DevSecOps Terms and Conditions
Party Bus operates from 0800 - 1800 Central Time during normal business hours, excluding federal government holidays. Party Bus customers should not expect timely help for staging or production workloads outside of these working hours.
The Party Bus multi-tenant environment only supports the technologies listed on the Service Catalog.
- Party Bus does not guarantee any technology outside of what is currently captured in the "Supported Tools" section.
- Party Bus reserves the right to make architectural or technology changes due to the evolving and ever-changing cybersecurity landscape.
- Customers should know changes are inevitable, but Party Bus will coordinate changes as early as possible through the Mattermost IL2/4/5 notification bots.
- Customers are responsible for reading these notifications.
- If services are deployed that are outside the listed "Supported Tools" section, then these services must be updated continuously to the same standard as those that are supported by Party Bus. Platform One will monitor the application team's updating of these services and will enforce cybersecurity compliance via CtF award/renewal.
Party Bus engineers will coordinate application-specific communications through the defined COT Epic, provided during the onboarding process and managed through the Party Bus journey by the Mission DevOps (MDO) team.
- The expectation is that the customer provide their Government Point of Contact (POC) information. It is the responsibility of the team to have a current Government Sponsor and up-to-date POC in the COT.
- Each customer shall identify a POC with whom Party Bus can engage. Add others on the team as "watchers" and leave a comment in the Customer Onboarding Ticket (COT) so these users can be added to the users' field for notifications.
- Access your epic on this COT Epic board.
- Every member of your team will have IL2 Jira, Confluence, and Mattermost access. This is where the community information resides, including how-to videos, the help desk, and other information resources for self-learning.
Any and all requests for customer/application support will use the [Jira Service Desk](https://jira.il2.dso.mil/servicedesk/customer/portal/1), referencing the application COT Epic, so your team can be validated as funded before support will be provided. This is essential for routing, service, and understanding of support requested.
- Open Pipeline Request tickets.
- Open JIRA/Confluence/Mattermost tickets.
The customer's application team will be deployed to the Party Bus Mission Application Cluster, and have access to current run-time logs.
- Access to Party Bus infrastructure services will be locked down in order to prevent access to other tenants.
- The Customer will have access to create the application manifests only.
- Pipelines and deployment artifacts are generated by Party Bus compliant pipelines.
- Customers do NOT create their own pipelines or deployment artifacts. If custom pipelines are created, they will be deleted immediately and all pipelines will be turned off until a meeting with the MDO team occurs to address the need for customized pipelines.
- Party Bus reserves the right to remove non-compliant deployments without notice.
The Customer application team will be responsible for tracking their customer and developer-licensed seats.
- Developer-licensed seats will be subject to audit as necessary.
- To track licenses, one member of each team is assigned a Team Lead responsibility.
- The Team Lead opens an Application Access Update ticket to grant and remove Atlassian and Gitlab permissions for each user.
- The Customer is responsible for accepting and acting in accordance with the software licenses/end user agreements associated with all products obtained through Party Bus. The agreements can be accessed by submitting a request to the Platform One Party Bus Government Lead.
Please review the MDO Party Bus Service Level Agreement.
Any application hosted in the Party Bus environment will be penetration tested and continually assessed for adherence to cyber security practices.
- This may happen at any time, and as often as necessary.
- Party Bus reserves the right to remove any application deemed "unsafe" without notice.
If your requirements change (e.g., additional pipelines, RDS, additional staging deploy, and/or storage), the customer application team will be subject to another technical fit and potential increase in funding.
- Please open a ticket with the Customer Success Team (CST) to make a request for additional services. To contact CST, navigate to Platform One's website and select Contact Us.
The Patch and Vulnerability Management Policy (i.e., the Platform One Vulnerability & Patch Policy) will be followed.
- Party Bus performs continuous monitoring of its entire environment.
- CVEs will be dealt with swiftly and securely.
- If a critical CVE is found in the Party Bus infrastructure, we reserve the right to mitigate in order to protect our environment regardless of application impact.
- Each Party Bus-hosted production application will automatically run through a pipeline at least once per week or as needed to identify vulnerabilities.
- This may create an ever-changing environment, but it is set in place to keep the Party Bus-hosted multi-tenant applications safe from malicious actors.
Party Bus does not offer infrastructure or support for High Availability workloads (e.g., Elastic Search and/or Redis).
- Party Bus does not provide Backup and Recovery for technologies stated as Unsupported on the Service Catalog.
- Backup and Recovery for Unsupported technologies are the responsibility of the Product Team.
- Party Bus expects the Product Team to provide resource usage and constraints during the technical fit.
