DISA Embraces DevSecOps for Future Contracts
The Defense Information Systems Agency (DISA) is moving toward requiring rapid, agile and secure software development processes for new systems.
Brian Hermann, director and program executive officer, Services and Development Directorate within the agency, said he wanted to make it clear that the process known as DevSecOps will be increasingly essential for new contracts.
“When we develop capabilities, we will use the DevSecOps methodology. The process of using a pipeline instead of tools to transform initial code into operating services and deploy that code as quickly as possible will allow us to move from release cycles in the months and weeks timeline to release cycles closer to daily,” Hermann said during a Forecast to Industry as part of the AFCEA TechNet Cyber conference, a virtual event held Dec. 1-3. “That challenges some of our other processes, but I want to make sure everybody understands that our goal is to move to that agile DevSecOps methodology because that’s going to be core to any of the contracts that we require for new development efforts.”
He added that the organization is building a Mobility Enablement prototype, which he described as a “DevSecOps-like pipeline” for developing mobile applications across the department. We just recently are wrapping up a prototype contract to put that capability in place. We’ve developed a business case, and we’re working through how that continues to provide that capability for the department.”
The first program to fully adopt the DevSecOps practice is the Joint Planning and Execution Services contract. It is an effort to modernize the existing Joint Operational Planning and Execution System that provides global force management support for the department. “It allows force planners to input scenarios and needs and to look at options for which forces should be used in those conditions. Both of those capabilities are used at the combatant command level and at the task force level below that. We are actively working the JPES modernization development, and that is the first program, actually, to fully take advantage of our DevSecOps pipeline as we move toward that modernized approach,” Hermann reported.
Modernizing the Global Command and Control System-Joint also will use DevSecOps processes. “It has been in existence for 25 years or so, and it is providing capability to hundreds of sites around the world. We are endeavoring as much as possible to modernize a client server kind of approach that’s used to host it in local enclaves to more of an enterprise solution that will allow us to take advantage of speedy, DevSecOps delivery of capability to the warfighters,” Hermann said. “To do that will also require that we take advantage of all of the levers of capability that DISA provides, to include high-speed redundant transport to make sure the services are available to anyone anywhere.”
That modernization contract is expected late in the 2021 fiscal year, and the organization intends to take a different approach. “As we move toward a data-centric future, we will likely have companion contracts that create accessible data links and modular decision making functions in accordance with the JADC-2 or Joint All-Domain Command and Control, vision for situational awareness, which means there will likely be additional contracting opportunities that accompany the sustainment of the existing capability,” Hermann stated. “We expect this to become the basis of providing data for many developers around the department to create smaller applications that produce the situational awareness that is required.”
Additionally, the directorate intends to move away from the continuity of operations approach to backing up systems and instead to “leverage clouds’ elasticity and distributed delivery for efficiency and improved availability and reliability,” he added.