Cybersecurity and DoD System Development: A Survey of DoD Adoption of Best DevSecOps Practice
Abstract:
DoD is moving from the Waterfall Model of software development to modern methods such as Agile, DevOps, and especially DevSecOps, which emphasizes considering cybersecurity early. In 2020, OUSD/R and E tasked the Institute for Defense Analyses to study DoD organizations practicing DevSecOps and other non-Waterfall methodologies, to capture their successes and failures, to report actions organizations should take to adopt DevSecOps, and to recommend DoD-wide actions to promote DevSecOps practice. IDA developed and distributed a survey, received 18 responses, and conducted follow-up telephone interviews. IDA heard many success stories, including increased up-front planning and incorporation of testing processes, and implementation of pipelines that lowered the time from coding to deployment; furthermore, several respondents reported that their metrics objectively demonstrated improvement. At the same time, some respondents felt that DoD's current acquisition model and ATO processes are not truly compatible with DevSecOps; that forming teams is difficult; and that the role of developmental testing is unclear within DevSecOps. Part of the problem is that DevSecOps is still new and lacks standard concepts and terminology. IDA recommends DoD take eleven actions to promote adoption of DevSecOps. These actions will clarify and help acculturate DevSecOps concepts throughout DoD. The actions will also simplify creating and using pipelines, lessening the up-front costs of a DevSecOps-based project.