DevSecOps and Planes

We may be well into 2021 but the findings of a GAO report issued in Summer 2020 on DOD acquisitions are as timely now as they were when the report was issued – maybe even more so.  

As reported by FedScoop, the GAO report took a fairly bleak look at the deployment of Agile software development across nearly two dozen major DOD weapons systems.  

In short, instead of speeding deployment, improving security and reducing costs, GAO’s Defense Acquisitions Annual Assessment found that, too often, attempts to deploy Agile software development resulted in almost the exact opposite: i.e., slower deployments, reduced levels of system security, and higher, not lower, levels of expenditure.

If you didn’t know better, it would be possible to conclude from GAO’s report that Agile software development is a) not all that agile, and b) an almost surefire way of wasting time and reducing security while spending a lot of money.

However, such an assessment of Agile software development would be flat-out wrong.  Which is not to say GAO’s report was incorrect or off the mark.  It is a matter of context.

What’s in a Name?

Looking ahead, what GAO’s report really reminds us — and it is something agencies, service branches, and contractors ought to be mindful of in 2021 and beyond — is that a program doesn’t become “Agile” merely by calling it Agile, or by adopting some of the protocols and operating principles of Agile software development in the belief that the full benefits of Agile will occur over time, as if by osmosis. They won’t.  Agile takes work, but if you put the work in, the benefits are manifest.

There’s an old saying, “Anything worth doing, is worth doing right.”  In the case of Agile, that saying can be updated to “And if you don’t do it right, don’t bother doing it at all.”  But when it is done right, Agile software development can serve not just as a “roadmap” for improved outcomes, it becomes the road itself — one that is headed for mission success.  

USAF CVA/H DANS: A Textbook Example of Agile Done Right

As just one example of what Agile — when properly deployed and integrated — can help bring about, look at the USAF’s success in shifting its Cyberspace Vulnerability Assessment/Hunter (CVA/H) Defensive Applications and Network Support (DANS) process from a traditional Waterfall model to an Agile approach aligned with DevSecOps (i.e., the integration of DevOps and Security into DevSecOps).

Long story short, working with Technica Corporation, leveraging the DANS contract, the CVA/H went all in on Agile. That started with personnel making a commitment to listen to one another and focus on shared missions and shared success.  A year later, via DevSecOps, USAF’s CVA/H DANS program has achieved multiple successes in deployment including instituting Continuous Integration, Continuous Delivery (CICD) practices, meeting NIST 800-53 compliance hurdles, and overcoming technical debt associated with previous releases.

The Before and After 

All in all, USAF CVA/H DANS took three previously independent contracts—feature development, product delivery, and sustaining fielded systems—and merged them into one unified work structure.  Goodbye Waterfall, hello a 6x increase in the speed of deployment. In the first year, USAF achieved four complete releases within twelve months, contrasting with previous releases occurring only twice in three years.

In our shared line of work, Agile software deployment can be a powerful strategic assessment, but, like anything worth doing, it’s worth doing right.

For More Information: DevSecOps for a U.S. Air Force Cyber Weapon System (PDF)

Gerry Morelli
Director of Programs
Technica Corporation
Defense Applications & Network Support (DANS)
Cyberspace Vulnerability Assessment / Hunter Weapon System