The Department of Veterans Affairs is transitioning to a software factory model, following in the steps of agencies like the Defense Department, to advance secure software development and deployment.
Lynette Sherrill, chief information security officer at the VA, said the software factory model will help the sprawling agency build secure applications “from the beginning.”
“We’re going to a software factory model, and that’s not new for industry, but we’re going to be standardizing on a minimum number of platforms that will become the base of the security and all of our developers will be required to build on just those platforms, and they will inherit those security controls,” Sherrill said on Federal News Network.
Sherrill said one of the platforms, called “Lighthouse,” provides VA developers with automated information on cybersecurity vulnerabilities in software applications.
“So that code with known vulnerabilities in it can’t even physically get into production until they’re remediated,” she explained.
At an enterprise level, however, Sherrill said the VA still faces challenges in understanding cybersecurity risks and threats on a real-time basis.
“It’s still a challenge, though, because what does that look like at the enterprise level, and how does all that begin to feed up and give me a risk picture of the entire enterprise? That’s a work in progress,” Sherrill said. “But I do believe those foundational things are going to get us there.”
VA’s move to a software factory model comes as more than 50% of agency systems are now cloud-based, according to Sherrill. Under President Joe Biden’s cybersecurity executive order and subsequent federal zero trust strategy, agencies have increasingly moved to the cloud for the increased cybersecurity it can provide.
Matt Smith, senior advisor to the CISO at the Department of Homeland Security, said many aspects of cloud computing are “inherently zero trust.”
“Cloud provides us reusable security so we can establish platforms and development pipelines and entire enterprise infrastructures in cloud that can be secured by design and don’t require being redone and recouped in order to get the next application secure,” Smith said.
But Smith also emphasized that cloud security is “inherently collaborative.”
“We need to increase our collaboration among customer agencies, who in use of a cloud provider, all having very similar experiences, have the same risks, have many of the same issues to respond to,” Smith said. “The efforts to collaborate in continuous monitoring in cloud environments are huge.”
Agencies also need to collaborate with cloud providers, he added.
“Responding to an incident in cloud is a team effort between the providers and the customer agencies,” Smith said. “We think cloud security is like French bread. When you’re in France, it’s just bread. We’re going to get to the point where security is security and differentiating ‘cloud security’ is an unnecessary moniker.”
Smith said DHS is in the midst of considering a “radically transformative look at cyber risk management” to move toward more continuous monitoring and automation.
“It’s about getting the right information collected to have the right amount of visibility,” he said. “The more that can be automated, the more that can be data driven decisions, the more efficient and effective we are at the security that we’re trying to accomplish. Certainly, there are things that are not done every day. We’re still going to have incident response exercises and contingency plans and other things that will remain manual and those are high value, but also, if there’s manual efforts that are not high value, stop doing it. That’s the strategic approach that we’re going to take and try and implement.”