Software Factories Say Policy Vital to Implementing DevSecOps Across DOD
Software factories push for culture and policy changes to help put the Defense Department on a faster track to integrating DevSecOps into its infrastructure.

The Defense Department is making progress in incorporating DevSecOps into its weapons systems development. Software factories are helping DOD overcome the policy and culture challenges that stand in the way, in ways that could also ease the adoption of new technologies.
Some defense experts believe it is crucial that DOD recognize DevSecOps as a mindset and embrace practices that are technology agnostic, so that the framework can be adopted more broadly.
Robert DeVincent, Chief Software Officer of the 309th Engineering Group at Maxwell Air Force Base, thinks educating senior leadership is key to enabling DevSecOps across DOD.
Authorizing officials (AOs) across DOD interpret acceptable risk differently, and the department has been looking to harmonize those interpretations. That discrepancy poses a challenge when collaborating on frameworks and architectures, DeVincent said during the GovCIO Media and Research Disruptive DevSecOps event.
“It doesn’t help if we have an enterprise framework or architecture if the AOs aren’t in agreement to accept the level of risk that comes with those. We need to do whatever we can policy-wise that will help drive the comfort of AOs to accept or mitigate a manageable level of risk,” DeVincent said. “It’s important we figure out how to help senior leaders understand the benefits and concerns of implementing DevSecOps.”
Manuel Gauto, Chief Engineer at Black Pearl, U.S. Navy, said accreditation is also important when developing a common framework and language for negotiating with authorizing officials.
“They serve a really important purpose, and at the end of the day it’s their signature that’s on the piece of paper and it’s on us to make sure we come up with a resilient way of communicating risks and why things are going to be ok to people like that,” Gauto said.
The Navy faces similar challenges. Gauto believes they stem in part from a combination of technical and institutional hurdles, which will require more than a single policy to address.
“At least on the naval side we are starting to see engagement from our leadership where they’re willing to back us up and they’re putting out strategic intent and memos and saying this is the way we need to go. Which makes our lives easier at the worker level in order to move forward,” Gauto said.
According to Dave Cantrell, CISO of BESPIN at Hill Air Force Base, the DOD DevSecOps strategy and approach need to be practice-focused rather than technology-focused.
“The concern was when a document comes out from the DOD CIO’s office that is explicitly endorsing a specific technology stack,” Cantrell said. “Then the independent AOs look to that as effectively an endorsement that they should all be trying to force everyone to move in that direction. But that is not necessarily the best fit for every single mission.”
Cantrell said this will necessitate policies that overcome impediments to rapidly building and deploying mobile applications.
“In many cases, all of the policies are written from the standpoint of helping AOs add capabilities to their existing system baselines, whereas what we are trying to do is provide a common set of capabilities and provide mobile applications that can be used by those AOs,” Cantrell added.
Gauto also described how the commoditization of technology comes into play, and how it is part of a maturing DevSecOps landscape.
“The next step is formalizing that unification on a technology set and then packaging it up as a commoditized service and offering that to the community so they can pick up the torch and move on to the next step of automating their risk evaluation or automating their deployment,” Gauto said. “Now that I can move this quickly, what kind of cool capabilities can we offer to the warfighter? It’s the natural next step to getting us to where we want to be.”
Meanwhile, DeVincent said he would like to see the commoditization of cloud infrastructure across the Defense Department.
“I would really like to see more centralized access to those features. I would love to get the DOD to procure unique cloud contracts at the DOD level across all the different cloud providers and then let the different weapons systems go to the DOD rather than create individual contracts with those cloud providers to get into those spaces,” DeVincent said. “So whatever we can do to help teams get into an operating space that enables them to do their jobs.”