The Defense Department will not see the return on investment that DevSecOps development practices can provide unless it makes cultural and procedural shifts, according to DOD officials.
Katie Arrington, chief information security officer for DOD’s acquisition office, said DOD has more work to do on changing workforce culture within the Pentagon around DevSecOps. DevSecOps is not just the latest in a long line of buzzwords—from waterfall to agile to DevOps—but a priority, according to Arrington.
“You think about long-term sustainability, if we don’t start to really emphasize DevSecOps as we go forward and build on the good work that has been done, we’ll never see the actual return on investment in the life cycle that we need,” Arrington said at a webinar hosted by AFCEA International’s SIGNAL Magazine Wednesday.
Arrington added the department needs to educate the workforce around what DevSecOps means for them. She wants the workforce to understand that DevSecOps is not something that will replace jobs, but enhance the work they are currently doing.
The DevSecOps methodology integrates security controls into every iteration of the development cycle, rather than bolting them on at the end. The result is more comprehensive security at the speed needed to stay ahead of adversaries looking to exploit vulnerabilities. Platform One, originally an Air Force project, is DOD’s flagship DevSecOps initiative.
To use DevSecOps more widely across DOD components, contracting procedures have to adapt. Arrington touted DOD’s new Adaptive Acquisition Framework as key to enabling adoption of DevSecOps. The framework, which has a dedicated software pathway, signals that DOD is committed to “baking in” security at every step of the process, according to Arrington.
Defense Undersecretary for Acquisition and Sustainment Ellen Lord officially approved the software acquisition pathway for operation earlier this month. The interim software acquisition policy it subsumes had been in use since January 2020. The pathway is meant to enable the kind of iterative development methodologies on which DevSecOps is based.
Lord and Arrington have both pointed to the Air Force’s Ground Based Strategic Deterrence, or GBSD, system as an example of a program already using the new pathway successfully. Arrington on Wednesday said the acquisition strategy ensured a capable DevSecOps environment. But broadly speaking, it’s still a challenge to work DevSecOps requirements into contracts, Arrington said.
“It’s becoming a larger part of a lot of acquisition strategies,” Arrington said. “It’s a little bit hard right now because it’s a burgeoning case.”
Daniel Holtzman, the Air Force authorizing official for GBSD cloud and DevSecOps, said during the webinar that he is working with industry partners to develop better metrics around innovative development protocols.
Holtzman said he is working on better criteria, observables and behavior standards. He plans to hold an industry summit to hash out a common measuring stick so that contractors have a clear understanding of DOD requirements, allowing them to innovate and compete more effectively.