The DoD Office of the Chief Information Officer provides policy and guidance regarding the development and utilization of software and hardware. These resources, paired with industry best-practices, play a significant role in shaping the DoD’s adoption of DevSecOps and Zero Trust Architecture.
The Importance of DevSecOps
Notably, the November 2021 release of the DoD Software Modernization Strategy and the January 2022 release of the DoD Software Development and Open Source Software Memo signal the government’s intent to not just shape policy but ensure its execution at the mission level.
The successful deployment of these tactics will depend on a myriad of factors, key among which are:
• Individual agency prioritization,
• Accessibility of actionable guidance to leadership,
• Comprehension at the mission level, and
• Ability to enact best-practices.
Organizations across the DoD have acted quickly in their commitment to Modernization and DevSecOps, but there is a frequent disconnect at the mission and field layer.
Team capacity and technical ability are often barriers to proper deployment. Additionally, the new guidance is predominantly forward-looking, while there remains significant difficulty in identifying and reconciling historical vulnerabilities.
To resolve this weak point, teams must commit to dedicated and focused modernization campaigns. However, the persistent siloization of teams and agencies inherently prevents widespread consistency and efficiency in attacking this problem.
This is where commercial organizations must commit to the DoD CIO’s call for shared responsibility. As creators, implementors, users, experts, and sellers of the various tools the government utilizes, we must leverage our expertise to become leaders in the adoption of DevSecOps, Modernization, and Zero Trust Architecture.
We must empower the government user with Resilient Software solutions. Borrowing from the DoD Enterprise DevSecOps Strategy Guide, we can summarize this to mean:
• Security: Secure software detects and resists cyberattacks, offering the warfighter a quantified degree of cyber survivability.
• Stability: Stable software performs well without breaking or crashing, and dynamically scales to match demand.
• Quality: Quality software maximizes user-requested feature sets and minimizes functional defects.
How can we be better DevSecOps practitioners?
Contegix has been a thought leader in this space, not only as a provider of secure hosting solutions but also as a provider of DevOps / DevSecOps services and consulting. With the 2021 acquisition of Ascend Integrated, Contegix bolstered its strength in this space by adding a proven federal team to the organization.
But while proven commitments in this space are strong credentials, the true commitment must always be revised and re-affirmed through adherence to evolving policy and best-practices. For this reason, our team challenges itself to not just follow but also evangelize the practices we know lead to secure operations. That means we must continually educate ourselves, implement solutions with security as a priority, and make it easier for clients, partners, and the industry to do the same.
How can you be better DevSecOps practitioners?
- Culture – Create a culture that values security, even when it means additional effort on the front-end. A well and securely built application or process can avert later disaster.
- Education – The challenge of best practices in DevOps is that they evolve so quickly, and this is exacerbated when you prioritize security. Modern organizations must determine which DevSecOps practices apply to their work and implement them as core behaviors.
- Resources – Though operationally challenging, there are strong dividends from DevSecOps commitments. Consider establishing a role in your organization responsible for cultivating and distributing DevSecOps information.