But it’s not just about numbers; it’s about ensuring the employees have the right skillsets to manage a DevSecOps environment as well as work in a healthy environment.
“What you don’t want is to micromanage, but you want to set the right guardrails baked into the process. When you release software in Platform One — the way we accredit continuously and multiple times a day — contractors cannot effectively diverge from that construct. They have to stick to that construct. They cannot bypass testing, cheat cyber scans and things like that,” Chaillan said on Ask the CIO. “We know the quality. We know the productivity. We can track the velocity of work. The government people are focused on taking the big requirements and getting them to ethics, user stories and prioritizing and grooming the backlog. They also are defining the architecture of the implementation by looking at architecture diagrams, how the data flows and the different tools we will be using to ensure there is no vendor lock-in or ensure the open source tools are safe to use.”
The federal employees and military service members overseeing Platform One and Cloud One have to be able to trust the contractor performance and apply the right kinds of oversight.
This approach has led the Air Force to be able to deploy new software capabilities 21 times a day. The initiative set a requirement that it should take no more than three months to roll out new capabilities. Chaillan said the move to DevSecOps and agile methodology is ensuring the Air Force is building capabilities that meet user needs quickly and successfully every time.
IT success isn’t good
John Weiler, the founder and chairman of the IT Acquisition Advisory Council (IT-AAC), said the Air Force’s success with Platform One and Cloud One shouldn’t be underestimated, as it’s the type of focus that has been missing in government for decades.
He said concepts like value streams and value stream analysis are disciplines that agencies aren’t using, but they are part of DevSecOps and agile.
“When we look at failure analysis, it helps you recognize failure patterns early in the process,” Weiler said. “DoD’s average success rate of delivering timely capabilities, per the House Armed Services Committee, is only 16%. A 16% success rate is terrible.”
Weiler said agencies need to move away from these “broken, industrial age” waterfall processes.
Chaillan said the DevSecOps processes break away from the old way of development by integrating testing, security, change management and automation to ensure every effort is meeting the goals the Air Force laid out.
He added that for a typical DoD acquisition, 40 cents of every dollar goes toward paperwork and meeting compliance requirements. He is trying to move more money into the capabilities by automating and standardizing many of these obligations.
“When you mix agile and DevSecOps into a single construct, which should be the only way to build software in 2021, that is the only way to compete with our competitors,” Chaillan said. “The biggest gap we have is we don’t invest in our people and don’t do a good job with continuous learning. Most of the technology we are using at Platform One is less than three years old. So you have to learn multiple times a day and continuously do that.”
Weiler added that, many times, failed or struggling projects first show signs of problems during the architecture, planning and market research phases.
“With a high degree of fidelity of understanding the market, you can separate the ‘make or buy’ decisions. You can say, ‘this has to be built and I will control the baseline.’ Then with what you buy, you have to assemble them through DevSecOps,” he said. “We need better informed front end processes. We need better portfolio management. We need a real service-oriented architecture. Without it, we will fall short.”
Never enough project managers
Many of these struggles come back to the lack of talent in project and product management. Agencies for more than 15 years have been trying to hire and train project managers, but always seem to need more people with these skillsets.
“We need someone who has a cloud native architect background,” Chaillan said. “A lot of people are saying the Air Force needs more airmen coders. I don’t agree with that. I think it would be great to have them and we need them. But it’s not the most important piece that we need. The most important piece that we need and don’t have, and are building curriculums now is that cloud native architect. That person can guide the project to make buy vs. build decisions, and how you interconnect all these different tools together.”
Platform One is bringing together commercial and open source tools and integrating them to create the DevSecOps pipeline.
Weiler said agencies need to do a better job looking at the lifecycle costs of a program and making risk-based decisions for how to move forward.
“The concept of increment, agile development being risk based has to continue to evolve,” he said. “There has to be political leadership at the top of the Pentagon and Congress that will put aside Congressional rice bowls, but that isn’t going to happen.”