
DOD Advances DevSecOps, ATO Reform to Speed Mission-Ready Software


Defense leaders adopt DevSecOps and automation to speed software delivery, streamline ATO and boost cyber agility.

An aerial view of the Pentagon in 2021. Photo Credit: Staff Sgt. Brittany Chase /Defense Department

The Defense Department is accelerating its adoption of DevSecOps and agile development practices to drive innovation and streamline the Authority to Operate (ATO) process, aiming to deliver mission-critical applications at the speed of relevance, officials outlined at the Carahsoft DevSecOps Conference on July 29 in Reston, Virginia. IT leaders highlighted evolving initiatives to condense lengthy software approval pipelines and modernize outdated compliance frameworks.

The initiative reflects recent guidance from senior DOD leaders, including Acting CIO Katie Arrington, who have advocated moving away from rigid, compliance-based risk management toward a more flexible, risk-informed model. This shift aims to accelerate decision-making and improve agility, allowing the department to better support users in rapidly evolving operational environments.

DevSecOps Empowers Rapid Delivery and Real-Time Decision-Making

Marine Corps Community Services (MCCS) Digital Program Manager Dave Raley said during the event that a risk-based approach enables developers to see systems in real time and make informed decisions. Operation StormBreaker, the only Marine Corps certified DevSecOps pipeline, has allowed MCCS to deploy software updates at the speed of mission operations, rather than months later.

“Agility and speed can often represent security,” Raley said. “But when you apply a point in time document centric approach to [the Risk Management Framework (RMF)], you’re losing the ability to have speed, and you’re not focusing on the cyber element.”

Operation StormBreaker is also using Rapid Assess and Incorporate Software Engineering (RAISE) to quickly deploy software. Raley said the MCCS is the first Marine Corps environment to achieve RAISE certification.

“It is such a release and freedom to be able to be in a position in an organization where you actually build products, get value from them and get feedback from actual users, as opposed to spending your time guessing,” said Raley.

Continuous ATO (cATO) enables agile software development and allows operators to focus on problems in real time. Patrick Lorigan, technical director for the Air Force Research Laboratory’s Agile Space Operations Software branch, said cATO allows his team to push code to users faster.

“We’ve been able to get [code] into the hands of our operators on their real systems in a matter of months from when we start, rather than years,” said Lorigan. “And that has allowed us to pivot based on what we see and continue what we’re doing … and move on to the next thing.”

Pushing Software Standardization, Automation and Culture Change

Ana Kreiensieck, software systems lead for the Deputy Chief Information Officer for Information Enterprise, DOD Information Networks (DoDIN) Directorate, said during the panel that the department is turning to standardization to streamline operations. She added that DOD is ready to codify software delivery within the department.

“A lot of this [work] is actually about transforming the processes, especially the authorization process,” said Kreiensieck. “Software is how we will win in the cyber domain. We have to be able to adapt and change our software … because that’s [what allows us] to give the warfighters the capabilities that they need.” 

Kreiensieck said manual processes and static documents, like the RMF, are not inherently bad because they provide the foundation for the future. Now, to keep pace with real-time threats, Kreiensieck said agencies need to become data-centric and find a way to automate cybersecurity.

“Now we’re focused on being data centric and looking at real-time security posture dashboards based on data from the pipelines,” said Kreiensieck. “We need … to bake [cybersecurity] in from the beginning.”

Former Director of Enterprise Technology Governance at the Department of Homeland Security Bill Pratt said modernization efforts must also be applied to culture. Quality assurance testers have manually tested software releases for years. According to Pratt, some still do because of the lack of trust in automated systems.

As agencies look to AI and automated processes, Pratt said everyone in the pipeline – from developers to product owners – needs to be ready for it.

“You can’t automate bad processes and unless you trust the pipeline you’re not going to get anything out the door fast,” Pratt said. “Add agentic AI and imagine how nervous folks are about that.”
