The Department of Defense has issued guidance providing IT capability providers and consumers, product teams and authorizing officials with best practices to advance the adoption of DevSecOps and help build a community that could enable a warfighting force and establish resilience and security in DOD’s software delivery practices.

The document titled DoD Enterprise DevSecOps Fundamentals acknowledges the importance of software and seeks to promote the adoption of modern software practices across the department.

The guidance includes a definition of DevSecOps and a description of the methodology’s phases and lifecycle. It also covers assumptions related to the concepts of DevSecOps, offers in-depth information on the components of DevSecOps, provides guidance regarding a DevSecOps culture and metrics and outlines the next steps and identifies additional resources to support a DevSecOps journey.

The latest release came six months after the DOD Office of the Chief Information Officer issued the DevSecOps Continuous Authorization Implementation Guide.

Software Factory

According to DOD, a software factory leverages automation and is a collection of people, processes and tools designed to enable teams to continuously deliver value by fielding software to meet the needs of a particular community of end users.

The document states that an ideal DevSecOps software factory performs several functions, including standardization, automation, continuous integration and deployment, security and compliance and continuous improvement.

What Is DevSecOps?

In the document, DOD defines DevSecOps as a combination of software engineering tools, practices and methodologies, unifying software development, security and operations and “recognizing that software is never done.”

The department said DevSecOps highlights collaboration across the three disciplines to support the delivery of secure software, emphasizes the automation of processes and builds on the tech trends of the past 20 years, including the shift from waterfall software development to Agile methodology, integration of security across the technology lifecycle and the move from data centers to the cloud.

A program office within Naval Air Systems Command is working through the final steps to deliver to the fleet a system designed to modernize shipboard data management of the U.S. Navy and the U.S. Marine Corps.

NAVAIR said Thursday the command’s Aircraft Launch and Recovery Equipment Program Office, or PMA-251, Information Systems team has implemented design changes, integrated fleet feedback and demonstrated prototypes of the Marine Aviation Data Management System, or MADMS.

What Is MADMS?

MADMS is a shipboard information platform designed to digitally integrate weapons, surface operations, flight deck management, flight operations, shipboard operations and other operational systems and provide fleet users with real-time situational awareness.

The platform created a Development Security & Operations Continuous Integration/Continuous Delivery software development pipeline, enabling multiple contractors and developers to simultaneously work and field features to fleet test groups.

“It’s exciting to see such an adaptable tool make its way to our warfighters,” said Capt. Mike Kline, PMA-251 program manager. “With today’s rapidly changing global threat environment, our teams are working diligently to give the warfighters the capabilities they need now and in the future.”

Plans for MADMS

In fiscal year 2025, the PMA-251 MADMS team will distribute a Market Survey Simulation through the Consolidated Afloat Networks system, a.k.a. CANES, to collect fleet feedback and deploy MSS as a software-only prototype application on CANES.

In 2026, the program office is set to release the MADMS Capability Drop 1 to the fleet. As the office addresses input from the fleet and improves cybersecurity, annual increments of the system will be deployed.

Through AUKUS, a trilateral security agreement between Australia, the United Kingdom and the United States in the Indo-Pacific region, partners have successfully tested several autonomous maritime systems.

During a three-week span of maritime tests in Australia, dubbed Autonomous Warrior 24, AUKUS partners worked to improve the ability to jointly operate unmanned systems, share data between all three nations and provide maritime domain awareness to help inform decision-making, the Department of Defense announced Thursday.

Heidi Shyu, undersecretary of defense for research and engineering and a 2024 Wash100 awardee, said, “Autonomous Warrior/Maritime Big Play creates a unique opportunity for our three countries to work together, which will ultimately improve operational efficiency and allow us to work more cohesively against common threats.”

“This collaborative approach enables us to reduce acquisition, maintenance, and training costs by creating economies of scale,” Shyu added.

The Autonomous Warrior 24 event featured capabilities from underwater to space systems. These systems included software-defined acoustic modems, multi-model unmanned underwater and surface vehicles and low-cost autonomous surface vehicles.

The event was a part of the Maritime Big Play initiative and continued efforts to develop AUKUS Pillar II capabilities to advance maritime awareness.

“By investing in novel and innovative capabilities directly aligned to AUKUS mission priorities, as well as making future advancements in emerging technologies like AI and Quantum, we support a more stable region — one where all nations are empowered to make their own sovereign decisions free from coercion — a world that centers on hope for the opportunity and prosperity of the future,” Shyu stated.

U.S. Marine Corps Col. Jared Voneida, commander of Defense Information Systems Agency Pacific, spoke at the recent AFCEA TechNet Indo-Pacific 2024 conference, where, during a breakout session, he discussed the need for resilient communication in the region.

Communication Node Distribution

Part of that effort to ensure resilience is DISA’s move away from large command and control nodes towards smaller, dispersed sites, according to an article published Thursday on the agency’s website. Node distribution across a wider area ensures continued connectivity because, Voneida said, “[big] nodes are worthy of being attacked.”

“Small dispersion is what we’re looking for, not only for security but also to cover down on the threat,” the official added.

Agnostic Transport

Voneida also discussed the need to achieve what he described as “agnostic transport,” where communication is maintained through the use of a mix of various technologies, including terrestrial fiber and satellite communication.

“What we’re doing is looking at spreading out our capability to make sure the joint coalition force can connect, making it exceedingly difficult to be completely denied,” the DISA Pacific chief explained.

Communication Security

Protecting communication infrastructure is complex, Voneida noted, due to the many ways it can be compromised. Part of efforts to mitigate such threats is DISA collaborating with industry and government partners.

Also key to communication security is Thunderdome, the agency’s zero trust network access and application security architecture.

For Voneida, getting zero trust right would be advantageous in the Indo-Pacific in light of “all these disparate countries that we have to work with.”