Your Path to CtF

CtF Process Visual

Below is a graphic that gives a high end view of the process of Onboarding for a CtF.

Note: POCs may differ from the image

Initial Requirements

The following items must be completed before the initial onboarding meeting:

CAT members require reporter level access to your GitLab Pipelines included in the CtF request

• New teams, complete a CtF Request for New Customers
• Ctf Renewals, submit a CtF Request for Existing Customers

Renewals - Click to expand for additional information

Re-CtF requirements

• New releases are created in SD Elements for all pipelines and notes are carried over from the previous CtF cycle.
• A new comment for each countermeasure is required for each CtF cycle. If the same comment applies from the previous CtF cycle, a new comment is still needed. This comment can be as simple as "the previous comment is still applicable."
• You must also verify that all the previous documentation is still accurate and up to date, such as your Plan of Action, System Security Plan, Architecture Diagram and PIA.
• All pipelines must be green and passing.

Product Team Requirements

Complete the following documents and upload to your Doc Repo:

1. CtF Onboarding Questionnaire *(new teams only)
2. CtF Checklist
3. Product Team Member List
4. Plan of Action
5. System Security Plan
6. System architecture diagram
7. List of targeted pipelines and descriptions
   • Include a basic text document with a list of targeted pipeline urls and a brief description of each pipeline with the function it performs - This information is required to issue your CtF letter
8. All apps require a signed PIA (DD 2930) prior to CtF – Privacy Impact Assessment Form 2930

• Store/Process PII?
  • No - Your DD2930 may be signed by your local command
  • Yes - Your DD2930 must be signed by the AF Privacy Office
• DL1.11. PII. Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information...

Initial CAT Requirements

1. Create MatterMost channel for Product and CAT team collaboration
2. Establish GitLab Repo to store above documentation and completed CtF(s).
3. Create SD Elements project for the evaluation of each application pipeline
4. Schedule your CtF onboarding meeting

Onboarding Meeting Expectations

During your initial CtF onboarding meeting, you can expect to cover the following:

• General Housekeeping
• Application Overview
• Required documentation
• CtF timeline
• Architecture - Tech stack
• SD Elements survey - See topics below

Be prepared to go over the following SD Elements survey topics in depth:

1. Application General
   • Components
   • Architecture/Environment
   • Users and Privileges
   • Context and Characteristics
   • Custom Components
2. Platform and Language
   • Language and Framework
   • Web Technologies
   • Database Technologies
   • Java Technologies
   • .NET Technologies
   • C/C++ Technologies
   • Data Formats
3. Features and Functions
   • Interfaces and APIs
   • Authentication
   • Authorization
   • Session Management
   • External Dependencies
   • More Features
4. Protocols
   • Application Layer
5. Compliance Requirements
   • Privacy (PII)
   • US Federal and NIST (Moderate Nist 800-53)
6. You may import library content from CSV, JSON, XLSX or YAML files into SD Elements. The system will automatically update the library based on the contents of your imported files. You can import library content for:
   • Countermeasures (including match conditions)
   • Weaknesses (including match conditions)
   • Amendments (including match conditions)
   • How-Tos (including match conditions)
   • Glossary Terms