Internal Status Report of the U.S. Department of Defense

Key Chapter Title List

1. Introduction: Examining the Current State of DevSecOps to Chart the Future Path
2. Celebrating Successes to Date
3. Software Factories Constitute the Digital Arsenal of Modern Warfare
4. Optimizing the Software Factory Ecosystem for Enterprise Software Modernization
5. DevSecOps Enables Continuous Authorization to Operate
6. Policy and Guidance Drive Change
7. Building a Mission-Adaptive DevSecOps Workforce
8. The Path Forward Relies on Data and Effective Metrics

Document Introduction

Since the release of the 2019 Defense Industrial Base Software Action Plan report "Software is Never Done: Recoding Acquisition for Competitive Advantage," the U.S. Department of Defense has been committed to transforming its software development and acquisition practices. At the core of this transformation is DevSecOps—a process that breaks down departmental silos, embeds security, and follows modern technology company best practices to rapidly deploy software into production. Over the past five years, the Department of Defense has made significant progress in adopting DevSecOps practices. Currently, more than 50 software factories are using DevSecOps to deliver production code, learning how to integrate these practices into the high-risk DoD environment and providing templates and patterns for broader transformation.

This report, initiated by the Office of the DoD Chief Information Officer, aims to review the transformation progress, summarize successful experiences, and provide insights for advancing the shift to modern software practices across the department. The research focuses on the current state of DoD practices, employing quantitative metrics supplemented by qualitative information from user surveys. The study finds that, when fully implemented, DevSecOps can transform the paradigm for delivering mission capabilities to warfighters at a speed that provides them with an asymmetric advantage. However, this process change must be accompanied by leadership commitment and requires overcoming the bureaucratic inertia generated by traditional methods intertwined with all delivery aspects.

The core findings of the report revolve around several key themes. First, software factories have proven to be the digital arsenal of the Department of Defense, revolutionizing software delivery through the application of continuous integration and continuous deployment workflows. These collections of personnel, tools, and processes are designed to meet the needs of specific end-user groups by deploying software and leveraging automation to replace manual processes. Second, DevSecOps drives a fundamental shift in the cybersecurity paradigm, moving from one-time risk assessments to continuous authorization to operate. This shift integrates real-time assessment, zero-trust principles, and DevSecOps practices to protect the supply chain from emerging threats and enhance the overall cybersecurity posture.

Simultaneously, the report points out that policies and guidance need to keep pace with the speed of software delivery enabled by DevSecOps and the cultural changes required for adopting new software. The Department of Defense is applying agile thinking, driving policy development based on the grassroots success of DevSecOps. Furthermore, a skilled and highly motivated workforce is crucial for DevSecOps. The DoD is building a strong talent pipeline through initiatives like the Cyber Workforce Strategy Implementation Plan, and the act of delivering capability to the defense mission itself has become a significant incentive driving recruitment and retention. Finally, to ensure DevSecOps continues to create mission value, the DoD needs to measure progress against objectives, utilizing data to support decision-making, drive improvements, and remove obstacles. The combination of quantitative data, rigorous methodology, strategic thinking, and an understanding of organizational goals is essential for effective decision-making.