
Protect the Organization (PO)

Protect the Organization (PO) Post Deployment CI/CD Steps


Organizations should ensure that their people, processes, and technology are prepared to perform secure software development at the organization level. Many organizations will find some PO practices to also be applicable to subsets of their software development, like individual development groups or projects.


PO.1 Define Security Requirements for Software Development: Ensure that security requirements for software development are known at all times so that they can be taken into account throughout the SDLC and duplication of effort can be minimized because the requirements information can be collected once and shared. This includes requirements from internal sources (e.g., the organization’s policies, business objectives, and risk management strategy) and external sources (e.g., applicable laws and regulations).


To satisfy SSDF PO.1 in a post-deployment context using open-source tools, the focus shifts from just defining to:

  • Maintaining and enforcing PO tasks in live systems.

  • Making task requirements visible and traceable across deployed environments.

  • Auditing and updating methods and procedures as internal and external policies change.


Tasks

PO.1.1: Identify and document all security requirements for the organization’s software development infrastructures and processes, and maintain the requirements over time.

PO.1.2: Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.

Tools

Open Policy Agent: Supports defining security policies as code and enforcing them in pipelines, CI/CD, and at runtime. Enforces runtime policies via integrations with Kubernetes, Terraform, and CI/CD platforms.

Inspec: Periodically audits deployed environments against internal and external security standards.

Ortelius Evidence Store: Associates and versions security requirement metadata per service and deployment, enabling continuous visibility.

DefectDojo: Maps security findings back to specific policy controls or regulatory frameworks.

PO.2 Implement Roles and Responsibilities: Ensure that everyone inside and outside of the organization involved in the SDLC is prepared to perform their SDLC-related roles and responsibilities throughout the SDLC.


To satisfy SSDF PO.2 in a post-deployment context using open-source tools, the focus shifts to:

  • Defining and assigning roles for who is responsible for remediation and runtime configurations.

  • Maintaining evidence of what was deployed, who deployed it, and impact across all software assets.

  • Restricting post-deployment actions so that security and patch management are carried out only by the roles assigned to them.


Tasks

PO.2.1: Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.

PO.2.2: Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.

PO.2.3: Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities.

Tools

Git: Tracks authorship and code reviewers, tags releases, and documents who triggered them.

Ortelius Evidence Store: Associates deployed services with responsible individuals or teams, with a historical record of changes, deployments, and roles.

Backstage: Lists service owners, on-call teams, and escalation paths, making post-deployment responsibility transparent across the organization.

DefectDojo: Tracks security findings and assigns resolution responsibilities.

Kubernetes RBAC / OPA Gatekeeper: Enforces access policies and role boundaries in runtime environments.

ArgoCD: Ensures only authorized commits/deployments affect production and logs every promotion and rollback.

Falco: Detects unauthorized activity at runtime.

Prometheus + Alertmanager: Routes alerts based on ownership and roles.

PO.3 Implement Supporting Toolchains: Use automation to reduce human effort and improve the accuracy, reproducibility, usability, and comprehensiveness of security practices throughout the SDLC, as well as provide a way to document and demonstrate the use of these practices. Toolchains and tools may be used at different levels of the organization, such as organization-wide or project-specific, and may address a particular part of the SDLC, like a build pipeline.


To satisfy SSDF PO.3 in a post-deployment context using open-source tools, the focus shifts to:

  • Ensuring toolchains that support vulnerability detection, SBOM tracking, compliance, and policy enforcement continue to function after release.

  • Keeping automation tooling secure, updated, and integrated with the live environment.

  • Maintaining evidence that the toolchain’s outputs (e.g., SBOMs, scan reports) remain trustworthy and current.


Tasks

PO.3.1: Specify which tools or tool types must or should be included in each toolchain to mitigate identified risks, as well as how the toolchain components are to be integrated with each other.

PO.3.2: Follow recommended security practices to deploy, operate, and maintain tools and toolchains.

PO.3.3: Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.

Tools

OWASP Dependency Track: Continuously monitors SBOMs for newly disclosed CVEs in deployed software.

Ortelius Evidence Store: Maintains a historical record of deployed software, components, and their SBOMs; links them to owners for accountability.

Syft: Generates SBOMs from deployed container images or filesystems on demand.

Trivy: Post-deployment container, filesystem, and package vulnerability scanning; also generates SBOMs.

Clair: Continuous scanning of container registries for vulnerabilities.

Grype: Fast vulnerability scanner for container images and filesystems.

In-Toto: Validates that deployed artifacts match the cryptographic attestations from the build process.

Sigstore cosign: Verifies signatures of deployed artifacts; ensures they match approved builds.

Sigstore Rekor: Provides a public, immutable log for signatures and provenance data.

Open Policy Agent: Enforces security and compliance policies on deployed systems (e.g., Kubernetes clusters).

Inspec: Audits deployed infrastructure and applications against security baselines and compliance requirements.

The Hive: Incident response platform for post-deployment security events.

DefectDojo: Tracks vulnerabilities and assigns remediation tasks; integrates with scanners for continuous updates.

PO.4 Define and Use Criteria for Software Security Checks: Help ensure that the software resulting from the SDLC meets the organization’s expectations by defining and using criteria for checking the software’s security during development.


To satisfy SSDF PO.4 in a post-deployment context using open-source tools, the focus shifts to:

  • Ensuring that security data continues to be collected after release.

  • Preserving logs, SBOMs, and scan results in a tamper-resistant form.

  • Safeguarding that data against unauthorized access or modification.

  • Keeping the data retrievable for audits, investigations, and compliance checks.


Tasks

PO.4.1: Define criteria for software security checks and track them throughout the SDLC.

PO.4.2: Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.

Tools

Falco: Runtime security detection for containers and hosts; generates event logs for suspicious behavior.

AuditD: Captures system-level security events for Linux.

OSQuery: Endpoint telemetry and configuration monitoring.

Prometheus and Loki: Collect and store metrics and logs in a queryable format.

Ortelius Evidence Store: Maintains versioned SBOMs linked to each deployment.

Syft: Generates SBOMs from deployed artifacts for ongoing monitoring.

OpenSCAP: Collects and stores compliance scan data.

Wazuh SIEM: SIEM with audit logging, threat detection, and compliance monitoring.

Grype: Detects CVEs in deployed images and filesystems.

In-Toto: Validates that deployed artifacts match the cryptographic attestations from the build process.

Sigstore Rekor: Provides a public, immutable log for signatures and provenance data.

Inspec: Audits deployed infrastructure and applications against security baselines and compliance requirements.

Trivy: Continuous vulnerability scanning and SBOM generation for running systems.

DefectDojo: Stores and organizes security scan results; integrates with Trivy, Grype, and Dependency-Track.

PO.5 Implement and Maintain Secure Environments for Software Development: Ensure that all components of the environments for software development are strongly protected from internal and external threats to prevent compromises of the environments or the software being developed or maintained within them. Examples of environments for software development include development, build, test, and distribution environments.


To satisfy SSDF PO.5 in a post-deployment context using open-source tools, the focus shifts to:

  • Ensuring that the security requirements for your development infrastructure remain relevant and enforced after software is released.

  • Keeping your build, deployment, and monitoring environments hardened and compliant.

  • Continuously validating that your development infrastructure has not drifted from its secure baseline.


Tasks

PO.5.1: Separate and protect each environment involved in software development.

PO.5.2: Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.

Tools

Inspec: Runs ongoing compliance scans against development and build servers; enforces CIS/NIST benchmarks.

OpenSCAP: Checks infrastructure against defined security baselines.

OSQuery: Monitors build and deployment nodes for unauthorized changes.

Kube-bench: Validates that Kubernetes-based build/test clusters meet CIS benchmarks.

Open Policy Agent - Gatekeeper: Enforces rules for infrastructure configuration (Kubernetes, Terraform, CI/CD).

Kyverno: Kubernetes-native policy enforcement for cluster security.

Jenkins: Hardened CI/CD pipelines with access controls and audit logs.

Nexus Repository OSS: Securely stores build artifacts post-deployment; applies access controls.

Harbor: Container registry with built-in vulnerability scanning and RBAC.

Wazuh SIEM: Ingests infrastructure security logs and alerts on violations.

Falco: Detects unauthorized activity in build/deployment clusters or runner nodes.

Prometheus + Alertmanager: Monitors infrastructure security metrics and triggers notifications.

In-Toto: Validates that deployed artifacts match the cryptographic attestations from the build process.

Sigstore Rekor: Maintains an immutable, tamper-evident log of signed infrastructure configuration files.
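As an added example (not code from the original page or from the Ortelius project), the following OPA Rego admission policy shows what "security requirements as code" looks like for the Open Policy Agent entries under PO.1.2 and PO.5: two organization requirements written once and enforced by OPA or Gatekeeper on every workload admitted to a deployed cluster. The package name and the approved registry prefixes are assumptions.

```rego
# Added example: an OPA admission policy encoding two security requirements
# (PO.1.2) so that OPA/Gatekeeper can enforce them on deployed clusters (PO.5).
package kubernetes.admission

import rego.v1

# Assumption: the organization's approved image registries (constructed values).
approved_registries := {
	"registry.example.internal/",
	"ghcr.io/example-org/",
}

# Requirement 1: workloads may only run images from an approved registry.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in all_containers
	not from_approved_registry(container.image)
	msg := sprintf("container %q uses image %q from an unapproved registry",
		[container.name, container.image])
}

# Requirement 2: images must be pinned by digest, so the running artifact can
# be matched against its signature and SBOM (cosign / Syft output) after release.
deny contains msg if {
	input.request.kind.kind == "Pod"
	some container in all_containers
	not contains(container.image, "@sha256:")
	msg := sprintf("container %q image %q is not pinned by digest",
		[container.name, container.image])
}

# Evaluate init containers as well as application containers; the second rule
# simply yields nothing when the pod declares no initContainers.
all_containers contains c if {
	some c in input.request.object.spec.containers
}

all_containers contains c if {
	some c in input.request.object.spec.initContainers
}

from_approved_registry(image) if {
	some prefix in approved_registries
	startswith(image, prefix)
}
```

When OPA runs as a validating admission webhook, each `deny` message becomes the rejection reason recorded in the API server audit log; the same file can be evaluated against manifests before deployment with `opa eval`, so the requirement is checked identically in CI and at runtime.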