The Joint Improvised-threat Defeat Organization has spent the last five years implementing an agile DevOps framework, but scaling that across the DOD is another challenge altogether.
Five years ago, when the Joint Improvised-threat Defeat Organization defined its end state as getting capabilities out to warfighters more rapidly, it lacked the agile policies, contract structures and workforce to achieve that goal. But, that has all changed, according JIDO's chief technology officer.
JIDO reworked its contracts to create a better service-level partnership with industry, Leonel Garciga told FCW at the National Defense Industrial Association’s Agile in Government Summit.
Garciga said the organization then had to re-evaluate its workforce, which involved a mix of training and bringing in new people.
The hardest part though, was changing policy.
"[How do you] change your processes and your policy to be adaptable to actually push software out in an agile fashion?" Garciga posed. "I think that was probably the biggest piece, and that's just to get us to secure agile."
JIDO fought its way there, and over the last 12 months it has been working to automate its DevOps pipeline.
Garciga said that today the contracts support automated DevOps, but JIDO had to make some changes to both the government and contractor workforce.
But, the policies and processes are not there yet to allow automated DevOps.
"And that's where we've spent quite a bit of time on not just deploying the base technology to really have this not just agile, but secure agile, in a DevOps environment looking and smelling like private industry on our network," he said. "To really do that it's been a lot of work on [reworking] the way we get from a to b, the way we take requirements in, the way we think about building software and deploying it."
He said the two changes on the policy side that allowed JIDO to implement its agile framework to date are the National Institute for Standards and Technology’s cybersecurity framework and the Department of Defense shifting to a risk management framework.
"I don't think we would have been able to do this without having the NIST cybersecurity framework come out," he added. That and DOD's RMF approach have provided "policy top cover to really go and do stuff like DevOps and do secure agile in a much more mature way where you can now get it from development all the way to production and still fall within cybersecurity rules."
On top of that, he said, JIDO has seen a 35 percent drop in development costs due to workforce reductions and getting capabilities out faster.
What JIDO has done can be easily replicated at any program executive officer level, he said, but scaling it to the DOD enterprise level requires addressing many of the same challenges the smaller entity did.
"Is your human capital ready to support this? Do they understand the technologies to support this? Do they do they understand the methodologies to support this? That's one piece," he said. "I think the next piece is if you have a contractor workforce. Are you writing contracts to support getting you there?
"And then I think the bigger thing is, do you have that end-to-end ... path to production between your operational arm … and your IT folks that are really all about getting mission capability out seamlessly together?" Garciga asked.
"That really is a harder challenge," he said.