Fostering a Culture of Security in DevSecOps Teams: A Federal Government and DoD Perspective

Written By Mike 'MJ' Johnson

The concept of security in government software development has evolved from "throwing code over the wall" to security teams, to becoming an integrated, continuous part of development processes. This evolution represents not just a technological shift, but a profound cultural one. In today's high-stakes national security environment, building a security-conscious culture within DevSecOps teams isn't just good practice—it's mission critical.

The Government Security Paradigm: Where DevSecOps Meets Clearance Levels

In the federal government context, DevSecOps represents more than a methodology—it's a fundamental shift in how agencies approach software security. According to DoD guidance, DevSecOps is "a combination of software engineering methodologies, practices, and tools that unifies software development (Dev), security (Sec), and operations (Ops)". This integration is particularly crucial in environments where software supports national security, critical infrastructure, and citizen services.

Unlike commercial environments, government DevSecOps teams must navigate unique cultural challenges:

The Classification Conundrum

Government teams operate across varying classification levels, often creating what could be called "security silos of necessity." While commercial DevOps teams might share everything openly, federal teams must balance collaboration with proper handling of classified information. This creates a paradoxical challenge: How do you foster an open culture when certain team members can't access all information?

As one Pentagon developer might joke, "Our stand-up meetings would be more productive if I could actually tell you what I'm working on."

The Regulatory Gauntlet

Government DevSecOps teams don't just secure against threats—they secure against audit findings. The Federal Information Security Modernization Act (FISMA), Risk Management Framework (RMF), and numerous agency-specific directives create a regulatory environment that makes security both a technical and compliance challenge.

The Department of Veterans Affairs found that developing a model to break down traditional silos and establishing strong communication lines around the new Agile cultural mindset was essential for change. As their Enterprise Program Management Office Acting Associate Deputy Assistant Secretary noted, "Culture is the hardest problem to solve, and you've got to start early."

Cultural Foundation: Building Security Consciousness from the Ground Up

1. Reframing the Security Narrative

The first step in transforming security culture is changing how teams perceive security—from an obstacle to an enabler. This mental shift is crucial in government contexts where security has traditionally been seen as a compliance checkbox rather than a value enhancer.

According to the Government DevSecOps guide, teams must see security not as "something that happens at the end" but as "a continuous process integrated throughout the development lifecycle". This requires educating teams on how security measures protect both the mission and the public trust.

The Air Force Chief Data Officer emphasizes that creating a culture that empowers any team member to offer ideas is critical. When anyone at any level can generate a great idea that moves quickly up the chain, it streamlines important security innovations.

2. Shared Responsibility Model

In traditional government operations, security responsibilities were clearly delineated. In DevSecOps, the lines blur intentionally. The DoD Enterprise DevSecOps Fundamentals document emphasizes "a culture of shared responsibility for performance, security, and operational integrity throughout the entire software lifecycle".

This means developers need to understand security principles, security professionals need to understand development workflows, and operations teams need to understand both. It's no longer acceptable to say, "That's Security's problem" or "Development will fix it."

As one DevOps engineer might quip, "In the old days, you'd throw your code over the wall and then blame Security when your deployment got delayed. Now you have to sit in the same room with them. It's terrifying."

3. Automate What You Celebrate

What gets measured gets managed—and in government DevSecOps, what gets automated gets adopted. Federal agencies should consider:

  • Automating security scans and making results visible to all team members

  • Celebrating improvements in security metrics as much as feature deliveries

  • Creating dashboards that show the team's security posture in real-time

The DoD guidance notes that "automation is an imperative in any DevSecOps environment". This includes automation of version control, continuous integration, testing, configuration management, deployment, and monitoring.

Practical Implementation Strategies for Federal and DoD Teams

1. Security Champions Program

Establish a network of "security champions"—team members who serve as security advocates within their development teams. These individuals:

  • Receive additional security training

  • Act as the first point of contact for security questions

  • Help review code and designs from a security perspective

  • Liaison with dedicated security teams

NASA's Applications Associate CIO notes that "training is vital to any Agile, DevSecOps transformation... because we're asking people to change the way they've operated for many years". A security champions program creates a structured pathway for this knowledge transfer.

2. Immersive Security Exercises

Traditional security training in government often involves compliance-focused slideshows. Instead, implement:

  • Capture-the-flag competitions focused on government-relevant security scenarios

  • Red team exercises that simulate advanced persistent threats targeting agency systems

  • "Fix-a-thon" events where teams collaborate to resolve security vulnerabilities

As one government DevSecOps practitioner might jest, "Nothing builds team camaraderie like staying up all night defending against a simulated nation-state attack. It's like a team-building exercise, but with more caffeine and keyboard shortcuts."

