Defense Department's DevSecOps Initiative Is on the Move
The military is aggressively rolling out an advanced software development environment.
The Defense Department is pursuing an aggressive software development program, called the DOD Enterprise DevSecOps Initiative. The effort is focused on bringing automated software tools, services and standards to DOD programs so that warfighters can create, deploy and operate software applications in a secure, flexible and interoperable manner, explained Nicolas Chaillan, chief software officer, U.S. Air Force, co-lead of the DOD Enterprise DevSecOps Initiative. The program is a joint effort of the DOD’s Chief Information Officer, Office of the Undersecretary of Defense for Acquisition and Sustainment and the services, he said.
“Leveraging industry acquisition best practices combined with centralized contract vehicle for DevSecOps tools and services will enable rapid prototyping, real-time deployments and scalability,” Chaillan stated.
The chief software officer presented the status of the DevSecOps effort to attendees at the Washington, DC AFCEA Chapter’s 2019 Technology Summit Series event, Emerging Technology and Accelerating Adoption Tech Summit, on Tuesday. So far, the effort has been applied to 29 weapon systems, and the goal is to expand to 172 in the next six months, he said.
The use of a DevSecOps model will “bake in and enforce cybersecurity functions and policy from inception through operations,” Chaillan stated. It will “ensure seamless application portability across enterprise, cloud and disconnected, intermittent and classified environments.”
The DevSecOps effort harnesses so-called software containers, a dedicated repository of code and solutions that is secure and compliant with the Federal Risk and Authorization Management Program, or FedRAMP, and National Institute of Standards and Technology (NIST) criteria. “[When] two containers talk to each other, even if the development team did not, encryption is going to hijack it and create a tunnel and you get baked-in security for free,” he clarified. “And a lot of the NIST compliance is checked out of the box.”
Importantly, the use of open-source containers will reduce the need for the government to lock into one vendor’s technology, the chief software officer stressed.
The effort includes over 100 choices of “best of breed development tools and services,” to give developers flexibility and essentially a software factory, Chaillan noted. It also features a so-called sidecar container security stack to integrate zero-trust security as well as microservices architecture. “Everything we do is zero trust,” he said. “It’s zero trust by default at the container level. So it’s not just in the VM [virtual machine] layer. It is all the way down to the container.”
The platform also utilizes Kubernetes, the Google-designed open-source container orchestration tool for automatically deploying and managing software containers. “If you don’t know what Kubernetes is, you should know,” he exclaimed. “It is the future of software. There is nothing done today that does not involve Kubernetes.”
In addition, the DevSecOps platform aims to decrease the time it takes for software systems to be accredited by creating standardized metrics and identifying acceptable thresholds that enable a “continuous” authority to operate approval environment, he suggested.
Every DOD program can have its own instantiation of the DOD Enterprise DevSecOps Platform on any cloud, Chaillan emphasized. “[It will] enable any DOD Program across the DOD services to deploy a DOD hardened software factory, on their existing or new environments including classified, disconnected and cloud [applications], within days instead of a year [and at a] tremendous cost and time savings,” he offered. “[It supports] rapid prototyping for any business.”
Already, the chief software officer sees progress from rolling out the initiative. “We are already seeing a massive culture shift in testing and cyber, and even in the development teams in DevSecOps.”
Chaillan added that leaders from the initiative were working with other DOD software innovators—such as the Air Force’s Kessel Run Experimentation Laboratory—to accelerate the advancement of the DevSecOps environment. “They are all working together with us,” he noted. “Of course they can still do what they want to do, it’s informal. But the goal of the DevSecOps Initiative is to make sure we are getting consensus, challenges, culture and removing impediments and learning faster.”
Even now, it is a community of practice of about 400 people, the chief software officer said. “We don’t want to become the bottleneck, but at the same time we want to remove the ones that are too big for them to tackle.”
In addition, the initiative is developing updated DevSecOps coursework with the Defense Acquisition University, as well as new contracting language to broaden the use of agile and DevSecOps software development, Chaillan stated.