Delivering Innovative Solutions for the U.S. Department of Defense: Shift5's Journey with Chainguard

Introduction: Creating a Secure Development Environment

Shift5 is an observability platform for onboard operational technology (OT), enabling smarter, faster decisions for its customers in aerospace, rail, and defense. While every organization building software needs to prioritize security, Shift5’s customer base consists of organizations in highly regulated industries, which makes creating a secure development environment paramount. With Chainguard, Shift5 has been able to maintain continuous compliance with critical frameworks like FedRAMP and CMMC, while building deep trust with its customers.

Challenge: Maintaining Compliance While Moving at the Speed of a Startup

Shift5 is a startup and its primary customer is the United States Department of Defense (DoD). The DoD operates in the most highly regulated environments – and for Shift5 to deliver the best possible solutions to the DoD, it needed to prioritize the security of its platform. That means effectively managing and remediating Common Vulnerabilities and Exposures (CVEs).

The engineering team at Shift5 faced two major challenges: 1) moving quickly to build, test, and deliver new features to improve its platform, and 2) remediating all CVEs from its container images to be compliant with government standards. Balancing these two priorities is extremely difficult and companies often sacrifice one for the other.

As a small engineering team, maintaining continuous compliance required dedicated headcount to keep Shift5’s containers up-to-date. This took already limited resources away from building on Shift5’s platform, slowing down innovation and business growth.

“Shift5 is a startup, and we are selling a new product, trying to get new customers. So when we're spending so much time on maintenance, it makes it harder to add value and features to our product or add value to the platforms that our product is built on so that we create a better product.”

-Shaun McDonnell, Director of Platform Engineering at Shift5

Federal regulations also mandated the creation of Security Technical Implementation Guides (STIGs) for all of Shift5’s container images. STIGs are an infrastructure hardening standard that varies by use case, but requires significant engineering investment in all scenarios. This presented an additional challenge for Shift5, as the engineering team needed to manually build STIGs for each of its containers from the ground up and seek approval by the Defense Information Systems Agency (DISA) — all before getting to executing the hardening work itself. 

“With our customer being the Department of Defense, every time we were in pre-deployment or wanted to make a software update for the customer, we would have to prepare STIGs,” said Sam Rajachudamani, Senior Director of Products and Partnerships. “We would have to do scans of the software, as well as the underlying dependencies.” 

Another important compliance regulation that Shift5 needed to account for was NIST’s requirements for the implementation and validation of Federal Information Processing Standards (FIPS). FIPS is a set of cryptography library and algorithm standards that DoD vendors must follow in order to ensure appropriate security of data within the compliance boundary. Like STIGs, building and maintaining FIPS compliant containers from the ground up required a staggering amount of time and effort from Shift5’s engineering team – not only with the upfront lift, but on an ongoing basis for continuous compliance.

Vice President of Field Engineering James Hoscheit described the process: “In order to deploy Shift5 software within the federal space, we have a number of standards that we have to meet. Not only is that things like STIGs, but at the beginning, it starts with FIPS validation, and that's a whole process that you have to go through to validate that the cryptography algorithms that you're using in your container actually meet government standards.”

STIGs, FIPS, and the need to remediate all CVEs in Shift5’s environment came together as part of the company’s pursuit to achieve an authority to operate (ATO) within federal government environments. An ATO is required for any software vendor to be able to operate or deliver software for government customers in both classified and unclassified settings. At Shift5, securing an ATO was directly tied to significant revenue opportunities and the overall success of the business.

"We were able to shortcut the vulnerability management back and forth for all of the dependencies and the base images by saying, ‘Here are the Chainguard Images that we are using.’ And it was a one-time ‘done’ without needing to go through a huge back and forth. That saved us quite a bit of time as we went through this ATO process."

-Sam Rajachudamani, Senior Director of Products and Partnerships at Shift5

Shift5 needed to keep up the pace of its product development while still maintaining its ATO with limited resources. The manual processes currently in place were not sustainable, and a better way forward was necessary to keep the business growing.

Solution: Chainguard Images as a Foundation for Securing Critical Infrastructure

Shift5 sought a container solution that would allow it to maintain necessary compliance for its ATO and give time back to its engineering team to build and ship products. These needs ultimately led Shift5 to Chainguard’s minimal, zero-CVE Container Images that offer FIPS-validated cryptography and OS-level STIGs.

Making Compliance Easier

Upon implementation, Chainguard Images were able to immediately relieve the pain of vulnerability management. Previously, the Shift5 engineering team was dealing with thousands of CVEs in the company’s container images. After implementing Chainguard Images, that number went to zero.

“Chainguard takes the heartache away from building and maintaining images because they do all the hard work for you and just deliver you a clean product,” Shaun said.

Switching to Chainguard Images enabled Shift5 to deliver better security to its customers, many of which are working on critical, highly sensitive projects both in the field and in the cloud. With Chainguard, Shift5 could utilize a uniform deployment approach free of CVEs no matter the use case, whether its software is being deployed in a resource constrained edge environment (like an aircraft or rail car) or an infinitely scalable cloud environment.

Shift5 also utilized Chainguard’s FIPS Images, and the STIGs that accompany them, to be immediately compliant to the strict cryptography and hardening regulations needed for its ATO. Combined with the reduced burden of vulnerability management, Shift5 was able to utilize these features to get its platform in the hands and systems of its federal customers sooner, thereby accelerating revenue, which was critical for the business to continue growing.

James put it simply: “For Shift5 customers, the biggest thing that they've noticed is not necessarily that we're using Chainguard containers, but that we're far more responsive and quick to meet all their requirements, which for them, makes their lives easier because we can go faster.”

Unlocking Engineering Resources

With Chainguard Images, Shift5 moved its limited engineering resources away from vulnerability management, and empowered its developers to build on and expand the platform to better serve the needs of its customers.

“Chainguard has allowed our team to focus on delivering features and product capabilities that are core to our product strength that we need to get out the door, and doing it in a secure way.”

-Sam Rajachudamani, Senior Director of Products and Partnerships at Shift5

Shift5 estimated that the adoption of Chainguard Images saved its engineering team over two and a half months worth of man hours per person around remediating CVEs and maintaining other important compliance standards. For a startup with limited resources, this huge time savings allowed Shift5 engineers to get back to doing what they love to do: building software.

An Unexpected Additional Benefit

As Shaun highlighted on X, this time savings not only led to increased productivity, but an unexpected benefit: a stress-free date night with his wife.

Conclusion: Time Savings and Security That Lasts

Shift5’s utilization of Chainguard Images aligns with the organization’s core mission to build a smarter, safer, and more secure world. Ensuring that the software being deployed into critical infrastructure is CVE-free helps Shift5 give its customers peace of mind, and allows it to achieve compliance and product goals faster.

Chainguard Images enable Shift5 to continue growing and improving its platform, utilizing a streamlined, resource-friendly base to build secure for the future.