The National Background Investigative System Directorate (NBIS) recently deployed its first realization of the Develop, Security, Operations pipeline, becoming one of the first to adopt DevSecOps in the Department of Defense (DoD) and the Defense Information Systems Agency (DISA).
The capability consists of standing up a series of integrated environments in Amazon Web Services GovCloud and adding DevSecOps tools to create a security-of-code culture with ongoing, flexible collaboration between developers, release engineers and security teams.
“The DevSecOps premise is that everyone in the software development life cycle is responsible for security, and we are thrilled to bring this best practice into DoD’s realm,” said NBIS Program Manager Heidi Cotter. “Our team has worked diligently over the past year to set up, test and document processes that have laid the foundation of DevSecOps implementation for this program and others at DISA and DoD.”
In addition to standing up environments for developers, testers, product managers and users, the NBIS team also installed commercial off-the-shelf tools to facilitate a fully integrated environment. The NBIS PMO held the first NBIS DevSecOps pipeline tabletop exercise for its system in January to demonstrate agile software delivery procedures for NBIS’ Position Designator Tool code through the pipeline. In addition, both the electronic applications and investigative management systems will be table-topped in the DevSecOps pipeline.
While NBIS was in the DevSecOps testing phase, the directorate received an Interim Authorization to Test from DISA’s Risk Management Executive. The program is currently seeking a full authority to operate.
“By bringing development and operations under a single automated umbrella, DevSecOps will help with everything from more frequent feature releases to increased application stability,” said NBIS Engineering and Testing Division Chief and DevSecOps Lead Ben Cox. “We have documented many lessons learned throughout our implementation phase and produced a comprehensive DevSecOps approach that has been well received within the DoD community.”
The NBIS DevSecOps implementation is receiving positive feedback. The NBIS DevSecOps Approach Process Document – which covers processes including code migration, pipeline access and tools adoption – has been peer reviewed and approved by the National Security Agency, DISA’s Risk Management Executive and the Emerging Technology Directorate.
NBIS’ DevSecOps initiative is also being touted within the larger DoD community, with Cotter featured in the March 2020 DoD Agile Acquisition Pilot Community of Practice Newsletter and Cox serving as one of the keynote briefers at the August meeting of the same community of practice group.
Additionally, in an effort to communicate NBIS’ DevSecOps approach and implementation, the team recently produced a short, animated video highlighting how DevSecOps is enabling faster, and more secure, software development and deployment.