
batCAVE (Platform-As-A-Service)

Continuous authorization and verification platform for faster development and improved security

Contact: batCAVE Team | IUSGAdvisors@cms.hhs.gov
CMS Slack Channel
  • #batcave-platform-general-chat

What is batCAVE?

Within CMS Cloud, batCAVE is a secure Platform as a Service (PaaS) designed to reduce costs and shorten the time needed to receive an Authorization to Operate (ATO) by offering a built-in suite of tools, resources, and security control mapping. Because batCAVE is an integrated part of the CMS Cloud onboarding program, Application Development Organizations (ADOs) benefit from a reliable, templated, managed cloud architecture that delivers:

  • ATO in months, not years
  • Built-in, repeatable, extensible managed infrastructure
  • Comprehensive security pipelines and support tooling

Benefits of batCAVE

Automation

batCAVE provides developers with services and infrastructure that are built into an existing Authorization to Operate (ATO), which can save months of time, money, and effort. batCAVE's flexible and scalable solution offers secure, shared, and managed access to the batCAVE cyber security stack (the Utility Belt), a suite of services and resources that maintains regulatory compliance for the platform and the applications deployed on it. This includes runtime security, logging, monitoring, visualization, tracing, service mesh, policy enforcement, and more. Together, these services cover a large portion of what ADOs need for effective cyber security, and all of them are essential for compliance.

Inheritance

With batCAVE, ADOs inherit controls from six packages within CFACTS (batCAVE, AWS/CMS Cloud, IDM, EUA, CCIC, and OCISO), dramatically reducing the time it takes to achieve ATO and lightening the security and compliance burden on developers. batCAVE partners with ADOs to assess their technical needs and relieve them of the burdensome task of control mapping, saving months of work. By onboarding to batCAVE, ADOs receive a total of 74% control inheritance, drastically reducing the work and time ISSOs need to accredit their system.

Lower risk releases

Continuous automated testing is built into the batCAVE security pipeline, which identifies vulnerabilities early in the development lifecycle. Applications built on the platform are continuously scanned for vulnerabilities, so developers can release new features with high confidence and low risk. Each ADO application is supported by a secure, declarative deployment of the batCAVE Utility Belt via shared services (continuous integration and deployment). By leveraging automated testing, ISSOs can buy down risk by rejecting vulnerabilities that match the CISA Known Exploited Vulnerabilities (KEV) Catalog and by setting thresholds based on Exploit Prediction Scoring System (EPSS) scores. This allows for confident and frequent releases while providing a clear picture of risk platform-wide.
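The KEV and EPSS release gate described above, written out as a small pipeline policy check. This is an added illustration, not batCAVE's own pipeline code; the `Finding` shape, the KEV subset, the EPSS values and the placeholder CVE ids are all constructed for the example, and the 0.10 default threshold is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    """One vulnerability finding emitted by a scanner (constructed shape)."""
    cve: str
    package: str
    severity: str

@dataclass
class GateResult:
    blocked: bool = False
    reasons: list = field(default_factory=list)

# Constructed sample data: a KEV catalog subset and EPSS probabilities.
# The CVE ids are placeholders, not real vulnerabilities.
KEV_CATALOG = {"CVE-0000-1111", "CVE-0000-2222"}
EPSS_SCORES = {"CVE-0000-1111": 0.97, "CVE-0000-3333": 0.42, "CVE-0000-4444": 0.02}

def evaluate_gate(findings, kev, epss, epss_threshold=0.10):
    """Return a GateResult: blocked if any finding is in KEV or meets the
    EPSS threshold. Findings without an EPSS score are flagged for manual
    review but do not block on their own."""
    result = GateResult()
    for f in findings:
        if f.cve in kev:
            result.blocked = True
            result.reasons.append(f"{f.cve} ({f.package}): listed in CISA KEV")
            continue  # KEV membership already decides; no need to check EPSS
        score = epss.get(f.cve)
        if score is None:
            result.reasons.append(f"{f.cve} ({f.package}): no EPSS score, needs manual review")
        elif score >= epss_threshold:
            result.blocked = True
            result.reasons.append(
                f"{f.cve} ({f.package}): EPSS {score:.2f} >= threshold {epss_threshold:.2f}")
    return result

if __name__ == "__main__":
    sample = [Finding("CVE-0000-1111", "libalpha", "HIGH"),
              Finding("CVE-0000-3333", "libbeta", "MEDIUM"),
              Finding("CVE-0000-9999", "libgamma", "LOW")]
    verdict = evaluate_gate(sample, KEV_CATALOG, EPSS_SCORES)
    print("BLOCKED" if verdict.blocked else "ALLOWED")
    for reason in verdict.reasons:
        print(" -", reason)
```

In a real pipeline the KEV set and EPSS map would be refreshed from their published feeds before each run, and the threshold would be set per ISSO risk appetite rather than hard-coded.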

Infrastructure: How batCAVE works

batCAVE is a comprehensive platform that provides the essential infrastructure components ADOs need, making it easier to streamline projects within CMS. This approach accelerates project initiation and enables quick delivery of value. A built-in, pre-approved suite of tools in the batCAVE Utility Belt, operating within a continuously approved authorization boundary, lets development teams onboard and hit the ground running.

To help development teams onboard swiftly and get to work with minimal delay, batCAVE provides:

  • Kubernetes control plane using Amazon EKS
  • Consistent and scalable architecture using Infrastructure-As-Code (IAC) and Configuration-As-Code (CAC)
  • Industry-standard deployments of subsystems with Helm Charts

  • batCAVE-hosted GitLab
  • ADO-controlled git repositories
  • batCAVE pipeline for scanning and builds
  • Argo CD-managed deployments

Getting started

If you're looking to onboard to the batCAVE platform or want more information, contact your CMS Cloud IUSG advisor to learn more.