How DevSecOps software factories are closing the delivery gap for DOD
- By Dave Erickson
- Oct 08, 2021
One of the biggest challenges facing the Department of Defense today is how to quickly get mission-critical capabilities into the hands of personnel. Much of that acceleration is dependent on software development and certification, and the reality is that too much software is already out of date by the time it reaches the field.
Commercial behemoths like Uber, Netflix and Walmart routinely deploy software at the “speed of business,” and while DOD has unique security requirements, it still can’t compromise on speed. The mission can’t afford lag times in delivering innovative software, applications and capability to the field.
Recognizing the need to develop and deploy software at the “warfighting speed,” DOD leadership has led the charge on embracing DevOps to streamline delivery cycles, empowering a continuous workflow for developers and operations specialists to collaborate as they build, test and deploy software. The need to keep pace with rapidly evolving cyber threats gave rise to DevSecOps -- integrating security teams and best practices into development efforts.
DevSecOps is regularly cited as foundational to the success of major strategic concepts like Joint All-Domain Command and Control, and the DOD Enterprise DevSecOps Initiative holds incredible promise. Its goal is to bring “automated software tools, services and standards to DOD programs so that warfighters can create, deploy, and operate software applications in a secure, flexible, and interoperable manner.”
Accelerating delivery while continuously improving cyber posture will require governance, tooling, training and collaboration across stakeholders within DOD, and all of this will have to happen fast, at the speed of the mission. The best way to achieve this kind of success for DevSecOps initiatives in the DOD is through software factories.
Why DevSecOps software factories work
A software factory is a digital version of its physical manufacturing counterpart. Software factories bring together development resources to leverage economies of scale and automation to optimize the speed and quality of software development.
DOD has been a global leader in embracing the software factory concept, using innovation hubs like Kessel Run to execute its DevSecOps vision. By bringing security teams into the same room as the developers and operations professionals, zero-trust principles are incorporated into every new release from the start. Backed by automation, this upfront security investment streamlines testing, compliance and ultimately approvals -- often the largest barriers to faster delivery. The result is preapproved tools that personnel can easily access to build new solutions.
With centralized resources in the cloud, these economies of scale can be delivered DOD-wide, empowering continuous feedback loops, continuous monitoring, continuous rapid prototyping and ultimately continuous authority to operate.
Building the data foundation to streamline the ATO process
The DOD ATO process to accredit software takes an average of eight months.
The process is rigorous for very good reasons -- there are no organizations with more critical or unique security requirements like those of DOD -- but approving individual component software tools is onerous and time-intensive. As a result, capabilities are often out of date and irrelevant to the mission by the time they are approved for use in the field.
Software factories can help usher in an “approve once, use many” operating picture. This is made possible through DevSecOps by first identifying all relevant data required for the software’s ultimate operation. Software development and eventual deployment can’t be expected to race along if those working on the project are bogged down by manually searching through the millions of datasets scattered across the DOD. Ensuring developers are set up for success can minimize changes required of the software after its development, allowing for quicker approvals and drastically speeding up the authorization process.
A great example of how software factories have transformed this process already comes from the Air Force's Platform One program. Platform One supports the Air Force’s overall DevSecOps structure to provide agencywide ATO services. Through automation, the Air Force has been able to dramatically reduce software release timelines, achieving in one week what was previously accomplished in three to eight months. Platform One has empowered a continuous ATO posture, which enables the teams to regularly push software updates, get new releases approved and make them available on an ongoing basis to the mission personnel that rely on them.
The future of software factories and industry’s role
That old adage, “everything is bigger in Texas?” Try again. Everything is bigger in the Defense Department. Due to the complicated, competitive and globe-spanning nature of DOD and its missions, the challenges defense agencies face are that much larger.
Industry has a major role to play in empowering the DOD DevSecOps evolution, and we must step up our game. As we partner on these incredibly important efforts, we must deliver tools that maximize flexibility through open platforms that ensure application portability. We have to help the DOD avoid vendor lock-in while optimizing security and agility. We have to remove hurdles to embracing our software and make procurement as fast and simple as possible. Because industry plays a key role in building future mission-critical partnerships, we have to move at the speed of DevSecOps as well.
Dave Erickson is senior director of solutions architecture at Elastic.