In 2018, Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, stated that the degree to which software drives our world demands that we move toward a modern tech company model for software delivery: “As we reorganize the way we do business, the thread that runs through all of our programs and all that we do is software, and I believe that we need to catch up with the private sector and make sure we are using contemporary software development processes.” This shift to a modern software development paradigm requires new statutes, policies, and processes, and a culture of collaboration.
Software-enabled capabilities have unique technical properties that enable frequent change, unlike any other system components. As noted in the May 2019 Defense Innovation Board Software Acquisition and Practices report on reforming DoD software practices: “Software is never ‘done’ and must be managed as an enduring capability that is treated differently than hardware.” Recognizing this, OSD is leading a set of inter-related initiatives to develop policy, guidance, training, and enterprise resources that will transform the way that the Department acquires software.
The new software policy incorporates principles from the Lean Startup methodology and from commercial and Agile software development. Among these is a focus on demonstrating progress and value via more frequent and continuous deliveries of working software, which enables users and other stakeholders to examine and provide feedback on early capabilities of the system. A key enabling culture and technology for this approach is DevSecOps, an ecosystem-based approach and set of tool-supported practices that allow considerations from development, security, and operations to be addressed early and continuously in an integrated fashion. DevSecOps helps achieve the speed necessary to deliver meaningful versions of code more frequently than ever before. It also ensures that this increase in speed does not come at the expense of good engineering practice – to the contrary, it can improve software quality. For example, it can enable rapid fixes for software vulnerabilities in minutes or hours instead of months or years. Additionally, by automating testing and security checks on small batches of new software, these activities are performed constantly rather than as separate activities that occur at the end of the lifecycle.
Cutting-edge processes and technology alone are not enough. The best policies still require an appropriately educated workforce to execute them, and there has already been a great deal of interest in this modern approach and technology from across the workforce. Recognizing this, the DoD’s acquisition leadership, the Chief Information Officer, DAU, the Air Force’s Chief Software Officer, and other key stakeholders partnered to begin addressing the need. A DevSecOps Community of Practice (CoP) was stood up in April 2019 with 94 people, and membership has risen steadily and currently stands at over 400 members.
Reflecting the cross-cutting nature of software in our systems, the CoP members represent personnel with a variety of responsibilities, including developers, program managers, cybersecurity personnel, and testers. All of the Services are represented, as well as at least 20 additional organizations, including multiple offices within OSD, multiple combatant commands, other federal agencies, and the Joint Staff.
The CoP convenes at periodic meetings for presentations and knowledge-sharing opportunities, covering topics such as DevSecOps implementations within organizations like the Air Force, Navy, DISA, and DIA; acquisition topics such as the Adaptive Acquisition Framework and DevSecOps contracting; training; and software supply chain assurance. A special session was held in June when the DoD CIO, Mr. Deasy, addressed the CoP and discussed the new direction DoD is taking. Content discussed and reviewed within the CoP is posted to a milSuite site (CAC login is required to access the community information page).
The CoP is not just for information sharing, however. It has also been instrumental in informing Department strategy. For example, it was used to provide subject matter expert feedback on the now signed, published, and publicly released DoD Enterprise DevSecOps Reference Design. Published by the DoD Chief Information Officer, the Reference Design provides important technical detail on the tools and activities that support a DevSecOps implementation, as well as an introduction to the DoD enterprise DevSecOps container service. Other products in development are training learning objectives, the Accelerated ATO Playbook, and a DevSecOps Playbook that will contain a maturity model and industry-based recommended metrics for programs to track.
These efforts are essential to the Department’s drive to deploy capabilities to the warfighter at greater speed. For successful private sector tech companies (and DevSecOps organizations), as for DoD’s new software strategy, a culture of high collaboration that enables innovation is critical. Interested participants are invited to join future meetings to hear more about ongoing work and to understand what resources and expertise are available. The CoP will be further expanded to bring in industry participants through industry associations such as NDIA and INCOSE. Meetings have begun in full force for 2020, and with the expansion of topics and participants, we expect to see even greater success in the future.