CLIENT STORY

A unified combatant command within the Department of War (DoW) provides global air, land, and sea mobility to move troops, equipment, and supplies for military operations worldwide. It ensures the Joint Force can meet the nation’s security objectives.

With over 50 programs of record and thousands of systems supporting tens of thousands of users worldwide, the command must ensure that systems are secure and can respond to crises, deter adversaries, and support national objectives at any time, anywhere. Two key objectives are to sustain high-level cloud security and software Supply Chain Risk Management (SCRM) programs.

PROBLEM

The command needed to:

1. Develop customized security checklists for a prioritized list of Amazon Web Services (AWS) cloud service offerings that align with security technical implementation guides (STIGs),
2. Leverage Infrastructure as Code (IaC) for the automated deployment and secure configuration of critical cloud resources, and
3. Create a containerized software evaluation tool to quickly and effectively assess supply chain risk for new and existing software vendors and products.

However, the combatant command had historically faced institutional challenges when seeking to mature the security of two critical ecosystems: its Unclassified GovCloud (UGC) and its unique Continuous Integration/Continuous Deployment (CI/CD) pipeline. One obstacle is the lack of a unified approach for creating and enforcing configuration guidance within its cloud enterprise and CI/CD pipeline. This deficit led to inconsistent security postures and slower, riskier software development lifecycles. In fact, the absence of a unified approach created complexities, often requiring an entire week to produce one product. Moreover, the lack of a standardized process for assessing supply chain risk created inconsistencies and potential security issues.

SOLUTION

The command recognized that Electrosoft’s DevSecOps team was a flexible partner capable of overcoming institutional challenges and forging new solutions and innovations. The Electrosoft team proactively engaged with stakeholders to address the identified gaps, architecting a plan to standardize secure configurations of the command’s most critical cloud services while also defining the Department of War 8140 work roles required to execute and maintain this ongoing initiative into the future.

The Electrosoft DevSecOps team also engineered a multi-pronged solution to address the other identified weaknesses.

• First, to solve the lack of unified configuration guidance, the team authored comprehensive Security Configuration Guides for 19 critical AWS services.
• These STIG-aligned guides served as the blueprint for the second initiative: leveraging IaC to create an automated compliance framework. This framework codified 467 distinct command-line interface (CLI) commands across 372 security rules, establishing a standardized, enforceable baseline for its two environments (UGC and CI/CD pipeline).
• Last, the team developed a detailed SCRM analysis tool and used it to assess multiple software products, including the 7-Zip utility.

When evaluating 7-Zip, Electrosoft’s DevSecOps team identified a significant supply chain risk: the tool relied on a sole developer, creating a potential vector for compromise by a nation-state actor. The team’s finding was not theoretical; it was contextualized within the Common Vulnerabilities and Exposures list (CVE-2025-04110) documenting an exploitation by Russian state-sponsored actors that bypassed the Mark-of-the-Web (MoTW) security feature.

By framing the 7-Zip issue as an inherent risk in its development model — one validated by real-world threats and later by a National Institute of Standards and Technology advisory (CVE-2025-11001) — the Electrosoft DevSecOps team provided the needed justification to implement mitigating controls to safeguard the environment against both active and future threats.

RESULTS/BENEFITS

The Electrosoft DevSecOps team delivered transformative results through the implementation of the frameworks delineated herein. They not only promoted efficiency and cost savings but also achieved proactive risk reduction.

The compliance automation initiative, for example, achieved over $10,000 in annual cost savings by reducing the quarterly check effort from 26 person-hours to just 12 minutes — a 99.2% reduction. In parallel, the SCRM evaluation tool produced equally significant value by slashing software risk evaluation time from one week to a single hour. The effectiveness of this new capability was immediately demonstrated when its analysis disclosed the 7-Zip utility vulnerability. This actionable intelligence enabled the Electrosoft DevSecOps team to implement mitigating controls and verifiably reduce the command’s enterprise attack surface, an action of incalculable value.