
Accelerating Classified Software Delivery on EKS in AWS GovCloud
THNKBIG and a premier U.S. defense contractor collaborated to revolutionize the delivery of mission-critical software capabilities to multiple Department of Defense (DoD) agencies. This collaboration focused on overcoming the unique challenges of deploying classified systems in highly secure cloud environments while maintaining the agility needed for modern warfare requirements.
The engagement centered on architecting a solution that met stringent DoD Impact Level 5 (IL-5) compliance standards in AWS GovCloud (US-East and US-West), requiring complete isolation from public internet connectivity. Together, we designed and implemented an innovative approach that balanced uncompromising security with the need for rapid feature deployment - ensuring warfighters received cutting-edge capabilities without compromising the integrity of classified systems.
Through this partnership, we established a new paradigm for secure software delivery that transformed the contractor's ability to:
- Maintain absolute security in air-gapped environments
- Accelerate development cycles for classified systems
- Automate compliance processes without sacrificing rigor
- Enable continuous delivery of mission-critical features
Headline metrics: 94% fewer critical CVEs, >50% shorter ATO cycles, 90% faster provisioning.
Solution Implemented
- Air-Gapped Rancher Landing Zone
  - Automated Terraform + Ansible deployment of RKE2 clusters in isolated VPCs.
  - ECR Private for secure, nightly mirroring of approved container images.
  - VPC Endpoints only—zero public internet exposure.
- GitLab-Centric GitOps Pipeline
  - Merge requests triggered immutable Helm releases via Rancher Fleet.
  - SBOM generation (cosign-signed) and storage in Harbor for full provenance.
  - Automated STIG checks embedded in CI/CD, failing non-compliant builds.
- NeuVector Zero-Trust Runtime Security
  - Layer-7 segmentation blocked 97% of unnecessary east-west traffic.
  - Deep packet inspection (DPI) baseline established in 48 hours.
  - Continuous runtime monitoring for container escape attempts (0 successful breaches).
- Automated Compliance & Continuous ATO
  - InSpec, OpenSCAP, and Trivy scans auto-uploaded to eMASS.
  - Auto-generated SSP, SAR, and POA&M docs (349 NIST 800-53 controls mapped).
  - Non-compliant findings fail pipelines, preventing vulnerable deployments.
Outcomes Expected
- 90% Faster Provisioning
  - IL-5 environments spun up in 5 days (vs. 8 weeks manually).
  - 65% reduction in engineer hours (400h → 140h per release).
- Dramatic Security Improvements
  - 94% fewer critical CVEs (200+ → ≤12 per release).
  - 98% STIG compliance rate (up from 60%).
- Accelerated Compliance & ATO
  - ATO cycles cut by >50% (6–8 months → <3 months).
  - Continuous compliance monitoring keeps ATO "evergreen."
- Mission-Readiness & Scalability
  - Zero downtime during blue-green migration of 112 microservices.
  - Weekly secure releases enabled without re-accreditation delays.
  - Future-proofed against evolving threats (NIST 800-207 zero-trust alignment).
Client Overview
Challenge
The client faced four major bottlenecks that hindered their ability to deliver secure, compliant software at the speed required by DoD missions. First, the manual provisioning of IL-5 enclaves took 8 weeks per environment, with STIG hardening consuming 400+ engineer-hours—a significant drag on agility. Second, security gaps were pervasive: only 60% of containers passed DISA STIG scans, and each release introduced 200+ critical CVEs, exposing mission systems to unacceptable risk. Third, siloed workflows forced teams to manually compile ATO documentation across five different tools, delaying accreditation by 6–8 months per release. Finally, the air-gapped environment complicated software supply chains, requiring sneakernet transfers of container images and Helm charts, which introduced provenance risks and blind spots in tamper detection.
These challenges were not just operational inefficiencies—they directly impacted mission readiness. Slow deployments meant warfighters waited months for critical updates, while inconsistent security postures left systems vulnerable to exploitation. The manual compliance processes were unsustainable, creating ATO backlogs that stifled innovation. The lack of automated SBOM tracking and image signing in the air-gapped environment also meant the client could not fully verify the integrity of deployed artifacts, a major concern for IL-5 systems handling classified data.
Solution
The implemented solution automated, hardened, and streamlined the entire software delivery pipeline while maintaining strict IL-5 compliance. The Air-Gapped Rancher Landing Zone used Terraform and Ansible to deploy pre-hardened RKE2 clusters in isolated VPCs, reducing provisioning time from weeks to days. ECR Private ensured secure image replication by mirroring approved containers from a staging enclave, eliminating risky sneakernet transfers. GitLab became the orchestration hub, with pipelines auto-generating signed SBOMs (via cosign) and pushing them to Harbor, ensuring full artifact traceability. Rancher Fleet enabled GitOps-driven Helm deployments, making releases immutable and auditable.
To enforce runtime security, NeuVector was deployed cluster-wide, applying layer-7 segmentation policies that blocked 97% of unnecessary east-west traffic—a major improvement over the previous permissive network model. Automated compliance checks were embedded into every pipeline, with InSpec, OpenSCAP, and Trivy scans feeding directly into eMASS. This allowed the system to auto-generate ATO packages (SSP, SAR, POA&M) and enforce 349 NIST 800-53 controls as code. Non-compliant builds would fail fast, preventing vulnerabilities from reaching production.
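The pipeline shape described in the "GitLab-Centric GitOps Pipeline" list and in the two Solution paragraphs above (build, SBOM, vulnerability gate, cosign signing, GitOps release via Rancher Fleet) can be sketched as a GitLab CI definition. This is an added illustration, not the contractor's or THNKBIG's pipeline. It assumes: a nightly-mirrored tooling image at `$REGISTRY_MIRROR/tools/devsecops` containing `syft`, `trivy`, `cosign`, `git` and `yq` (hypothetical name); a Kaniko executor image mirrored into ECR Private; protected CI variables `COSIGN_KEY`, `COSIGN_PASSWORD`, `FLEET_REPO` and `FLEET_REPO_TOKEN`; and a Fleet bundle at `apps/app/fleet.yaml` whose `helm.values.image.tag` the chart reads. Image and variable names are placeholders; the `cosign`, `trivy`, `syft` and `yq` flags are real.

```yaml
# Added example: GitLab CI gate for an air-gapped build (not the page's own code).
# Assumed: $REGISTRY_MIRROR is the ECR Private mirror, tools are pre-mirrored,
# and no job ever needs outbound internet access.
stages: [build, sbom, scan, sign, release]

variables:
  IMAGE: "$CI_REGISTRY_IMAGE/app:$CI_COMMIT_SHORT_SHA"
  # Air-gapped: Trivy must use the DB mirrored in, never fetch updates.
  TRIVY_SKIP_DB_UPDATE: "true"

build:
  stage: build
  image: $REGISTRY_MIRROR/kaniko-project/executor:debug
  script:
    - /kaniko/executor --context "$CI_PROJECT_DIR" --destination "$IMAGE" --digest-file digest.txt
  artifacts:
    paths: [digest.txt]

sbom:
  stage: sbom
  image: $REGISTRY_MIRROR/tools/devsecops:latest   # hypothetical tooling image
  script:
    - syft "$IMAGE" -o spdx-json > sbom.spdx.json
  artifacts:
    paths: [sbom.spdx.json]

vuln_gate:
  stage: scan
  image: $REGISTRY_MIRROR/tools/devsecops:latest
  script:
    # Non-zero exit on any CRITICAL finding fails the pipeline before signing.
    - trivy sbom --exit-code 1 --severity CRITICAL sbom.spdx.json
    # Full report is kept for the compliance evidence upload regardless of outcome.
    - trivy sbom --format json --output trivy-report.json sbom.spdx.json
  artifacts:
    when: always
    paths: [trivy-report.json]

sign:
  stage: sign
  image: $REGISTRY_MIRROR/tools/devsecops:latest
  script:
    # Sign by digest, not by tag, so the signature cannot be moved to another image.
    - export REF="$CI_REGISTRY_IMAGE/app@$(cat digest.txt)"
    # --tlog-upload=false: no Rekor transparency log is reachable from the enclave.
    - cosign sign --key env://COSIGN_KEY --tlog-upload=false "$REF"
    # Attach the SBOM as a signed SPDX attestation alongside the image.
    - cosign attest --key env://COSIGN_KEY --tlog-upload=false --type spdxjson --predicate sbom.spdx.json "$REF"

release:
  stage: release
  image: $REGISTRY_MIRROR/tools/devsecops:latest
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
  script:
    # GitOps hand-off: pin the immutable tag in the Fleet repo; Rancher Fleet
    # reconciles the Helm release from there, so nothing deploys outside git.
    - git clone "https://oauth2:${FLEET_REPO_TOKEN}@${FLEET_REPO}" fleet
    - cd fleet
    - TAG="$CI_COMMIT_SHORT_SHA" yq -i '.helm.values.image.tag = strenv(TAG)' apps/app/fleet.yaml
    - git config user.email "ci@example.invalid" && git config user.name "gitlab-ci"
    - git commit -am "app: release $CI_COMMIT_SHORT_SHA" && git push
```

The ordering is the security-relevant part: signing happens only after the vulnerability gate passes, so a signature is an assertion that the artifact cleared policy, and the release job touches only the Fleet repository, so the cluster's desired state is always a reviewable commit. A STIG/InSpec job would sit in the `scan` stage with the same fail-the-pipeline semantics.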
Implementation
The rollout followed a phased, risk-mitigated approach, beginning with a 3-week discovery phase to map dependencies and design the Rancher Landing Zone. The 4-week pilot focused on core infrastructure: RKE2 hardening, Traefik/ALB integration, and NeuVector validation. Security testing took 3 weeks, including automated STIG enforcement and red-team container escape tests (which resulted in zero successful breaches). The production migration was remarkably fast—just 5 days per cluster—using a blue-green strategy to move 112 microservices with zero downtime.
The ATO process, traditionally a 6–8 month ordeal, was completed in just 90 days, thanks to automated evidence collection and documentation. Only three POA&M items were identified, all resolved within 30 days. This acceleration was possible because compliance was continuously validated, not manually assembled at the last minute. The phased approach ensured that each component was battle-tested before full deployment, minimizing disruptions to mission operations.
Results & Impact
The improvements were dramatic and measurable. Environment spin-up time dropped by 90% (from 8 weeks to 5 days), enabling rapid scaling for new missions. Critical vulnerabilities plummeted by 94% (from 200+ to ≤12 per release), drastically reducing exploit risks. STIG compliance surged from 60% to 98%, ensuring consistent adherence to DoD security standards. Most importantly, ATO cycles were cut by more than half (from 6–8 months to under 3 months), allowing weekly mission updates without re-accreditation delays.
Beyond metrics, the transformation fundamentally changed how the organization delivered software. Engineers saved 65% of their time per release (400h → 140h), allowing them to focus on innovation rather than compliance paperwork. The automated, zero-trust architecture also future-proofed the system against evolving threats, ensuring long-term compliance with NIST 800-207 (zero-trust guidelines). The shift to continuous ATO meant the platform remained "evergreen," eliminating the traditional "compliance crunch" before audits.
Key Takeaways
This engagement proves that even highly restricted IL-5 environments can achieve DevSecOps agility with the right automation and architecture. Rancher Prime + RKE2 + IaC provides a scalable, repeatable model for air-gapped Kubernetes, while GitLab-driven GitOps ensures every change is tracked, signed, and validated before deployment. NeuVector’s zero-trust enforcement fills a critical gap in container security, going beyond static scans to block runtime threats. Most importantly, compliance automation (InSpec, OpenSCAP, eMASS integration) turns ATO from a yearly burden into a continuous process, keeping systems secure without slowing missions.
The lessons here extend beyond defense contracting—any organization handling sensitive workloads in regulated environments (e.g., healthcare, finance, critical infrastructure) can apply similar principles. Automated SBOMs, immutable deployments, and runtime DPI are becoming industry standards for high-assurance computing. By treating security and compliance as code, teams can move fast without sacrificing rigor, ensuring both mission speed and mission safety. This project sets a new benchmark for secure, air-gapped DevSecOps at scale.