There is a seismic shift taking place in the Defense Department (DoD) that has been years in the making. If executed as planned, this cultural and technical shift will gradually take hold across the civilian, military and contractor workforces — saving time, money and enabling DoD to be more responsive to warfighters’ needs.
This new way forward is summed up in 89 pages of documentation released last fall that formalize how the department will plan, develop, test, release, operate and monitor its massive investments in software. This includes the software that powers business systems for tracking things like financial and logistics operations, as well as weapons systems, including aircraft, missiles and ships.
What DoD is moving toward is a cultural practice known as DevSecOps, which unifies software development, security and operations teams. The goal is to automate, secure and monitor all phases of the software lifecycle — reducing the chances for human error. If you’ve ever agonized over the time it takes to get seemingly simple software fixes — or large ones — completed, then you have a vested interest in the success of DevSecOps.
“DevSecOps is our methodology,” said Stephen Wallace, Systems Innovation Scientist with the Defense Information Systems Agency (DISA) Emerging Technology Directorate. What DISA wants to do beyond the code development principles is to take those principles and apply them to the way it deploys infrastructure for DoD, Wallace said during the agency’s forecast to industry event.
DoD is now operating under the assumption that “DevSecOps architecture must have the capability to scale to any type of operational requirement needing a software solution,” including intelligence analysis systems, command and control systems and autonomous systems. Cloud computing is also a key part of DoD’s new path forward, so the department has made clear that “deploying to a certified and monitored cloud environment will become their preferred solution technically and culturally.”
Although the word DevSecOps may not roll off the tongue for everyone, it is a game-changing approach that’s gaining steam across government. The Air Force, Centers for Medicare & Medicaid Services and U.S. Citizenship and Immigration Services are among the agencies using DevSecOps as a mission enabler. Companies such as Netflix and SpaceX rely on this approach to run their businesses.
To better understand what DevSecOps means for DoD and the significance of what’s to come, GovLoop sat down with Nicolas Chaillan, who was appointed as the first Air Force Chief Software Officer. Prior to that, he served as Special Advisor for Cloud Security and DevSecOps at DoD.
Chaillan isn’t just a champion of DevSecOps, he’s all in — literally. He owns a Tesla and is a fan of the autopilot feature, which benefits from continuous improvements through over-the-air software updates. At its core, DevSecOps is about continuous improvement, and from a mission perspective that is critical when lives are at stake.
Among the main takeaways from Chaillan’s interview was the ability of DevSecOps to speed the approval process for getting new and updated software capabilities into the hands of DoD personnel. Not only that, but the idea here is to level the playing field for innovative companies of varying sizes that have technology capabilities that could benefit service members. The goal is to get those capabilities into the hands of end users faster without the risk of locking the department into a single vendor.
Another unique aspect of this rollout is the fact that DoD is not mandating the use of DevSecOps. “We don’t want to mandate it because, for me, you know when you mandate things it’s usually [because] you’re doing something wrong,” Chaillan said. “If you’re pushing the right technology or the right ideas, often you know when people have a choice, they will make the right choice.” He believes the benefits provide compelling reasons for people to try a new way of doing business.
Chaillan, who has spent much of the past several months spreading the gospel of DevSecOps to both the government and industry communities, used the Air Force’s Cloud One offering as an example of the power of cloud and DevSecOps. With Cloud One, the Air Force can stand up an instance of a DevSecOps environment in a week with an authority to operate (ATO). “That used to take eight months,” he said. “Imagine the value of that for the people building weapons systems.”
Wallace echoed those sentiments. He explained DevSecOps in terms of a carrot and stick approach, adding that it is more carrot than anything else when it comes to the government’s often months-long process of approving any software or system to operate on its networks. “If you can automate it [the ATO process using DevSecOps], and you can show in your accreditation package how you got to where you got, your accreditation is going to go far easier.”
“It is continuous ATOs,” Wallace said, touting the benefits of automation to keep agencies’ IT systems in a state of continuous compliance.
Of course, with any change that spans a department the size of DoD, there will be a steep learning curve and training that will be needed for software developers, security professionals, operations teams, service members and contractors, to name a few, Chaillan said.
He explained that the DevSecOps movement within DoD was designed with scale in mind, rather than having pockets of trial and error across the department. Training is a key area where Chaillan said that DoD has learned the importance of not leaving the contractor community behind and ensuring they are properly trained alongside DoD personnel.
Chaillan estimates it could take a year or two for larger teams to move away from the waterfall method of developing software and adopt DevSecOps.
“I think everyone, every big [DoD] program is moving to a DevOps model,” he said. “What I mean by moving is, they are not there. It’s going to be a journey.”
For additional information about the DoD’s DevSecOps efforts and the technology behind it, check out a recent presentation from Chaillan and read about the Air Force’s DevOps initiatives here. You can also get insights about DevSecOps efforts governmentwide in GovLoop’s recent guide.
Photo Credit: DoD Flickr