DevSecOps Essential for Defense Preparedness

The Defense Department and U.S. Armed Forces are using DevSecOps practices to facilitate the adoption of new technologies that advance preparedness and strategic advantage.

Speaking at the GovernmentCIO Media & Research Disruptive DevSecOps virtual event, representatives from the DOD’s Joint Artificial Intelligence Center and Naval Information Warfare Center outlined how automated development practices are better enabling digital transformation and overall IT security.

One of the fundamental hurdles in developing new technologies like artificial intelligence and machine learning is the scope of the design process. Relying on manual development would result in prolonged and inefficient deployment timelines, necessitating a shift to a DevSecOps approach to ensure timely completion.

“Being able to replicate infrastructure quickly and securely that is easily repeatable is what we have to get right. We want to be able to reproduce the conditions of an environment where AI developers can easily develop capabilities with a common set of tools and infrastructure so that developers and users will have the confidence that the capability will work, either in a development or production,” said JAIC Chief of Infrastructure and Platforms Col. Sang Han. “What used to take weeks to build … is now easily reproducible with infrastructure and configuration-as-code, and can be easily established within minutes to hours instead of the old approach that could take days or weeks.”

DevSecOps has also quickened the pace of technological adoption and the vetting of products developed by the private sector that need to be adjusted for use within the Armed Forces — particularly through adapting them to the low-bandwidth environments that are more common across government.

“A lot of times, industry utilizes this high-availability environmental infrastructure as well as the high-bandwidth design models that — when they were designed on the industry side — upgraded successfully,” said Edmond Kuqo, lead systems engineer for DevSecOps at the Naval Information Warfare Center – Atlantic. “When they are introduced to low bandwidth and disconnected infrastructure, they become challenging and problematic in a way where the government has to spend extra cycles to re-update the architecture or re-introduce different design and deployment models to successfully deploy on such constrained environments.”

The importance of DevSecOps in hastening the adoption of private-sector technology has also proven essential for ensuring these capacities are used in products that benefit military servicemembers — a transition that would be considerably more difficult without automated development and deployment cycles.

“We know our competitors are investing in rapidly developing AI capabilities, and the American warfighter will need trusted AI capabilities so that when the American warfighters are called upon their mission they will have that advantage to achieve their objectives,” Han said. “If the developers or the industry don’t know the left and right limits, we see all these awesome capabilities in the home environment. Then when you put it into the government network, it doesn’t work. And we spend days, if not weeks, with the developers and the engineers trying to figure out why those capabilities aren’t working in production.”

The ultimate outcome of DOD’s embrace of DevSecOps has been the rapid delivery of new capacities and the overall maintenance of a strategic edge during an era of accelerating technological change.

“I remember when I was deployed a couple of years ago, as we tried to make changes to an application, we waited six months for an update. While you’re deployed and doing a mission, six months is just not acceptable. This DevSecOps culture is what we need to really help facilitate delivering that at mission speed,” Han said.