
DOD Expands DevSecOps to Accelerate Software Deployment


George Lamb said the Pentagon is using continuous authorization and better processes to integrate security and speed across all programs.

DOD Information Networks Capabilities, Information Enterprise Director George Lamb speaks during the 2025 Carahsoft DevSecOps Conference in Reston, Virginia, on July 29, 2025. Photo Credit: Carahsoft

The Defense Department is using successful DevSecOps pilot programs to integrate agile software development across the department, DOD Information Networks (DODIN) Capabilities, Information Enterprise Director George Lamb said Tuesday during the 2025 Carahsoft DevSecOps Conference in Reston, Virginia. DOD is expanding its use of continuous authorization to operate (cATO) processes, automation and other tooling for software development, Lamb said.

“[DevSecOps] success at the CIO level [means] … more programs that are modernizing and getting into production,” Lamb said. “The forcing function [is] that we’re hoping to get some of these larger programs into a modern software construct.”

Lamb – whose new consolidated role within the CIO’s office now spans infrastructure, networking, cloud and software modernization – said that DevSecOps is not merely a technical framework but a fundamental enabler of mission success. DOD programs like Platform One and Netcom demonstrate the technical feasibility and speed that DevSecOps can achieve, Lamb said, with patches delivered to production in as little as an hour.

“And in that report, we prove the technology works,” Lamb said. “We talk about Netcom, we talk about Platform One, they are amazing technical success stories.”

The DevSecOps Infinity Loop

Lamb said that the DOD’s State of DevSecOps publication, released in March, proves “the technology works.” He highlighted the report’s DevSecOps Infinity Loop, a figure-eight concept illustrating the continuous DevSecOps cycle. Lamb said that the “development” side often garners the most attention, but that the “operations” side is where the DOD frequently falters.

“The ‘ops’ part is where we fail,” Lamb said. “You think about software. The key is taking something that exists, is a software, a constructible thing, and then pushing into operations, and then getting feedback and then feeding it back [within the DevSecOps Infinity Loop]. And that’s the part that people mostly miss. How do you get it into production?”

He added that the power of DOD’s DevSecOps Infinity Loop lies in its feedback mechanism. The goal is to view production as a starting point, Lamb said, with continuous feedback loops driving iterative improvements.

“That feedback loop, that’s really the heart of DevSecOps,” said Lamb. “It’s that feedback loop, the breaking down silos and wrapping the process around a repeatable loop. And then you get the cycle times: That’s where the scaling is, and that’s where we’re hitting the problem.”

Lamb contrasted the rapid development cycles that DevSecOps feedback loops make possible with the often years-long delays in deploying changes to critical systems such as those in the F-35.

“We can get patches out within an hour … but they can’t get into operations. If you try and put a production change into an F-35, you can make that change in like, an hour, two hours, and then two years later it goes into production,” he said. Breaking down silos and embedding this repeatable feedback loop is crucial for achieving the desired speed and scalability of software development, Lamb added.

Accelerating Authorization Through cATO

Speed and scalability are critical to DevSecOps successes throughout DOD, Lamb said. The department is working toward continuous authorization to operate (cATO) within DevSecOps to shorten development cycles, he added. According to DOD, cATO is a significant shift in DOD cybersecurity practices that incorporates real-time assessment, zero trust principles and DevSecOps to secure the nation’s supply chain against emerging threats and improve overall cybersecurity posture.

Lamb said that cATO is not about eliminating the DOD’s risk management framework but rather about transforming its application to remove impediments and accelerate processes.

“ATO is where you start, cATO doesn’t stop,” said Lamb. “The next part of cATO is that we’re going to be running in production. In a modern world we understand what the production environment is.”

Lamb underlined the importance of dashboards and tools to provide real-time visibility into anomalies, allowing for rapid remediation of security issues. Lamb added that the Army has finally nominated three software factories for cATO approval, a process that has been “struggling” for two years.

“[Army CIO Leonel] Garcia, he’s got the process in place. He’s very comfortable [with] it,” Lamb said, adding that pushing authority down to the services will enable broader scaling. “The CIO is now evaluating those. Leo approved them for the Army and we’re going to make sure that they are approved at the DOD CIO level. This is like a transition. It took forever to happen.”

Commercial Software in the DevSecOps Process

Lamb stressed that DevSecOps is not only for software developed internally at DOD. Like all software, commercial off-the-shelf (COTS) software requires automation and management, especially when patches and configurations are applied. DOD Acting CIO Katie Arrington, he added, has emphasized the Software Fast Track (SWFT) process to get COTS software into the DevSecOps pipeline and operational more quickly.

“Commercial technology is just software,” Lamb said. “How do we get that commercial software into our pipeline? SWFT is a process for going to look at the authorization process, and Katie comes from the [Cybersecurity Maturity Model Certification] process … The key to that process is scaling the authorization process.”

Iron Bank, the container repository for Platform One, serves as a prime example of this process. With over 1,500 mostly commercial containers, Lamb added, Iron Bank scans and evaluates software, providing a risk assessment rather than a simple pass/fail, which makes for a better adaptation of the risk management framework and brings secure commercial software into the infinity loop faster.

“We put insecure software in production all the time,” Lamb said. “Iron Bank scans it … We don’t stop it. We just put caveats around it. We check it. We’re very careful about where it’s used. That’s how the scaling works and that’s where the security needs to come from.”
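To make the distinction between a pass/fail gate and a risk assessment with caveats concrete, here is an added example of what such an admission check can look like in code. It is not Iron Bank's, Platform One's or any DOD program's code: the finding fields, severity weights, thresholds, tier names and caveat wording are assumptions made for the illustration, and the sample findings (with placeholder IDs such as FINDING-1) are constructed rather than taken from a real scan.

```python
"""Risk-tiered acceptance of container image scan findings.

Added illustration, not code from Iron Bank, Platform One or any DOD program.
It contrasts a binary pass/fail gate with a risk assessment that admits an
image under caveats about where and how it may run. The finding fields,
weights, thresholds and caveat wording are assumptions for this example;
the sample findings below are constructed, with placeholder IDs.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed severity weights (not a published DOD or Iron Bank scale).
SEVERITY_WEIGHT = {"CRITICAL": 10, "HIGH": 5, "MEDIUM": 2, "LOW": 1, "NEGLIGIBLE": 0}


@dataclass(frozen=True)
class Finding:
    """One scanner finding. IDs used below are placeholders, not real CVEs."""
    finding_id: str
    severity: str
    fix_available: bool        # a patched package version exists upstream
    known_exploited: bool      # e.g. listed in an exploited-vulnerability catalog
    justified: bool = False    # a reviewer accepted a written risk justification


@dataclass
class Assessment:
    score: int
    tier: str                  # "approved", "conditional" or "blocked"
    caveats: List[str] = field(default_factory=list)


def pass_fail(findings: List[Finding]) -> bool:
    """The simple gate: any unjustified HIGH or CRITICAL finding fails the image."""
    return not any(
        f.severity.upper() in ("HIGH", "CRITICAL") and not f.justified for f in findings
    )


def score_finding(f: Finding) -> int:
    """Weighted risk for one finding. An accepted justification scores zero
    (it is still tracked via a caveat); exploited-in-the-wild and
    fixable-but-unfixed findings are weighted up, since those are the ones
    an operator can and should act on first."""
    if f.justified:
        return 0
    score = SEVERITY_WEIGHT.get(f.severity.upper(), 0)
    if f.known_exploited:
        score *= 3
    if f.fix_available:
        score *= 2
    return score


def assess(findings: List[Finding], conditional_at: int = 10, block_at: int = 40) -> Assessment:
    """Turn findings into a tier plus the caveats an operator must honour.
    The thresholds are assumed values for the example."""
    score = sum(score_finding(f) for f in findings)
    caveats: List[str] = []

    if any(f.known_exploited and not f.justified for f in findings):
        caveats.append("no internet-facing exposure; deploy only in an isolated network segment")
    fixable = sorted(f.finding_id for f in findings if f.fix_available and not f.justified)
    if fixable:
        caveats.append("remediation ticket required before next release for: " + ", ".join(fixable))
    if any(f.justified for f in findings):
        caveats.append("accepted-risk justifications expire; re-review at the next scan")

    # A known-exploited CRITICAL with a fix available is blocked outright,
    # regardless of the aggregate score.
    hard_block = any(
        f.severity.upper() == "CRITICAL" and f.known_exploited and f.fix_available and not f.justified
        for f in findings
    )
    if hard_block or score >= block_at:
        tier = "blocked"
    elif score >= conditional_at or caveats:
        tier = "conditional"
    else:
        tier = "approved"
    return Assessment(score, tier, caveats)


# Constructed sample: an image with one fixable HIGH, one unfixable MEDIUM and
# one CRITICAL the program has formally justified. A pass/fail gate rejects it;
# the risk assessment admits it conditionally, with two caveats.
SAMPLE_IMAGE = [
    Finding("FINDING-1", "HIGH", fix_available=True, known_exploited=False),
    Finding("FINDING-2", "MEDIUM", fix_available=False, known_exploited=False),
    Finding("FINDING-3", "CRITICAL", fix_available=False, known_exploited=False, justified=True),
]

# Constructed sample: an image carrying an exploited, fixable CRITICAL.
EXPLOITED_IMAGE = [
    Finding("FINDING-4", "CRITICAL", fix_available=True, known_exploited=True),
]


if __name__ == "__main__":
    for name, image in (("sample", SAMPLE_IMAGE), ("exploited", EXPLOITED_IMAGE)):
        result = assess(image)
        print(f"{name}: pass/fail={pass_fail(image)} tier={result.tier} score={result.score}")
        for caveat in result.caveats:
            print("  caveat:", caveat)
```

The point of the example is the output shape, not the particular weights: the assessment returns where the image may run and what must happen before the next release, which is what lets a program ship with known, bounded risk instead of stalling on a binary verdict.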

Bringing AI into the DevSecOps Infinity Loop

According to Lamb, AI can accelerate the DevSecOps infinity loop in several places, from assisted code development and testing to anomaly detection in operations. While DOD’s Chief Data and AI Office focuses on the broader application of AI, the DOD OCIO is primarily concerned with how AI can accelerate the DevSecOps infinity loop and enhance DOD missions, Lamb said, adding that “AI is just software” for OCIO purposes.

“It’s just software, and then we want to push it through that infinity loop and get it into production faster,” he said. “Our job at OCIO is to get software in production fast, whether it’s AI, whether it’s test algorithms, whatever it is.”

The Evolving Landscape of Software Development Activities

Lamb added that software factories are evolving within DOD and the DevSecOps processes. Initially, there was a widespread desire to establish software factories within the military services, followed by a period of retraction due to congressional scrutiny over their proliferation.

“There was a time when everyone wanted to be a software factory, and then there was a time where nobody wanted to, because Congress is saying we have too many software factories,” Lamb said. “The new term is a software development activity.”

The term, Lamb said, is part of a foundational concept driving modernization efforts. He said that the activities are more about managing full lifecycles — including configuration, cloud integration and patching.

“Software is everything,” Lamb said. “Business systems, logistics platforms, even routers — everything now requires secure configuration and ongoing management.”

Codified Policy and Cultural Shift

Lamb underscored the need for codified DOD instructions to mandate and further scale DevSecOps practices across the department. While guides and reference designs exist, a formal instruction is the “forcing function” that will compel legacy programs, he added. Some DOD offices are still using older development methods and need to transition to modern software constructs, agile processes and integrated testing, Lamb said. Shifting the culture and codifying DevSecOps processes may therefore become part of how DOD implements its guidance.

“There’s no instruction that says, ‘Thou shalt use DevSecOps.’ The closest thing that’s happened recently is in the acquisition space, with the software acquisition pathway,” Lamb said. “They need to start transitioning, by fiat, by directive from the department, into using an infinity loop, using agile processes, using testing that’s more integrated.”