3. "Shift Left" Security Policy

Implement concrete policies that embed security from project inception:

  • Security requirements defined in initial user stories

  • Threat modeling conducted during design phases

  • Static and dynamic security testing integrated into CI/CD pipelines

  • Pre-approved security controls for common scenarios

The GSA IT-approved tools list provides a framework for this approach, specifying tools across the build, test, deploy, and operations phases. Their model includes security tools like ClamAV and Nessus integrated directly into the DevSecOps workflow.

4. Continuous Authorization to Operate (cATO)

The cATO model represents a cultural achievement for government DevSecOps teams. As defined in DoD guidance, cATO is "the state achieved when the organization that develops, secures, and operates a system has demonstrated sufficient maturity in their ability to maintain a resilient cybersecurity posture that traditional risk assessments and authorizations become redundant".

This requires:

  • Robust information security continuous monitoring

  • Active cyber defense capabilities

  • Secure software supply chain management

  • Cultural acceptance of continuous security assessment

Breaking Down Bureaucratic Barriers

One of the most significant challenges in government DevSecOps is the clash between agile security practices and bureaucratic processes. The journey to implementing DevSecOps in government requires "overcoming bureaucratic inertia with continuous delivery".

Strategies for Bureaucracy-Busting:

  1. Document the Security ROI: Demonstrate how DevSecOps security practices actually enhance compliance with existing government frameworks rather than bypassing them.

  2. Create Security Acceleration Lanes: Establish pre-approved paths for common security scenarios that don't require lengthy approval processes.

  3. Engage Authorization Officials Early: Include security authorizers in sprint reviews and demonstrations so they become comfortable with incremental security improvements.

  4. Leverage DoD Software Factories: The Department of Defense's software factories are "spearheading this cultural shift, setting an example for other federal agencies by emphasizing the importance of adapting to rapid technological changes".

As one government IT professional might observe: "In commercial DevOps, you move fast and break things. In government DevSecOps, we move carefully and don't break classified systems, compliance frameworks, or federal laws. It's a subtle difference."

Measuring Security Culture Success

Cultural change needs measurement to be sustainable. Key metrics for government DevSecOps security culture include:

DORA and Google Metrics

The DevOps Research and Assessment (DORA) metrics identified in DoD guidance include:

  • Deployment frequency

  • Lead time for changes

  • Mean time to repair

  • Mean time to recovery

These should be supplemented with security-specific metrics:

  • Time to resolve identified vulnerabilities

  • Percentage of code covered by automated security testing

  • Number of security issues found in production vs. development

Cultural Health Indicators

Beyond technical metrics, measure:

  • Percentage of team members who have completed security training

  • Frequency of cross-team security collaboration

  • Number of security improvements suggested by non-security team members

Case Studies: Federal Success Stories

Air Force Platform One

The Air Force's Platform One has become a model for government DevSecOps. By focusing on team empowerment and security automation, they've achieved continuous authority to operate for critical systems while maintaining stringent DoD security requirements.

As Air Force Chief Data Officer Eileen Vidrine emphasizes, communication is critical in creating a culture that empowers team members at all levels. This approach has allowed Platform One to deliver secure software at speeds previously thought impossible in government contexts.

VA Enterprise Transformation

The Department of Veterans Affairs has been working to break down historical silos through a functional model that moves away from traditional pillar approaches. Their focus on "communication, and we had to establish kind of a drum beat early and often and consistently, just shape the culture, shape the narrative, shape the vocabulary" has been essential in transforming their security culture.

Conclusion: The Future of Government DevSecOps Security Culture

Fostering a culture of security in government DevSecOps teams isn't just about implementing technologies or processes—it's about fundamentally changing how people think about and approach security. As one quote from the DevSecOps Manifesto reminds us, "The purpose and intent of DevSecOps is to build on the mindset that 'everyone is responsible for security'".

The journey to a mature DevSecOps security culture in government agencies requires patience, persistence, and a willingness to challenge established practices while respecting the unique security requirements of federal systems. By emphasizing shared responsibility, automation, continuous learning, and cross-functional collaboration, government agencies can create DevSecOps teams that deliver both innovation and security—proving that in the world of government IT, you actually can have your classified cake and eat it too.

As federal agencies continue their digital transformation journeys, remember that DevSecOps is fundamentally "a cultural movement supported by technology". The technology enables the change, but culture makes it sustainable.

Mike 'MJ' Johnson
Next

Building Secure Infrastructure from Day 0: Automating for Compliance and Resilience