REI Insights

DevSecOps: The Ultimate Solution to Software Vulnerabilities for DOD & DHS
May 22, 2023
Reading Time: 4 minutes

In the era of increasing cyber threats, software vulnerabilities have become a major concern for the federal government. To counteract these threats and bolster overall security, agencies have adopted DevSecOps — the ultimate approach against software vulnerabilities that integrates security into every aspect of the development process.

In the defense and national security ecosystem, DevSecOps helps agencies respond to and counter threats faster and more effectively. By integrating security into every stage of the software development lifecycle, from design and coding to testing and deployment, DevSecOps can help reduce the risk of security breaches and improve the security posture of these organizations. National security organizations are often subject to strict security regulations and guidelines. DevSecOps can help these organizations ensure their software systems comply with these regulations, slashing the risk of fines, penalties, or other legal consequences.

The Defense Department (DOD) has been reaping the benefits of DevSecOps through its Enterprise DevSecOps Initiative and Platform One, a cloud-based DevSecOps platform that supports software development and deployment. This central platform provides a standardized, secure, and scalable environment for developers to build, test, and deploy software applications quickly and efficiently.

As the DOD enterprise service provider for DevSecOps, Platform One builds on the Pentagon’s Digital Modernization Strategy, a roadmap to faster deliver software capabilities in support of DOD priorities. It provides a unified platform for software development across all DOD branches, enabling faster delivery of mission-critical applications. It’s been used by the Air Force, the Navy, and the Joint Artificial Intelligence Center, to mention a few:

  • The Air Force’s Kessel Run program and Platform One signed a memorandum in November 2021 to work together and share technical roadmaps and more as part of a sweeping effort to help prevent silos and duplication in DOD. The memo highlights how the future of DevSecOps and Agile software development relies on collaboration toward identical goals.
  • The Navy deployed a DevSecOps environment in AWS Secret Region to deliver new capabilities to its sailors. Known as the Overmatch Software Armory, this environment meets Impact Level 6 requirements.
  • The Joint Artificial Intelligence Center teamed with Platform One in July 2020 to leverage DevSecOps “in leading-edge, transformative ways,” including making it easier to secure and quickly authorize artificial intelligence (AI) and machine learning (ML) capabilities and create general DevSecOps automation capabilities for the dataset work and the model work.

Additionally, the Defense Information Systems Agency said last April it plans to use DevSecOps to implement the Joint All-Domain Command and Control (JADC2) initiative. This approach involves delivering new capabilities and tools at mission speed, then adapting, refining, and expanding those capabilities across DOD components and military service branches. The agency also last November announced the Vulcan program, a set of tools that help DOD agencies implement DevSecOps and Agile practices.

On the Department of Homeland Security (DHS) side:

  • The Federal Emergency Management Agency (FEMA) leveraged DevSecOps to modernize its Community Information Systems (CIS) web application.
  • U.S. Customs and Border Protection Cargo Systems Program Directorate (CSPD) has 105 applications that help enforce trade laws, protect borders, and facilitate legitimate trade. To deploy changes and updates to these applications, CSPD uses DevSecOps techniques, completing around 50 deployments every month.
  • The Coast Guard is slated to launch its first software factory later this year. Its Software Factory Implementation and Sustainment task contract was also awarded last December.

Although DevSecOps has been beneficial across DOD and DHS, this approach comes with its challenges. Unlike the traditional approach of adding security as an afterthought, DevSecOps requires holistic thinking about software development, from culture to design and automation. There is often resistance to change, and DevSecOps demands a shift in mindset, work practices, and organizational culture.

Teams may struggle to collaborate or communicate because of a siloed culture, and there might be a lack of ownership because everyone needs to own security, not just a separate team. This shift can be significant for organizations used to handling security separately. Beyond these hurdles, DOD and DHS have unique challenges with DevSecOps implementation. Many of their agencies require security clearances for employees and contractors, which is a lengthy and resource-intensive process. This can slow down hiring and limit available DevSecOps talent.

Strict regulations and policies around security, data protection, and information sharing can make it difficult for DOD and DHS agencies to implement DevSecOps practices that prioritize speed and agility. However, DOD has a DevSecOps playbook with steps to take to introduce DevSecOps practices successfully. Likewise, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence have a guide for developers on DevSecOps best practices.

Finally, defense and national security agencies face threats from nation-states, cybercriminals, and other adversaries actively seeking to exploit vulnerabilities in their systems. This requires a heightened level of security and risk management that must be integrated into DevSecOps practices. Despite this, expect DevSecOps to pick up even more steam in DOD and DHS. As these agencies continue to prioritize cybersecurity and modernization efforts, they are poised to further embrace DevSecOps to accelerate their software development cycles and bolster their security posture. Expect also these agencies to increase the adoption of technologies like automation, AI, and ML to enhance their DevSecOps capabilities. Training and upskilling employees will also be important to close the skills gap and build a strong DevSecOps workforce for years to come.

Switching to a secure mindset is a huge transition for government agencies, but you don’t have to go it alone. To learn more, visit www.reisystems.com for information on how we can help.

 

Andy

Andrew (Andy) Zeswitz serves as the Chief Technology Officer for REI Systems. He leads corporate strategy to identify and adopt new technologies, champions innovation and delivery evolution, and is responsible for building capacity and mentoring talent within the organization.

 

Andy Zeswitz Full Bio