DOD plans for security-focused guidance for DevSecOps
- By Lauren C. Williams
- Jan 23, 2020
The Defense Department plans to release a security-focused DevSecOps reference plan by the summer.
Peter Ranks, the Defense Department's deputy CIO for information enterprise, told FCW that DOD plans to unveil a companion document to its enterprise DevSecOps reference design, released in August 2019, which outlined everything from concepts to the tools needed to execute modern software development practices.
"Last year, we actually published a DevSecOps reference design, and this year, in the first half of the year we should publish essentially the companion document for that," Ranks told FCW following the MeriTalk and Unisys Smart 2020 event Jan. 23 in Washington, D.C.
Ranks said the original reference design plan emphasized "how to build software in this DevSecOps model and what it left behind was how -- in language security accreditors understand -- how to accredit and trust software on that kind of model."
Part of that model is getting the Defense Department to wholly embrace continuous authority to operate (ATO), leaning a lot on what the Air Force has done.
"We're adopting a lot of the Air Force's tooling and methodology for DevSecOps," Ranks told FCW. "We've had a lot of different folks work on something called continuous ATO to date; it's just various versions of just accepting more risk. And I think the model that we're proposing doesn't require accepting more risk. It just requires accepting evidence in a different way and ingesting it in a different way."
Part of that is finding a "common language" for ATOs so the process can be standardized, he said.
"We have to be able to make sure that every cyber control we articulate is testable in the software so that we can build that real time," Ranks said during his presentation Jan. 23. "And the communities we have, the people we've hired and trained over the years don't have that skill set. So there's a workforce aspect of this too."
Besides ATO, Ranks said DOD is focusing on defining software-defined infrastructure, a "cyber-approved version" for building and designing applications.
"We don't need to invent those, we just need to pluck them from different parts of the department and make sure that people across the department understand them," he told FCW. "A lot of reinventing the wheel that happens today is trying to figure out how we do that."
Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. Follow her on Twitter @lalaurenista.