Crowdsource DevSecOps Through the Cloud
Virginia Beach, VA (August 29, 2023) –
The DoD has been pushing for digital engineering for the past five years, but most IT systems across the Services have yet to take advantage of it. To overcome inertia and start realizing the benefits of this new approach, system architects can take a step forward by tapping into the power of cloud-based DevSecOps (Development, Security, and Operations) tools that can be easily shared from one command to another.
The DoD is advocating digital engineering so that its Services will create systems that are more efficient, have lower risk, and are more easily re-used. Systems developed with this approach are connected by “digital threads” across IT, OT, and cyber-physical elements, components, and subsystems. With their greater power and scalability, however, these threads also create the potential for greater cybersecurity risk.
The DoD’s approach to containing those risks requires that every system be validated for Risk Management Framework (RMF) compliance before being granted Authority to Operate (ATO). These standards can create an administrative challenge for many seasoned IT executives. When one of our US Navy clients recently transitioned its case management platform to the cloud, the project leader said that achieving ATO was “a Byzantine process I wouldn’t wish on my worst enemy.”
The surest path to ensuring RMF compliance of digitally engineered systems is to incorporate security into every step from design to deployment. That’s achieved by using a strong DevSecOps process. Some Service branches have already invested to automate DevSecOps throughout their cloud environments. Now that those toolsets have been created, they can be easily shared with other commands using a cloud broker as a conduit to make others aware that they are available. Then system developers across the DoD can accelerate their path to digitally engineered solutions.
Why DevSecOps?
Within digital engineering, DevSecOps is both a methodology and a set of tools to control and automate the pipeline of code releases. This methodology enables the on-time, on-budget development, testing, and deployment of code that is functional and cyber-secure across all levels, systems, and subsystems.
While DevSecOps toolsets are commonly used by tech-savvy commercial enterprises like Amazon and Microsoft, there are significant barriers to DoD teams gaining those benefits, including:
- Organizational Culture: For years, IT has been organized into separate teams for development, security, and operations. Organizational dynamics within and across these silos can create resistance, as DevSecOps is a fundamentally integrated and collaborative process.
- Legacy Systems: When a new system is based on, or integrated with, legacy software, retrofitting security can be complex and time-consuming.
- Security as an Afterthought: In traditional development processes, security is addressed in a waterfall mode AFTER the completion of initial design and initial development. System architects need to understand that this approach can create vulnerabilities that might otherwise be avoided.
- Incompatibility: Independent teams can settle on diverse development tools that are not compatible across organizations, hindering the ability to reuse code and data.
Overcoming these barriers requires a holistic approach, including education, cultural transformation, skill development, process improvement, and strategies for managing change. It takes time, resources, and leadership support to successfully adopt DevSecOps and see the benefits of highly secure systems that are completed on time and on budget.
To help overcome those barriers, I recommend the “hack” of crowdsourced sharing of cloud-based DevSecOps tools. When program offices share DevSecOps or other digital transformation tools, our national defense systems can more quickly increase in power, effectiveness, and resiliency. Here’s why:
- Improved Security: By integrating security practices throughout the software development lifecycle, DevSecOps promotes a proactive and continuous approach to security. This leads to improved resilience against cyber threats, reduced vulnerabilities, and enhanced protection of sensitive data.
- Faster Time to Market: DevSecOps emphasizes automation and continuous integration and delivery (CI/CD), enabling organizations to deliver software and updates at a faster pace. By automating security testing and incorporating it into the development process, security checks can be conducted more efficiently, reducing delays and accelerating time to market.
- Early Risk Identification: DevSecOps promotes the concept of “shifting left” by integrating security practices at the beginning stages of development. This approach allows for the identification and mitigation of security risks at an early stage, reducing the likelihood of vulnerabilities reaching production environments.
- Continuous RMF Compliance: By integrating security and compliance requirements into the development process, organizations can ensure continuous compliance with relevant regulations and standards. This reduces the risk of non-compliance issues and associated penalties, streamlines audits, and provides better visibility into the security posture of the software.
Multiple DoD mission owners have recently created cloud-based DevSecOps platforms that are up and running with full ATO credentials. These existing DevSecOps stacks are ideal candidates for inheritance from one organization to another. Cloud brokerage firms can help make developers aware of those platforms and can ease the path to getting up and running on an inherited DevSecOps stack. The result is the ability to accelerate deployment of solutions that are digitally engineered to be secure and RMF compliant.
ABOUT THE AUTHOR
Bruce Reichard is Vice President of Cloud Engineering for G2 Ops, Inc. Bruce is a cloud engineer and Navy veteran who earned a B.S. in Cybersecurity Engineering from Western Governors University.
For more information about G2 Ops, contact:
G2 Ops, Inc.
2829 Guardian Lane
Virginia Beach, VA 23452
Learn about Model-Based Systems Engineering and Cybersecurity at G2-Ops.com.