Refer to what Platform One is doing. From their site: Platform One’s DevSecOps Platform (DSOP) is a collection of approved, hardened Cloud Native Computer Foundation (CNCF)-compliant Kubernetes distributions, infrastructure as code playbooks, and hardened containers. This collection implements the Platform One DevSecOps platform that is compliant with the DoD Enterprise DevSecOps Reference Design, and its source code is hosted on Repo One.

One thing to look out for is vendor intellectual property issues. From a vendor IP perspective, assuming they develop in containers, the government does not need the source code of the application inside of the containers, they can just provide the binaries. They should provide the source code for the container the Dockerfile files, so we can rebuild them. That should protect the IP with the assumption you’re protecting your binaries. As long as the government has the binaries and the source code for the Dockerfile file, then it can be rebuild and scanned and then ready for use.