Federal agencies with central roles in executing on President Biden’s May 2021 cybersecurity executive order are taking steps to standardize DevSecOps software development disciplines across government, agency officials said on July 12.
DevSecOps – which requires collaboration and integration of development, operations, and security teams in software development – is far from a new concept in the Federal agency arena, but at the same time the practice has not been adopted in the form of a government-wide directive. The administration’s May 2021 cybersecurity executive order that directs the Federal government as a whole to adopt secure software development practices is changing that adoption landscape.
The Cybersecurity and Infrastructure Security Agency (CISA) is now working with the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) to develop a “whole-of-government” way to measure secure software development.
As part of that effort, NIST published a secure DevSecOps framework earlier this year to help guide agency efforts, and OMB is developing implementation guidance for the procurement of secure software.
“It’s still a work in progress because there’s a lot of data, historical data, that’s not standardized,” said Steve Prukowski, security test and evaluation Federal lead at CISA, of the current effort to measure secure software development in government.
“So you are kind of starting from zero in some respects, but you’re also trying to pull together historical data and make sense of it,” he said at a Federal News Network event.
CISA is also working with components across the Department of Homeland Security (DHS) to establish a community to help teams across the parent agency share knowledge and best practices specifically for application security testing. That collaboration “ensures that we can all benefit from that collective knowledge,” Prukowski said.
On another front, officials at the Army Software Factory believe that because they can retrain soldiers in cohorts for four months at a time across different technology competencies, they have an advantage when it comes to adopting DevSecOps practices.
Angel Phaneuf, chief information security officer at the Army Software Factory, explained that soldiers go through a tech accelerator “boot camp” to test and further develop their skills before graduating to a soldier-led team that’s paired with contractors and technology experts. Eventually, the soldiers progress to working on their own.
“A big part of the reason why we do this … is so that we can deploy our soldiers downrange, and they can do everything from platform engineering, software development, UX design and build an application on the battlefield for the warfighter,” she said.
Phaneuf added that many Federal agencies are facing challenges when introducing agile software methodologies into well-established program management practices. “Now you have to teach them agile, those feedback loops are critical,” she said. “And if you’ve never been taught how to take feedback or give feedback, it can feel very aggressive.”