Confidential containers: CC-mode pods on EKS

Assess

watching
  • CMMC L3 readiness: For programs above the L2 line
  • AI red-teaming: Garak + manual prompt attacks
  • Memory-safe rewrites: Rust where the CVE history justifies it
  • FIPS 140-3 PQ modules: As NIST candidates finalize

$ stagg --scope cybersecurity

Cleared work. Real engineering.

Free consultation. We map the boundary, the controls in scope, and what evidence you already have. Quote follows within 24 hours.

// direct comms

response: within 24 hours
format: free consultation