The State of DevSecOps in the DoD: Where We Are, and What’s Next

A high-stakes, high-security environment has challenged the implementation of these practices within the Department of Defense (DoD).

DevSecOps practices foster collaboration among software development, security, and operations teams to build, test, and release software quickly and reliably.

The DoD Chief Information Officer (CIO) organization partnered with the Software Engineering Institute (SEI) to conduct the first study to baseline the state of DoD DevSecOps, highlight successes, and offer insights for next steps.

George Lamb, DoD’s Director of Cloud and Software Modernization, joins the SEI team to discuss key results and how they will help the DoD ensure that its software ecosystem is effective, scalable, and adaptable to meet the challenges of today and tomorrow. Speakers: Brigid O’Hearn, Eileen Wrubel, and George Lamb.

Software Factories

The U.S. Department of Defense (DoD) has embraced DevSecOps, a framework integrating development, security, and operations, to modernize software delivery and enhance mission-critical capabilities. This strategic shift, guided by policies like the DoD Enterprise DevSecOps Fundamentals (updated October 2024) and the Software Acquisition Pathway (SWP), established in 2020, prioritizes automation, collaboration, and continuous security.

By 2025, 78 acquisition programs, including Project Overmatch, F-16, and F-35, had adopted the SWP, demonstrating faster deployment and improved security.

The DoD’s focus on software factories—cloud-based, automated pipelines—has been pivotal, enabling rapid, secure software development through continuous integration and deployment (CI/CD). These factories, exemplified by the Navy’s Compile to Combat in 24 Hours initiative using Red Hat’s OpenShift, embed security early via practices like shift-left, where vulnerabilities are addressed during development.

A key advancement is the transition to continuous Authority to Operate (cATO), replacing traditional, time-intensive approvals with ongoing security assessments. This ensures compliance in dynamic threat environments, supported by tools like cloud-native vulnerability scanners and container orchestration platforms.

However, challenges persist, including differing interpretations of DevSecOps, segmented operational environments (e.g., ships and aircraft), and acquisition processes that separate development and integration contracts. These hurdles complicate unified implementation and require tailored solutions. The DoD is addressing these through workforce training, cultural shifts toward shared responsibility, and investments in cloud infrastructure.

Conclusion

By scaling successful practices, standardizing software factories, and linking DevSecOps to mission outcomes, the DoD aims to establish a resilient software ecosystem. Despite barriers like workforce readiness and organizational alignment, the department’s progress, driven by policy updates and industry partnerships, positions it to deliver secure, agile software to meet warfighter needs effectively.
