Nexus Lifecycle and Nexus Repository Now Meet Rigid Security and Compliance Standards Set by the United States Department of Defense
Fulton, MD – Thursday, Oct. 8, 2020 – Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today announced that Nexus Lifecycle and Nexus Repository have been accepted into the Department of Defense’s (DoD) Platform One approved application portal. A hardened version of the Nexus Platform has been released that meets DoD security specifications, one of the most demanding certification regimes.
Third-party and open source software components are the backbone of federal software supply chains. In fact, nearly 90% of a modern application is composed of third-party software components. Because they are free and readily available, they let agencies save time and money and, in many cases, improve software quality. But not all open source is created equal: depending on the development language, 10–40% of third-party components are known to be vulnerable.
Platform One, a project of the U.S. Air Force and the DoD, is working to streamline Authorization to Operate (ATO) processes by providing solutions that are pre-certified and containerized. The hardened versions of Nexus Lifecycle and Nexus Repository have achieved accreditation with a Certificate to Field (CtF) from the U.S. Air Force Platform One team. This accreditation enables DoD and other federal agencies to immediately deploy Sonatype’s Nexus Platform to automatically manage third-party risk with precise intelligence across their entire software development lifecycle (SDLC).
“Being a part of Platform One means we’re readily accessible to the Department of Defense to support their mission assurance needs,” said Jason Green, vice president, federal sector at Sonatype. “Developers, operations, and security teams now have access to software supply chain intelligence enabling them to resolve application security issues faster, while staying two steps ahead of their adversaries.”
“We are very excited to have the Nexus Platform from Sonatype as part of Iron Bank and Platform One,” said Nicolas Chaillan, Air Force chief software officer and co-lead for the DoD Enterprise DevSecOps Initiative. “Being able to reduce risk and provide precise insight will accelerate our DevSecOps (development, security, and operations) teams across the Air Force and Department of Defense.”
Sonatype already has a strong track record working with federal government entities, and currently protects more than 150 DoD, civilian and intelligence agencies. Agencies that have deployed the Nexus Platform see third-party governance automatically enforced and risk controlled across every phase of the SDLC. Fueled by Nexus Intelligence, which includes in-depth security, license, and quality information on more than 100 million open source components across dozens of ecosystems, the Nexus Platform precisely identifies open source risk and provides expert remediation guidance, empowering developers to innovate faster. Only Nexus secures the perimeter and every phase of the SDLC, including production, by continuously monitoring for new risk based on an agency’s own open source policies.
Additional Resources
- Learn more about how Sonatype works with the federal government
- Understand why there is an imminent need to secure the federal software supply chain
- Read more about DevSecOps in the government on the Sonatype blog
About Sonatype
Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,200 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit Sonatype.com, or connect with us on Facebook, Twitter, or LinkedIn.