As federal clients continue to wrestle with inherent challenges in traditional waterfall development — lengthy delivery, inflexibility, backlogged security elements, and limited opportunities for further automation — more agencies are turning towards embracing DevSecOps development. In particular, cybersecurity can and should evolve toward continuous risk management framework (RMF) delivery such as continuous authority to operate (ATO).
Despite promises from the federal government to simplify cybersecurity processes, delivery and integration have remained time-consuming. Agencies are weighed down by manual review processes, reliance on limited resources, decreased visibility, delivery teams needing to manage cybersecurity reviews, and a lack of authoritative methods to automate control monitoring. Meanwhile, the sense of trust among cross-functional teammates is absent.
How to Succeed with DevSecOps
Cybersecurity does not have to be the bottleneck to continuous deployment. Continuous ATO is one ultimate outcome of a well-designed secure and lean Agile software development process that incorporates DevSecOps. By following streamlined cybersecurity recommendations, agencies instill trust in the entire lifecycle through targeted involvement and full transparency. The key to this is the involvement of security in all aspects of the process. As shown in the graphic below, ITC uses DevSecOps to accelerate software delivery by rapidly moving code from development to production and continuously monitoring security and operational vulnerabilities throughout the process.
Leveraging the continuous ATO process experience of IT Concepts (ITC), we recommend these four steps:
Step 1: Security Education
Starting with security education lays the groundwork for greater trust and communication down the line. At project inception, agency leaders send assessors to meet with each team and give them a brief identifying required training and providing an overview of the security process and relevant technology.
After this brief, the assessors gain full access to backlogs, repos, scanning tool rule sets, dashboards, and administrator-level control over the security requirement management functions. ITC uses an early interview process and dedicated software for project categorization to inject controls and security requirements straight into Agile backlogs based on requirements. This gives full traceability of security controls throughout development.
The assessor is then part of the team and approves when security controls are met. Pulling categorization, implementation, and automated testing into the development phase allows the security team to build trust into the development process and shortens overall time to delivery.
Step 2: Adopt a PaaS Implementation
A platform as a service (PaaS) with high levels of control inheritance is critical to a successful DevSecOps and continuous ATO implementation. ITC finds that strong PaaS implementations place less compliance burden on application teams so they can focus on releasing features.
Too often, the delivery team is saddled with managing elements beyond applications and data – including networks, storage, servers, virtual machines, operating systems, and middleware. By adopting PaaS, agency delivery teams can focus on the management of applications and data. High controls inheritance lowers the burden placed on application development teams and frees up time and focus for them to shift left on testing and compliance. PaaS provides the structure that reduces total cost of ownership and complexity (both organizational and technical) and focuses development and monitoring efforts on value.
At the PaaS and infrastructure as a service (IaaS) levels, using common controls, organizationally defined controls, and re-use of artifacts reduces complexity of the system itself. With PaaS in place, agencies automate the build and test processes, template their configuration, and provide a globally consistent platform to all users.
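The following added example (not ITC's tooling and not code from the original article) shows how the control inheritance described in Step 2 removes controls from the application team's workload, while the remaining controls become backlog items traceable by control ID until the assessor approves them, as in Step 1. The baseline slice, the PaaS profile, and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample: a small slice of a baseline keyed by NIST SP 800-53 control ID.
BASELINE = {
    "AC-2": "Account Management",
    "AU-2": "Event Logging",
    "CM-6": "Configuration Settings",
    "PE-3": "Physical Access Control",
    "RA-5": "Vulnerability Monitoring and Scanning",
    "SC-7": "Boundary Protection",
    "SI-2": "Flaw Remediation",
}
# Constructed platform profile: what a hypothetical PaaS provides per control.
PAAS_PROFILE = {"PE-3": "inherited", "SC-7": "inherited",
                "AU-2": "hybrid", "CM-6": "hybrid"}

@dataclass
class BacklogItem:
    control_id: str
    title: str
    responsibility: str          # "hybrid" or "application"
    assessor_approved: bool = False

def build_backlog(baseline, platform):
    """Create one backlog item per control the application team still owns."""
    items = []
    for cid, name in sorted(baseline.items()):
        kind = platform.get(cid, "application")
        if kind not in ("inherited", "hybrid", "application"):
            raise ValueError(f"unknown responsibility {kind!r} for {cid}")
        if kind == "inherited":
            continue             # fully covered by the platform's authorization
        items.append(BacklogItem(cid, f"[{cid}] {name}", kind))
    return items

def inheritance_ratio(baseline, platform):
    """Fraction of baseline controls the team inherits outright."""
    inherited = [c for c in baseline if platform.get(c) == "inherited"]
    return len(inherited) / len(baseline)

def unapproved_controls(backlog):
    """Controls still blocking authorization: not yet approved by the assessor."""
    return [i.control_id for i in backlog if not i.assessor_approved]

if __name__ == "__main__":
    backlog = build_backlog(BASELINE, PAAS_PROFILE)
    for item in backlog:
        print(item.title, "->", item.responsibility)
    print("inherited share:", round(inheritance_ratio(BASELINE, PAAS_PROFILE), 2))
    print("open controls:", unapproved_controls(backlog))
```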
Step 3: Begin Periodic Reviews
Next, the agency's focus shifts to the DevOps pipeline and performing security scans. With these scans, agencies can check for dependencies, vulnerabilities, and overall code coverage. The pipeline performs unit and integration testing while enforcing release processes.
Weekly meetings between the assessor and the development teams keep communication lines open as progress is reviewed and measured. Throughout the process, the security team performs periodic control and scan reviews to help teams remain prepared.
Step 4: Inject AIOps Data Capabilities
Timed to occur around deployment, this final step is critical to high security and trust, allowing agencies to move beyond security at release and start shifting left earlier. AIOps (or Artificial Intelligence for IT Operations) is an industry category for machine learning analytics technology that enhances IT operations analytics. By bringing in AIOps, agencies apply controls at every build and even inject security during hiring, onboarding, and training of employees, contractors, or vendors.
This streamlined approach enables continuous compliance on release and continuous lifecycle monitoring – resulting in a continuously secure quality software system in production.
Return on Investment of Continuous ATO
With the previous four steps complete, agency leaders can sit back and reap the benefits of their hard work – enjoying automated continuous ATO processes and innovative DevSecOps for years to come. Through the proper implementation of DevSecOps, federal agency clients meet several goals:
- Realize shorter cycle times and enhance overall security for digital products by adopting secure engineering practices throughout a continuous delivery lifecycle.
- Achieve holistic digital delivery and technical objectives through consistent development processes and security testing, flexible test environments, accurate test results, advanced technology that promotes automation, visibility into deployments, and skilled subject matter experts who provide regular insights into team decisions.
- Foster a culture of ongoing collaboration between development, security, and operations teams by implementing Security by Design and Privacy by Design principles – including the left shifting of security testing and threat modeling to identify risks early and managing vulnerabilities in a consistent manner across the enterprise.
If agency leaders are interested in innovating their DevSecOps processes, ITC brings nearly 20 years of federal consulting experience, offering innovative solutions to the government and private sector. ITC delivers Continuous ATO solutions, based on our deep understanding of Federal and Agency-specific security requirements (e.g., RMF, FedRAMP, NIST 800-53, NIST 800-171, and ISO 27001), and led by ITC's credentialed (CISSP, DoD 8570, Security+, Cloud+ and more) and cleared staff. ITC has experience delivering DevSecOps improvements for clients and is proud to include this work in our IT services offerings.