Like many technology journeys agencies are on, the one to make software development faster, cheaper, better and more secure continues to evolve.

The rush to get away from the waterfall approach of old and into agile or DevSecOps came and went like most buzzwords. What has remained, however, is the continued push to change policies and processes, educate workers and institutionalize these agile or iterative development approaches.

The Government Accountability Office recently released an updated agile assessment guide to help agencies identify common challenges and solutions to increasing the speed of adoption of agile.

GAO said like most process changes it requires not only new technology, but a change in culture, as most federal employees reported struggles with collaboration and information sharing.

Since 2012, the Office of Management and Budget and other agencies have put out 16 different memos, guides, playbooks and the like to help agencies transition to agile development.

Agencies must adopt agile processes to bring efficiencies and automation while also reducing processing times, increasing speed to the end user and improving the overall security of their software.

Col. Richard Lopez, the senior materiel leader for Kessel Run at the Air Force, said the growing acceptance and use of agile development is part of a broader culture change that is all about transforming the way DoD meets warfighters’ needs.

“The real magic that has enabled agile and DevSecOps for the Air Force, and probably the rest of the DoD, is really the overarching legal and policy changes. Things like the software acquisition pathway that helps us move away from large monolithic requirements. It’s really allowing us to, over time, deliver a minimum viable capability release or a minimum viable product that then you can continue to expand on and continue to deliver capability on top of that,” Lopez said during the panel discussion Future-proofing government with agile: Unveiling benefits and overcoming challenges. “I think this goes back several decades where someone said ‘no successful complex system ever started as a complex system.’ The opposite is also true. If you start off with a complex system, you’re never going to make it successful. So agile to me is really the ability to start off with a small, simple, less complex system that you can continue to expand and continue to deliver capability over time.”

Keeping up with constant change

Lopez called the software acquisition pathway authority part of the agile magic spreading across DoD.

He said more and more DoD is realizing that the technology it is using and developing today will look a lot different in 5 or 10 years.

“We just know that we’re addressing current requirements for the current warfighter’s needs. Then over time, those needs and requirements will change, not only because of the nature of the threats, but because of the nature of the capabilities that we’re delivering,” he said. “It’s an iterative cycle where you deliver a capability that addresses a need, and then the fact that that need is being addressed enables or conceives of new needs, that then you have to continuously address over time.”

For the Navy, its Black Pearl, a platform to begin standardizing its approach to DevSecOps, has been part of that broader education campaign around DevSecOps.

Manuel Gauto, the director of engineering for Sigma Defense and who works with the Navy’s Black Pearl effort, said the good news is the Navy is shifting out of early education mode and into more advanced understanding of the processes of agile development.

“We are starting to see true adoption of some of the tooling that we’re offering. We’re seeing folks using some of the advanced task management capabilities, advanced continuous improvement/continuous delivery (CI/CD) capabilities,” Gauto said. “We’re also at a point where we’re starting to see real capabilities getting delivered through these processes instead of people just talking about delivering through this process.”

IT modernization driving DevSecOps

Through Black Pearl, the Navy is helping 17 or so software development factories take advantage of standardized infrastructure services and collaborate across the service.

While Air Force Kessel Run and Navy’s Black Pearl are ahead of the curve, the U.S. Transportation Command is closing the education gap through its IT modernization strategy.

Mike Howard, the engineering and digital transformation division chief at TRANSCOM, said both the CIO’s office and the program managers are leading the move toward an agile framework.

“We understand that’s a core foundation for us. It’s essential to establishing containerization micro services, true baked in software development lifecycle to even getting to a modern runtime environment like Kubernetes and continuous monitoring,” Howard said. “Then, of course, we also see that as the central for establishing a zero trust framework as well.”

Howard added the recent modernization memo the CIO signed out in late 2023 helps to establish some of the foundational areas to measure in the organization’s move to agile development.

“We have just a few applications that are lifted and shifted, who have developed a DevSecOps pipeline and are operating in a containerized environment. The demonstration of a DevSecOps platform with a software factory and a runtime environment, where all of our applications can modernize to a standardized set, that’s the panacea for us,” he said. “Some of our modernization memo work here is to establish a vision of how we’re going to modernize. So first and foremost, we want all of our components to develop to a DevSecOps platform capability. We’re good if they develop their own DevSecOps platform with our help. But we want them to do that first, and then we want their efforts to be focused on refactoring to achieve that DevSecOps pipeline within that platform.”

Creating trust, transparency

Each of the different DoD organizations’ agile journey is buoyed by strong metrics. Jimmy Norcross, the senior vice president of agile digital solutions at CACI, said understanding the impact your organization is having on delivering capabilities is an important aspect of the DevSecOps framework.

“The metrics and understanding what you are delivering and measuring those things are things any business can align to,” Norcross said. “In an industry like information technology, specifically, cloud development, where you talk about we’re doing things faster, the CEO says, ‘big deal, what does that mean to me?’ But when you can apply metrics that are fast, that are customer-centric, that have feedback, where you’re not waiting six-to-nine months, and then getting told, ‘I’m sorry, we didn’t deliver,’ versus one to two weeks to know that we failed on this, but we learned some things and we’re ready to pick up and get started on something else.”

Another key aspect of creating a strong agile environment is transparency between the product owner and the development team. Norcross said the constant feedback and collaboration with the users creates a level of trust that builds over time that ensures successful delivery of capabilities.

“Change is inevitable and that’s where agile comes in. Requirements are going to constantly change, and agile provides us that adaptability to move in that direction,” he said. “Where we’re focused on is getting better and better and better, whether it’s around people, processes, tools, culture or all of those things, and then really doing that at scale.”

Learning objectives:

• How agencies are using Agile, DevSecOps to modernize applications
• Measuring success in an Agile, DevSecOps environments
• Building trust and confidence across teams