
Pentagon Revamps Tech Strategies to Advance DevSecOps

Updated Pentagon software development strategies streamline processes, enhance security and drive operational innovation.

The Department of Defense updated its DevSecOps fundamentals guidance in October. Photo Credit: khunkornStudio/Shutterstock

The Department of Defense released a series of new guidelines and initiatives this year to advance modernization, embrace DevSecOps and enhance security.

“The department started this back in 2019,” DOD Director of Cloud & Software Modernization George Lamb said during a meeting of the GovCIO Media and Research DevSecOps Working Group on Friday. “That’s when the true transformation for DevSecOps first kicked off. A lot of what we do is at strategy and guidance level.”

In October, DOD updated its DevSecOps fundamentals document, outlining a modernized approach to software development. The revised edition emphasized faster delivery, tighter security and improved collaboration across the software development lifecycle. Lamb said the document used to be more of an “aspirational guide” and that the updated version is more practical.

“[The version released in October] takes us to the current state of where we are after four years of the journey,” Lamb explained. “This fundamentals document is designed for the department and programs that are trying to understand where they are, how to adopt cloud and how we take the different authorities and equities that are distributed across the department.”

Lamb also highlighted the Pentagon’s shift from point-in-time security checks to continuous authorization in the DevSecOps process. Lamb said that the “DoD Continuous Authorization Implementation Guide” document, released in April, outlines a more dynamic approach.

“It’s a concept that’s been around for a while, but we’re trying to drive that home as the new standard to replace [authority to operate] really looking at the supply chain, the secure supply chain, making that the fundamental premise for how you do ATO,” said Lamb. “Getting rid of that concept where ATO is something that happens at the end you hand over a product, and then your security team comes in and they look at it without context.”

Lamb noted that the continuous authorization process can identify and address security vulnerabilities much faster, reducing the time it takes to deploy software. By integrating security into the development process, DOD aims to build more secure software from the ground up, Lamb said.

“We believe that security without context is really not secure,” said Lamb. “That context is how you get a lot of the smarts, and the supply chain is where you get that context.”

Lamb also highlighted the “DoD Cloud Financial Operations Strategy,” released in October 2024, which aims to optimize cloud spending and ensure the department gets the most value from its cloud investment. The strategy outlines ways to manage cloud computing costs within modernization plans and to manage cloud resources and budgets efficiently.

“Each of the services have their own cloud service offices, and that’s where we’re seeing inconsistent ways that financial operations are happening,” said Lamb. “We’re trying to bend the best practices from using the cloud effectively into the department, turning that into department-wide policy.”

Lamb said the department’s DevSecOps updates help modernize DOD by accelerating software delivery, streamlining processes, managing cloud more effectively and prioritizing security throughout the software development lifecycle.

“[It’s a] transformational process, trying to get DevSecOps encoded through the department,” said Lamb.
