DevSecOps Strategy
CLEARED
For Open Publication
May 19, 2021
UNCLASSIFIED
Department of Defense
OFFICE OF PREPUBLICATION AND SECURITY REVIEW
DoD Enterprise
DevSecOps Strategy
Guide
March 2021
Version 2.0
Unclassified
Document Approvals
Approved by:
John Sherman
Chief Information Officer of the Department of Defense (Acting)
Approved by:
Stacy A. Cummings
Principal Deputy Assistant Secretary of Defense (Acquisition)
Performing the Duties of Under Secretary of Defense for Acquisition and Sustainment
Contents
Executive Summary
Document Set Structure
  DevSecOps Strategy Guide Document
  DevSecOps Fundamentals Document
  DevSecOps Reference Design Document(s)
Assumptions
DevSecOps Defined
Formal Recognition of the Software Supply Chain
Construction of Software Factories
DevSecOps Guiding Principles
  Relentless pursuit of Agile
  Software factories mandate baked-in security
  Integrated, automated & continuous end-to-end testing and monitoring
  Immutability of infrastructure achieved via “x as Code” design patterns
  Adoption of Cloud-smart and data-smart architectural motifs throughout
DevSecOps Process Overview
DevSecOps Management and Governance
  Management Structure
  Recommended Governance
  Assessment and Authorization
Conclusion
Figures
Figure 1 Pillars to Achieve Resilient Software Capabilities
Figure 2 DevSecOps Document Set Overview
Figure 3 DevSecOps Distinct Lifecycle Phases and Philosophies
Figure 4 Notional Software Supply Chain
Figure 5 Normative Software Factory Construct
Figure 6 DevSecOps Lifecycle Phases, Continuous Feedback Loops, & Control Gates
Figure 7 Notional expansion of a single DevSecOps software factory Pipeline
Executive Summary
Many programs and missions across the Department of Defense (DoD) lack software
development practices that meet industry standards for agility. The majority of current
cybersecurity frameworks (NIST Cybersecurity Framework, ODNI Cyber Threat Framework,
NSA/CSS Technical Cyber Threat Framework v2 (NTCTF), MITRE ATT&CK, etc.) focus
predominantly on post-production deployment attack surfaces. Furthermore, every release cycle
is perceived as an uphill battle between development teams that attest to functionality,
operational test and evaluation teams trying to confirm specific functionality, operations teams
struggling to install and operate the product, and security teams bolting on protection
mechanisms as an afterthought. To deliver resilient software capability at the speed of
relevance, the Department needs to implement strategies that focus on cybersecurity and
survivability across the entire development process. The DoD is not alone in this journey; industry has
already minimized deployment friction through a cultural shift to DevSecOps (development,
security, and operations).
The DoD CIO and the Office of the Under Secretary of Defense for Acquisition and Sustainment
(OUSD A&S) recognize the urgent need to rethink our software development practices and
culture by leveraging the commercial sector for new approaches and best practices.
DevSecOps is such a best practice as it enables the delivery of resilient software capability at
the speed of relevance, a central theme of software modernization across the DoD. DevSecOps
is a proven approach widely adopted by commercial industry and successfully implemented
across multiple DoD pathfinders. DevSecOps is a core tenet of software modernization,
technology transformation, and advancing an organization’s software development ecosystem
to be more resilient, while ensuring cybersecurity and metrics/feedback are paramount.
The DevSecOps software lifecycle approach creates cross-functional teams that unify
historically disparate evolutions – development (Dev), cybersecurity (Sec), and operations
(Ops). As a unified team they follow Agile principles and embrace a culture that recognizes
resilient software is only possible at the intersection of quality, stability, and security, as depicted
in Figure 1.
• Reduced mean-time to production: Reduces the average time it takes from when new
software features are required until they are running in production;
• Increased deployment frequency: Increases how often a new release can be deployed
into the production environment;
• Decreased mean-time to recovery: Decreases the average time it takes to identify and
resolve an issue after a production deployment;
• Decreased change-fail rate: Decreases the probability that a new feature delivered in
production will result in a failure in operations;
• Fully automated risk management: Well defined control gates perform risk
characterization, monitoring, and mitigation as artifacts are released and promoted
through every step, from ideation through production;
• Baked-in Cybersecurity: Software updates and patches delivered at the speed of
relevance.
The DoD Enterprise DevSecOps Strategy, along with its supporting document set, provides
education, best practices, and implementation and operational guidance to Information
Technology (IT) capability providers, IT capability consumers, application teams, and
Authorizing Officials.
Assumptions
This document set makes the following assumptions:
The cultural principles espoused by this strategy and within the DevSecOps Fundamentals
document are universally and equally applicable to every DoD Enterprise DevSecOps reference
design.
DevSecOps Defined
DevSecOps describes an organization’s cultural and technical practices, aligning them in such a
way to enable the organization to reduce the gaps between a software developer team, a
security team, and an operations team. Adoption improves processes through daily
collaboration, agile workflows, and a continuous series of feedback loops. Figure 3 visually
depicts the distinct DevSecOps phases and philosophies, the specifics of which are elaborated
upon in the DevSecOps Fundamentals document.
Pioneering programs using DevSecOps for several years have concretely demonstrated that its
adoption can deliver resilient software capability at the speed of relevance; and by integrating
cybersecurity at every step, as depicted in Figure 3, the cyber survivability of the artifacts and
applications produced is enhanced. DevSecOps strives for faster and more secure software
delivery while achieving consistent governance and control.
The document set construct acknowledges that there is no uniform set of DevSecOps practices
or tooling. Each DoD organization is expected to tailor its culture and align its DevSecOps
practices to its own unique processes, products, security requirements, and operational
procedures. DevSecOps platforms and their underlying software factories are expensive,
so every DoD organization is encouraged to seek out an existing Reference Design
platform and leverage the continuous Authority to Operate (cATO) that comes with it. Embracing DevSecOps requires
organizations to shift their culture, evolve existing processes, adopt new technologies, and
strengthen governance.
These guiding principles represent the starting point for establishing common nomenclature and
a curated and versioned approach to DevSecOps adoption. The DevSecOps Fundamentals
document builds on these guiding principles by formalizing each phase of the DevSecOps
lifecycle. The DevSecOps Tools and Activities Guidebook defines the activities individuals
perform on a daily basis when part of a DevSecOps team, and the required and preferred types
of tools required to be considered a DevSecOps team. Further, each DevSecOps Reference
Design builds upon the principles and practices though a layer of specificity covering tool and
processes, addressing technology specific interconnects, and adding additional required and
preferred tools and activities that a team must adopt. When principles, practices, and tools
combine properly, the result is an efficient, transparent, and harmonized software factory that is
capable of delivering new features at the speed of operational relevance, while maintaining the
level of security required to operate in national security environments.
Build, Test, Release & Deliver, Deploy, Operate, and Monitor phases. This graphic contains the
identical set of steps depicted previously in Figure 3 as an infinite loop, but it has been
“unfolded” to effectively illustrate the multiplicity of continuous feedback loops. Visually, the
cybersecurity automation is depicted as the foundational core underpinning all lifecycle phases,
permeating each phase with multiple touch points, and directing actions that are taken based on
real-time metrics derived from actual product usage and performance.
The other feedback loop covered below is the Continuous Monitoring loop. This loop must bring
together a deep, rich set of real-time performance metrics and supporting data to continuously
evaluate the totality of the software environment. This loop serves two main functions:
cybersecurity monitoring, to ensure events and incidents are handled in accordance with DoD
mandates and policies; and live data feedback and interaction between network defenders and
developers. In doing so, the antiquated snapshot view of network security is replaced with real-time
feeds, allowing security actions to be taken by local defenders, monitoring teams
(Cybersecurity Service Providers, or CSSPs), incident response teams (Cyber Protection
Teams, or CPTs), and Command and Control (C2) elements of U.S. Cyber Command/Joint
Force Headquarters – DoD Information Network (JFHQ-DoDIN).
Feedback loops are critical mechanisms that overlap with specific DevSecOps lifecycle phases.
Each feedback loop is built upon transparency and speed. As an illustration, when a software
developer commits code to a branch, a build is automatically triggered to confirm the code still
builds correctly, and if it doesn’t, the developer is immediately notified of the problem. The
DevSecOps Fundamentals document covers each feedback loop and the value it adds to the
software supply chain’s software factory.
Figure 6 DevSecOps Lifecycle Phases, Continuous Feedback Loops, & Control Gates
Paramount to the DevSecOps Strategy is that cybersecurity automation must permeate the
entirety of the software supply chain, never being bolted on as an afterthought. The
software factory underlying DevSecOps is only one part of the software supply chain, but it merits
additional scrutiny because this is where sensitive, mission-specific tactics, techniques, and
procedures are converted into sensitive software algorithms. DevSecOps Management and
Governance of the software factory stipulates that a series of cybersecurity control gates
execute deep, meaningful, repeatable, and mission-relevant automated cybersecurity checks and collect their metrics.
In Figure 7, we see one of the pipelines. The black and red diamonds represent the automated
cybersecurity control gates that must be cleared before any artifact can be promoted between
the disparate development environments (dev, test, pre-prod, etc.).
This automation exemplifies what it means to ensure cybersecurity permeates every
phase of DevSecOps. Further, it visually depicts explicit gates where Operational Test &
Evaluation (OT&E) must shift left. This shift allows the team to rapidly identify quality or stability
issues that should be addressed prior to the promotion of any artifact to the next level. Finally, SMART
performance metrics related to both team performance and cyber survivability are collected at
each control gate, every time. These metrics form one of the bedrock principles behind
cATO, producing a certified software factory.
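To make the control-gate and feedback-loop ideas above concrete, the following is an added illustration (not code from the Strategy Guide or from any DoD reference design) of a promotion gate in Python. An artifact carries evidence from the build, test, signing and scanning steps; a gate evaluates that evidence against a policy that tightens from dev to test to pre-prod to prod, refuses to skip stages, and records per-severity metrics every time it runs. The stage names are the document's own; the severity thresholds, artifact name, finding identifiers and tool names are constructed for the example and are not DoD-mandated values.

```python
"""Added example: an automated promotion control gate for a software factory pipeline.

Assumptions (not from the Strategy Guide): the severity limits in GATE_POLICY, the
artifact name and the findings in SAMPLE are made up for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Promotion order. A gate sits in front of every stage after the first.
STAGES = ["dev", "test", "pre-prod", "prod"]

# Maximum open findings per severity allowed to ENTER a stage. Limits tighten as the
# artifact moves right; production admits nothing above "low". Values are assumptions.
GATE_POLICY: Dict[str, Dict[str, int]] = {
    "test":     {"critical": 0, "high": 5, "medium": 50},
    "pre-prod": {"critical": 0, "high": 0, "medium": 10},
    "prod":     {"critical": 0, "high": 0, "medium": 0},
}


@dataclass
class Finding:
    tool: str          # e.g. "sast", "sca", "container-scan"
    severity: str      # "critical" | "high" | "medium" | "low"
    finding_id: str


@dataclass
class ArtifactEvidence:
    """Everything the pipeline learned about one artifact before the gate runs."""
    name: str
    build_passed: bool   # the commit-triggered build (the first feedback loop) succeeded
    tests_passed: bool   # automated test suite (shift-left OT&E) succeeded
    signed: bool         # artifact signature / provenance verified by the factory
    findings: List[Finding] = field(default_factory=list)


@dataclass
class GateResult:
    artifact: str
    source: str
    target: str
    promoted: bool
    reasons: List[str]          # empty when promoted; otherwise why the gate blocked
    metrics: Dict[str, int]     # per-severity counts recorded at every gate, every time


def evaluate_gate(ev: ArtifactEvidence, source: str, target: str) -> GateResult:
    """Decide whether `ev` may be promoted from `source` to `target`."""
    reasons: List[str] = []
    by_sev = Counter(f.severity for f in ev.findings)
    metrics = {sev: by_sev[sev] for sev in ("critical", "high", "medium", "low")}

    # Promotion is one stage at a time; nothing may jump from dev straight to prod.
    if (source not in STAGES or target not in STAGES
            or STAGES.index(target) != STAGES.index(source) + 1):
        reasons.append(f"illegal promotion {source} -> {target}")
    if not ev.build_passed:
        reasons.append("build failed")
    if not ev.tests_passed:
        reasons.append("automated tests failed")
    if not ev.signed:
        reasons.append("artifact signature/provenance not verified")
    for sev, limit in GATE_POLICY.get(target, {}).items():
        if by_sev[sev] > limit:
            reasons.append(f"{by_sev[sev]} {sev} findings exceed limit {limit} for {target}")

    return GateResult(ev.name, source, target, not reasons, reasons, metrics)


def promote_through(ev: ArtifactEvidence, start: str = "dev"):
    """Walk the pipeline from `start`; stop at the first gate that blocks.

    Returns the furthest stage reached and the result of every gate evaluated.
    """
    results: List[GateResult] = []
    current = start
    for nxt in STAGES[STAGES.index(start) + 1:]:
        result = evaluate_gate(ev, current, nxt)
        results.append(result)
        if not result.promoted:
            break
        current = nxt
    return current, results


# Constructed sample evidence: clean build, tests and signature, but one open
# high-severity SAST finding plus two medium dependency findings.
SAMPLE = ArtifactEvidence(
    name="mission-app:1.4.2",
    build_passed=True, tests_passed=True, signed=True,
    findings=[
        Finding("sast", "high", "sast-0001"),
        Finding("sca", "medium", "dep-0012"),
        Finding("sca", "medium", "dep-0013"),
        Finding("container-scan", "low", "os-0042"),
    ],
)

if __name__ == "__main__":
    reached, gate_results = promote_through(SAMPLE)
    for r in gate_results:
        print(f"{r.source} -> {r.target}: {'PROMOTED' if r.promoted else 'BLOCKED'} "
              f"metrics={r.metrics} reasons={r.reasons}")
    print(f"furthest stage reached: {reached}")
```

Running the block promotes the sample artifact into test (one high finding is within that stage's limit) and blocks it at the pre-prod gate, naming the finding count that exceeded the policy; the metrics dictionary is emitted on both gates whether or not they pass, which is what lets the factory trend them over time for cATO evidence.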
Management Structure
The management objective of DevSecOps must be both “top-down” and “bottom-up” to balance
the larger strategic goals of software modernization across the DoD. Senior leader buy-in is
crucial for success, though buy-in at the staff level is equally important. This engenders a sense
of ownership, which encourages the appropriate implementation of processes related to
governance and enables team members to support continuous process improvement.
Continuous process improvement – seeking opportunities to simplify and automate whenever
and wherever possible – is essential for governance to keep pace with a rapidly changing world
while implementing a continuous feedback loop to ensure that automation is not done at the
cost of security.
Recommended Governance
Early DevSecOps efforts in the DoD, such as those of the Defense Threat Reduction Agency (DTRA), have
leveraged and adopted commercial best practices with great success. The DTRA Governance
document identifies Five Fundamental Principles of Next Generation Governance (NGG):[8]
1. Run IT with Mission Discipline: Tie requirements back to your organization’s mission. Every
action should be aligned to the mission. If they are not, then an evaluation should be
performed with continuous process improvement to address how to tie actions to missions.
[8] Defense Threat Reduction Agency (DTRA), "Next-Generation Technology Governance," 2018.
As the DoD works to finalize its Software Modernization Strategy there is a recognition that the
Department must continuously evaluate and update policies, regulations, and DoD standards
(collectively, “compliance”) as appropriate. Nothing within the four corners of the DoD Enterprise
DevSecOps Strategy Guide, the DevSecOps Fundamentals document, or any specific DoD
Enterprise DevSecOps reference design can be deemed as overruling existing governance
policies of the department. However, more engaged collaboration, a recognition of the
shortcomings of the current procedures, and a documented appetite to tackle outdated
compliance approaches should be viewed in a positive light.
Conclusion
The adoption and assertion of DevSecOps cultural and philosophical practices are a central
theme of DoD software modernization that will drive the delivery of software capabilities at the
speed of relevance. This document establishes a unified set of DevSecOps guiding principles
for the entirety of the DoD. These principles are woven throughout the fabric of the other
documents within the DevSecOps document set, visually depicted in Figure 2. In recognizing
the depth and breadth of software development activities across the entirety of the Department,
specific DevSecOps Reference Designs empower specificity, demonstrating that neither a
one-size-fits-all nor a one-size-fits-most approach is sufficient. The future success and global
relevance of the DoD demands an accelerated adoption of software industry best practices.