DevSecOps in the DoD: Embedding Security at the Speed of Innovation

The Department of Defense is undergoing a fundamental transformation in how it develops, secures, and deploys software, moving from delivery timelines measured in years to timelines measured in minutes through DevSecOps adoption. This strategic shift integrates security throughout the software development lifecycle, enabling defense agencies to maintain compliance while dramatically accelerating innovation cycles. By establishing department-wide software factories, implementing continuous authorization processes, and fostering cross-functional collaboration, the DoD is demonstrating how government organizations can deliver resilient software capabilities at the speed of relevance while maintaining the highest security standards.

The Strategic Imperative for DevSecOps in Defense Systems

With increasingly sophisticated cyber threats targeting defense systems, the traditional approach of bolting security onto software as an afterthought is no longer viable. As the DoD CIO and the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) recognize, there is an urgent need to rethink software development practices and culture by leveraging commercial sector approaches and best practices.

The growing adoption of DevOps and the rise of containerization and Continuous Integration/Continuous Deployment (CI/CD) in the software development lifecycle have brought significant changes to defense IT. While these methods offer many advantages, they also present unique security challenges, as containerized applications can be more susceptible to cyber attacks than traditional deployments. This reality has made security a paramount concern in the DoD's software modernization strategy.

The DoD Software Modernization Implementation Plan Summary outlines three main goals:

  1. Accelerate the DoD enterprise cloud environment

  2. Establish a department-wide software factory ecosystem

  3. Transform processes to boost resilience and speed

This approach is designed to deliver software capabilities that drive mission performance, promote safety and resilience, and improve the end-user experience across defense environments.

Understanding the DoD's DevSecOps Framework

DevSecOps represents a cultural and engineering shift that breaks down barriers between developers, security specialists, and operations teams. It creates cross-functional teams that unify historically disparate functions – development (Dev), cybersecurity (Sec), and operations (Ops). As a unified team, they follow Agile principles and embrace a culture that recognizes resilient software is only possible at the intersection of quality, stability, and security.

The DoD Enterprise DevSecOps Strategy Guide, along with supporting documents, provides comprehensive education, best practices, and implementation guidance for IT capability providers, consumers, product teams, and Authorizing Officials. This framework builds upon modern technology trends of the past two decades:

  • The shift from waterfall software development methodology to Agile

  • The transition from tightly coupled monolithic systems to loosely coupled modular services

  • Integration of security across the lifecycle of technology

  • Incorporation of testing throughout the software lifecycle

  • Evolution from traditional data centers to cloud

The DoD DevSecOps lifecycle consists of ten phases that proceed in a cyclical manner, with each cycle resulting in a software product release. Each release includes new functionality, performance enhancements, and/or security improvements, building upon the results of previous cycles.

The Architecture of a DoD Software Factory Ecosystem

There are several critical components in implementing DevSecOps within defense contexts. These include the software supply chain, software factories, DevSecOps platforms, CI/CD pipelines, and Infrastructure as Code (IaC).

Software Factories

A software factory functions as an assembly line of tools, policies, processes, and people that operates in an automated fashion to help build software more efficiently and provide rapid delivery to a specific community of end users. Software factories can incorporate multiple software assets including data analytics, automation, artificial intelligence and machine learning (AI/ML), and advanced software technologies.

The use of software factories is still maturing in the DoD, with the Air Force leading through examples such as Kessel Run, which was created in 2017. Kessel Run's Acquisition Strategy, the Kessel Run Air Domain DevSecOps Portfolio, consolidates 21 separate program efforts under a single acquisition strategy and establishes five Software Acquisition Pathway programs of record.

Secure Software Supply Chain

A Secure Software Supply Chain (SSSC) is critical "to prevent any combination of human errors, supply chain interdictions, unintended code, and support the creation of a software bill of materials (SBOM)". The Iron Bank provides Platform One and any DoD agency with a hardened and centralized container image repository that supports the end-to-end lifecycle needed for secure software development.

Iron Bank is responsible for the integrity and security of 1,800 base images that are provided to build and create software applications across the DoD. Their collaboration with Anchore since 2020 has focused on balancing deployment velocity and policy compliance while maintaining rigorous security standards and adapting to new security threats.

CI/CD Pipelines with Integrated Security

CI/CD pipelines include the tools, process workflows, scripts, and environments to produce software deployable artifacts with minimal human intervention. Security scanning is an essential aspect of DevSecOps pipelines, involving the analysis of software images deployed to cloud environments to identify vulnerabilities and mitigate security threats.

The integration of security tools into CI/CD pipelines helps ensure that security is built into the software from the beginning. This integration includes:

  • Static Application Security Testing (SAST) to analyze source code for security vulnerabilities

  • Dynamic Application Security Testing (DAST) to detect vulnerabilities in running applications

  • Software Composition Analysis (SCA) to identify known vulnerabilities in third-party components

  • Container scanning to detect vulnerabilities in container images

Implementing Continuous Security in the Development Lifecycle

DevSecOps mandates baked-in security via integral and comprehensive security practices across the entirety of the software supply chain, leveraging Zero Trust (ZT) and behavior detection principles.

Static and Dynamic Security Testing Integration

Combining automated static and dynamic security testing helps ensure system security by identifying vulnerabilities early in the development process. Static analysis examines source code, while dynamic analysis tests running applications, providing complementary security coverage.

A study on integrating security into DevOps methodology highlights the shift towards shared security responsibility, the strategic implementation of security tools, and the adoption of security-focused practices from the inception of development. This approach is critical for defense systems where security cannot be compromised.

Continuous Testing and Monitoring

DevSecOps emphasizes integrated, automated, and continuous end-to-end testing and monitoring, from ideation through production, with clearly defined control gates for release candidate promotion. Software development testing, government developmental testing, and operational testing should be integrated, streamlined, and automated to the maximum extent possible to accelerate delivery timelines based on risk strategies.

Automated test scripts and results should be made available to the test community so that critical verification functions (e.g., performance, reliability) and validation functions (e.g., effectiveness, suitability, and survivability) can be assessed iteratively and incrementally.
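A control gate for release candidate promotion can be expressed as a small policy check over the pipeline's scan results. The sketch below is an added example, not code from the DoD guidance or any software factory; the policy values, the exclusion list of known false positives, and all identifiers are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    scanner: str    # "sast", "dast", "sca" or "container"
    rule_id: str    # scanner rule or advisory id (constructed placeholders below)
    component: str  # source file, package or image the finding applies to
    severity: str

# Hypothetical gate policy: every scan type must have run, and any
# non-excluded finding at or above "block_at" stops promotion.
GATE_POLICY = {"block_at": "high",
               "required_scanners": {"sast", "dast", "sca", "container"}}

def evaluate_gate(findings, scanners_run, exclusions, policy=GATE_POLICY):
    """Return (promote, reasons); the gate fails closed on missing or odd data."""
    reasons = []
    missing = policy["required_scanners"] - set(scanners_run)
    if missing:
        reasons.append("missing scans: " + ", ".join(sorted(missing)))
    threshold = SEVERITY_RANK[policy["block_at"]]
    for f in findings:
        # Exclusions are scoped to (rule, component), so a false positive
        # accepted for one package does not hide the same rule elsewhere.
        if (f.rule_id, f.component) in exclusions:
            continue
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:
            reasons.append(f"unrecognised severity '{f.severity}' on {f.rule_id}")
        elif rank >= threshold:
            reasons.append(f"{f.severity} {f.scanner} finding {f.rule_id} in {f.component}")
    return (not reasons, reasons)

# Constructed sample data, not real scanner output or real advisory ids.
SAMPLE_FINDINGS = [
    Finding("sca", "EXAMPLE-ADV-0001", "libfoo-1.2.3", "critical"),
    Finding("container", "EXAMPLE-ADV-0001", "base-image/libfoo", "critical"),
    Finding("sast", "EXAMPLE-RULE-17", "src/auth.py", "medium"),
]
SAMPLE_EXCLUSIONS = {("EXAMPLE-ADV-0001", "libfoo-1.2.3")}

if __name__ == "__main__":
    ok, why = evaluate_gate(SAMPLE_FINDINGS, GATE_POLICY["required_scanners"],
                            SAMPLE_EXCLUSIONS)
    print("PROMOTE" if ok else "BLOCK", why)
```

With the sample data the gate blocks: the excluded package finding is skipped, but the same advisory reported against the container image is not covered by the exclusion and still stops promotion.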

Continuous Authorization to Operate (cATO): Moving Beyond Traditional Security Approvals

For defense agencies to deliver new features rapidly, they need an authorization process that keeps pace with continuous change for a developing capability – a continuous Authorization to Operate (cATO). Many defense agencies have identified obtaining an "authorization to operate" as the longest step in developing and deploying software.

The DoD CIO released the DevSecOps Continuous Authorization Implementation Guide on April 11, 2024, which seeks to guide defense agencies in achieving cATO for DevSecOps platforms and applications produced by a software factory as part of efforts to counter cyber threats.

According to the guidance, "An organization with a cATO is allowed to continuously assess and deploy subsystems that meet the risk tolerances for use within a system authorization boundary". This approach ensures a software factory includes a holistic set of information to enable continuous risk analysis, feedback from cyber operations, and continuous security posture and risk reporting.

To achieve cATO, authorizing officials must demonstrate three competencies:

  1. Continuous monitoring of Risk Management Framework controls

  2. Active cyber defense

  3. Use of an approved DevSecOps reference design for a software factory with a secure software supply chain

Additionally, systems seeking a cATO must have already achieved authorization and have entered the Risk Management Framework monitor stage.

Success Stories: DevSecOps in Action

Platform One and Iron Bank

The Platform One project with the U.S. Air Force (USAF) has broken new ground in many ways, such as insider threat checks on container images and the integration of an entire security pipeline specific to container images. The capabilities developed in this project surpass even those of many enterprise customers.

For the USAF, the goal isn't just to have unparalleled deployment velocity that enables them to deploy the latest software to fighter aircraft across the globe. They also need additional layers of security with a zero trust model, monitoring for insider threat within the software supply chain, and integration of strict software security best practices into container images.

The partnership between Iron Bank and Anchore Enterprise has yielded impressive results:

  • Reduced false positives: The introduction of an exclusion feed captured over 12,000 known false positives, significantly reducing the security assessment load

  • Improved SBOM accuracy: Custom capabilities enhanced the accuracy of Software Bill of Materials

Kessel Run

Kessel Run, officially known as Air Force Life Cycle Management Detachment 12, has a proven track record in enhancing efficiency, saving cost, and modernizing Air Force operations through agile software development.

The Kessel Run Air Domain DevSecOps Portfolio consolidates 21 separate program efforts under a single acquisition strategy and establishes five Software Acquisition Pathway programs of record. The strategy outlines how Kessel Run will employ DevSecOps as a modernization tactic to deprecate current systems and transform them into an approach that increases responsiveness to the ever-changing technology and threat landscape.

According to Rachel Mamroth, the Deputy Chief of Acquisitions for Kessel Run, "It helps us align our appropriated funds with our programs of record, in a way that allows us to maintain our DevOps Culture and approach to modernization. With this approved strategy we can keep true to the modernized development and delivery of software while still being accountable and reportable to Congress".

Measuring Success: DevSecOps Metrics that Matter

The benefits of adopting DevSecOps in defense contexts are quantifiable through several key metrics:

Delivery Metrics

  • Reduced mean-time to production: Reduces the average time it takes from when new software features are required until they are running in production

  • Increased deployment frequency: Increases how often a new release can be deployed into the production environment

A study comparing CI/CD integration with traditional approaches found that CI/CD teams achieved 10 releases per month versus 3 for traditional teams, and that time-to-market fell from 6 weeks to 2 weeks.

Operational Metrics

  • Decreased mean-time to recovery: Decreases the average time it takes to identify and resolve an issue after a production deployment

  • Decreased change-fail rate: Decreases the probability that a new feature delivered in production will result in a failure in operations

The same study showed that CI/CD integration improves software quality, with defects falling from 1.5 to 0.5 per thousand lines of code.

Security Metrics

  • Risk management: Fully automated risk characterization, monitoring, and mitigation as artifacts are released and promoted through every step

  • Vulnerability remediation: Speed and completeness of addressing identified security issues

  • Compliance validation: Continuous verification of compliance with security requirements

Strategic Considerations for DevSecOps Adoption

Cultural Transformation

DevSecOps requires a cultural shift that emphasizes collaboration, shared responsibility, and continuous learning. This transformation can be challenging, especially in traditional defense environments with established hierarchies and processes.

The most successful DevSecOps teams are characterized by low redundancy, high collaboration, and repeatability in their processes. Automation and auditability are prioritized, replacing subjective decision-making with consistent, reproducible outcomes.

Talent Development

Building and maintaining DevSecOps capabilities requires skilled personnel who understand both development practices and security principles. Investing in training and professional development is essential for successful implementation.

Teams that integrated CI/CD showed improved collaboration, reporting more frequent meetings and higher job satisfaction scores. However, resistance to change can be a challenge that needs to be managed through training and specific practices.

Risk Management

DevSecOps does not eliminate risk; it changes how risk is managed. By integrating security throughout the development process and implementing continuous monitoring, organizations can identify and address risks more quickly and effectively.

The DoD acknowledges that "software is never done" and that "cyberspace adversaries never quit". Therefore, the actions taken to achieve cyber survivability today may be insufficient tomorrow, justifying the need for continually updated DevSecOps reference designs linked to specific versions of cATO.

The Future of DevSecOps in Defense

The recent release of the DoD Enterprise DevSecOps Fundamentals guidance demonstrates the department's ongoing commitment to advancing DevSecOps adoption. This guidance acknowledges the importance of software and seeks to promote modern software practices across the department.

As software becomes increasingly critical to national security, the integration of security into development processes will only grow in importance. Future developments may include:

  • Greater automation of security processes

  • More sophisticated threat intelligence integration

  • Enhanced supply chain security measures

  • Expanded use of artificial intelligence for security monitoring and response

The DoD's approach to DevSecOps serves as a model for other government agencies and even private sector organizations dealing with sensitive data and systems. By embedding security at the speed of innovation, defense organizations can maintain technological superiority while protecting critical infrastructure and information.

For defense leaders navigating this transformation, the path forward involves strategic investment in DevSecOps capabilities, fostering a culture of security awareness and responsibility, and maintaining a long-term commitment to continuous improvement in software development practices. The rewards (enhanced mission capabilities, improved security posture, and greater operational agility) make this journey essential for maintaining technological advantage in an increasingly complex and contested environment.
