Speedy, secure delivery is challenging for agency leadership to wrap their minds around, said Acting Deputy Federal CIO Drew Myklegard. But the old tenet “slower is safer” doesn’t always hold true. Building trust in quick delivery is one of the next big challenges for many agencies, but it’s key to deploying timely capabilities.
A faster process requires security and software teams to get on the same page early on, said U.S. Air Force BESPIN CISO Dave Cantrell. At the Defense Department, security experts are radically transforming to match the pace of software development and integrate into an agile process.
To operate a DevSecOps model, every member of your development team needs to be on the same page, which is why the Army is creating specialized training for team members in different roles, said Army Chief Systems Engineer for the Assistant Secretary Jennifer Swanson
Swanson wants to see government retain its top talent by opening pathways for promotion into advanced tech positions, rather than funneling high performers into management roles.
Security leaders have to win over stakeholders who believe they can achieve DevSecOps by throwing money at the problem, and sway production teams who think that their processes are too entrenched to ever change, said Manuel Gauto, chief engineer for the U.S. Navy’s Black Pearl.
DevSecOps doesn’t happen overnight. Many DOD components will have to take measured steps to fully integrate security into the development process, Cantrell said. In many instances, DevSecOps will be best achieved through evolution rather than revolution.
DOD is on the path to CI/CD, but it still has a ways to go, said Rob DeVincent, chief software officer for the Air Force 309th Software Engineering Group. Every program within DOD is unique, and every weapons system has niche requirements.
While there are “pockets of excellence” throughout the department that have successfully integrated DevSecOps practices, other components are working within rigid production environments. DeVincent pointed to the success of SpaceX’s Starlink in shutting down a Russian electromagnetic warfare attack and said that DOD needs to achieve similar a similar response time.
The U.S. Navy’s Black Pearl operates like a “software factory as a service,” said Chief Engineer Manuel Gauto, and it provides infrastructure and mentorship to enable teams to rapidly spin up software factories and see their product over the finish line.
Inspired by Platform One, the U.S. Digital Service is building out CMS’s platform as a service that will provide CMS with continuous integration, deployment, testing and containerization capabilities. With this platform, development teams that are new to the DevSecOps model won’t have to build their process from the ground up.