DoD Enterprise DevSecOps Initiative (DSOP)
What is the DSOP?
The DSOP is joint effort of the DOD’s Chief Information Officer, Office of the Undersecretary of Defense for Acquisition and Sustainment and the services focused on bringing automated software tools, services and standards to DOD programs so that warfighters can create, deploy and operate software applications in a secure, flexible and interoperable manner.
- Joint Program with OSD A&S, DoD CIO and the DoD Services.
- Selecting, certifying, and packaging best of breed development tools and services (over 100 options)
- Creating the Sidecar Container Security Stack (SCSS) for baked-in zero trust security
- Creating a Centralized artifacts repository of hardened and centrally authorized containers
- Designing a Scalable Microservices Architecture with Service Mesh/API Gateway and baked-in security
- Providing on-boarding and support for adoption of Agile and DevSecOps
- Developing best-practices, training, and support for pathfinding and related activities
- Standardizing metrics and define acceptable thresholds for continuous ATO
- Working with DAU to bring state of the art DevSecOps curriculum
- Creating new contracting language to enable and incentivize the use of Agile and DevSecOps
What is DevSecOps?
The software automated tools, services, and standards that enable programs to develop, secure, deploy, and operate applications in a secure, flexible and interoperable fashion.
Why should I care?
- Software and cybersecurity pervades all aspects of DoD’s mission (from business systems to weapons systems to Artificial Intelligence to cybersecurity to space) – establishing DevSecOps capabilities will:
- Deliver applications rapidly and in a secure manner, increasing the warfighters competitive advantage
- Bake-in and enforce cybersecurity functions and policy from inception through operations
- Enhance enterprise visibility of development activities and reduce accreditation timelines
- Ensure seamless application portability across enterprise, Cloud and disconnected, intermittent and classified environments
- Drive DoD transformation to Agile and Lean Software Development and Delivery
- Leveraging industry acquisition best practices combined with centralized contract vehicle for DevSecOps tools and services will enable . rapid prototyping, real-time deployments and scalability
- We cannot be left behind: China, Russia and North Korea are already massively implementing DevOps
Value for DoD Programs
- Enables any DoD Program across DoD Services deploy a DoD hardened Software Factory, on their existing or new environments (including classified, disconnected and Clouds), within days instead of a year. Tremendous cost and time savings.
- Multiple DevSecOps pipeline exemplars are available with various options to avoid vendor lock-in and enable true DoD-scale as there is not a one-size-fit-all for CI/CD.
- Enables rapid prototyping (in days and not months or years) for any Business, C4ISR and Weapons system. Deployment in PRODUCTION!
- Enables learning and continuous feedback from actual end-users (warfighters).
- Enables bug and security fixes in minutes instead of weeks/months.
- Enables automated testing and security.
- Enables continuous Authorization to Operate (ATO) process for rapid deployment and scalability. Authorize ONCE, use MANY times!
- Brings a holistic and baked-in cybersecurity stack, gaining complete visibility of all assets, software security state and infrastructure as code.
- Microservices Architecture to facilitate the adoption of microservices
- Deployed on any environment, including DoD-approved Cloud and Jedi (when available).