Party Bus Retention Policies:
Tool Retention Policies
Policy Name | Resource/Tool | Timeframe | Cold | Responsibility |
---|---|---|---|---|
EBS Volume Snapshot | AWS | 15 Days Hot | 6 months | Party Bus Operations |
Deployment Image | Gitlab | 15 Days Hot | 6 months | Mission DevOps Team (MDO) |
Data Retention | RDS, S3 Buckets, Gitlab Repos | 3 years | | Mission DevOps Team (MDO) |
Log Retention
- Security event logs: 12mo hot + 18mo cold
- Informational logs (those not specified above): 6mo hot + 12mo cold
- PCAP: 72hrs* (at P1 we want at least 14 days)
Cyber Enforcement
Policy Name | Action | Timeframe | Responsibility |
---|---|---|---|
7-Day Pipeline Execution | Automated execution of pipelines every 7 days. | Every 7 days | Mission DevOps (MDO) |
Critical CVEs | Enforce fixing or whitelisting Critical and High CVEs. | Every day | Mission DevOps (MDO) |
CtF Expired Enforcement | Validated Signed CtF and CtF Expiration Date < 1 year. | Every time a production deployment is executed. | Mission DevOps (MDO) |
JIRA/Confluence Retention Policies
Policy Name | Resource/Tool | Timeframe | Description | Responsibility |
---|---|---|---|---|
EBS Volume Snapshot | AWS | 15 Days hot + 6 mo cold | | Party Bus Operations |
Deployment Image | Gitlab | 15 Days hot + 6 mo cold | | Mission DevOps Team (MDO) |
Data Retention | RDS, S3 Buckets, Gitlab Repos | 3 years | | |
Jira Configuration Manager Snapshots | Jira | 30 days | Configuration Manager snapshots are made when a customer requests an export of some kind. Over time, the snapshots page fills up. Unless requested otherwise, it is best to keep that page clean. Snapshots can be recreated. | Atlassian Administrators |
Jira Project Archival | Jira | 6 months of inactivity, Archive Project | If an entire project has not been updated for 6 months, archive it. We plan on automating this as well as creating a Configuration Manager snapshot before it automatically archives. This does not delete the data. | Atlassian Administrators |
Jira Issue Archival | Jira | 3 years | If an issue has not been updated in the last 3 years, the single issue will be archived, regardless of the activity of the project. This process will be automated and guardrails can be established (i.e., parent ticket open, subtasks open, etc.). This does not delete the data. | Atlassian Administrators |
Confluence Page Versions | Confluence | 100 Versions | A scheduled job removes this data in small batches, every ten minutes, to minimize the impact on your site. Confluence Administrators can override the retention rules for specific spaces by adding an exemption. | Atlassian Administrators |
Confluence Attachment Versions | Confluence | 100 Versions | A scheduled job removes this data in small batches, every ten minutes, to minimize the impact on your site. Confluence Administrators can override the retention rules for specific spaces by adding an exemption. | Atlassian Administrators |
Confluence Trash | Confluence | 3 years | A scheduled job removes this data in small batches, every ten minutes, to minimize the impact on your site. Confluence Administrators can override the retention rules for specific spaces by adding an exemption. | Atlassian Administrators |
- Customer Product Team Funding:
  a. The Customer's Product Teams are expected to maintain funding to receive Party Bus support.
  b. Ninety days after funding is expired, Party Bus will disable and archive all Gitlab repos, remove all production and staging deployed resources, Mattermost, and Collaboration tools projects for the team.
  c. If a Product Team purchases services that are unused from a previous year, no refunds or credit will be given.
  d. Once funding has been transferred to or accepted by Party Bus, no refunds will be provided.
  e. All official quotes have a timeline of 90 days to send funding to Platform One. After this period of time has elapsed, a new quote and 90-day funding window would be required.
  f. For renewals, you have a 90-day window to submit funding or must do so before the funding expires, whichever comes first.
30 Days Past Funding Expiration:
Your Platform One account is 30 days past funding expiration. Unfortunately, project services are reduced:
- Decrease Service: No new prod deployments; block any new prod releases even if CtF is current.
- No new production deployments
- No production releases, regardless of CtF status
- Reduced Tier II MDO “Pipeline” ticket (P1MDOHD) support
If you no longer wish to maintain your P1 project(s), please let us know so we can assist you with off-boarding and/or archival. Please email your P1 Business Account Manager at AFLCMC.HNCX.BAM@us.af.mil to discuss options or begin the account renewal process.
It is important you act quickly. At 90 days past funding expiration, your project will be closed and archived.
60 Days Past Funding Expiration:
Your Platform One account is 60 days past funding expiration. Unfortunately, project services are further reduced:
- No new production deployments
- No production releases, regardless of CtF status
- Off-boarding support only for MDO tickets (P1MDOHD)
If you no longer wish to maintain your P1 project(s), please let us know so we can assist you with off-boarding and/or archival. Please email your P1 Business Account Manager at AFLCMC.HNCX.BAM@us.af.mil to discuss options or begin the account renewal process.
NOTICE
It is URGENT you act quickly. At 90 days past funding expiration, your project will be closed and archived.
90 Days Past Funding Expiration:
Your Platform One account is 90 days past funding expiration. Unfortunately, your project(s) are being closed and staged for archival with off-boarding support only for MDO tickets (P1MDOHD).
If you no longer wish to maintain your P1 project(s), please let us know so we can assist you with off-boarding and/or archival. Please email your P1 Business Account Manager at AFLCMC.HNCX.BAM@us.af.mil to discuss options or begin the account renewal process.
- Party Bus Product Team Hosting: a. Each Party Bus customer hosting an application in production will have a pipeline run on their application at least once per week.
DISCLAIMER
If these Terms and Conditions cannot be met, Platform One reserves the right to re-enter pricing negotiations to right-size the level of support needed to maintain and deploy this application.