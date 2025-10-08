The concept of DevSecOps has been around long enough that it’s now firmly established in most federal agencies as one of the key underpinnings of producing secure software, and even small agencies increasingly have their own DevSecOps pipelines in place to meet that goal.

But getting the results they need takes more than just having that pipeline. It also takes planning — including a lot of “shifting left” of the processes that agencies have used in the past.

At the Export–Import Bank, for example, it means treating security as a baseline development requirement from the very beginning, along with the infrastructure that’ll be needed to support the system.

“You can’t build a great application and have it sit on top of infrastructure that has issues. So from a shift left perspective, we make sure we’ve got all our requirements at project initiation,” Darren Death, chief information security officer for the Export-Import Bank, said during Federal News Network’s Cyber Leaders Exchange 2025.

“Historically, security requirements were always those things that are the negotiables, like they’re not required. Well, they are required. They should be treated like functional requirements. And that’s one of the cultural things that we do here at ExIm: We treat them as functional requirements. And the reality is when you’re doing them during design, you can design the functional requirements and security requirements together, and then a lot of those issues — of fear, uncertainty, of doubt — they may go away because you’re building them together. You’ve got a high performing system that’s also secure.”

Addressing supply chain risk

That same mindset has taken hold at the Bureau of Safety and Environmental Enforcement, the small Interior Department component that oversees the offshore oil and gas industry.

Madhuri Sammidi, BSEE’s deputy associate chief information officer, said the agency has moved to a model that incorporates security by design.

“Security starts really early, even before we start implementing a system,” she said. “It really starts at the planning phase, and the planning phase could be procuring something, which includes software supply chain risk. That is a huge risk that we all are facing, and some of the incidents that we all have seen are caused by the supply chain risk. And we have to think ahead. The security personnel — the security operations team and the cybersecurity assessment team — should be included in all these conversations, as applicable, wherever they can be so that we are not bolting the security on later, we are thinking about the security in every single phase of the software development life cycle, starting from the planning.”

And mitigating that supply chain risk also requires early conversations with vendors, Sammidi said.

“It has to start with publishing their inventory before we even start acquiring their software,” she said. “We as a government heavily rely on external vendors and their software and integrators. So it is very important to have all these expectations and engage with the vendors right from the beginning on these aspects of the cybersecurity and incorporating security in every single phase of the life cycle of the software system, as well as having them come on to the same page as you with your DevSecOps model. How their software bill of materials can be integrated and consumed into your continuous integration, continuous delivery pipelines is very important, and something we can all take advantage of.”

Incorporating security in acquisition

And particularly in the case of small agencies, the personnel conducting the development work may be, by and large, contract employees themselves.

That means all the considerations that go into the DevSecOps planning process also need to be brought into the contracting process too, Death said.

“If you don’t do your contract right, you get a thing, not a secure thing,” he said. “We’re about to go into 2026, and you’d think we’d just be getting secure things by default. But you don’t, which highlights the importance of a responsible manager to take the time to build out those security requirements. You can’t assume. And at the end of the day, what you ask for is what you’re paying for. You need to have that integration with your procurement team so that the appropriate person — the CIO, the CISO or someone else — is reviewing that contract to make sure that these things have been accounted for and that you’re trying to get a secure thing.”

Taking AI ‘baby steps’

Meanwhile, agencies are also thinking through how new artificial intelligence–assisted approaches to secure code development could help with the task of incorporating secure design principles early in the process.

Sammidi said BSEE is still taking “baby steps” toward using AI as an enabler on the software security front, but that there are promising signs.

“Right now, there are so many manual processes in things like code repository evaluations and scanning and vulnerability reporting, and the dashboards we see aren’t always live data,” she said. “AI could be an answer to some of these challenges that we all are facing right now because false alarms and false positives are creating sort of a fatigue in the security community. AI could be a great aid in reducing some of that fatigue. AI still needs human intervention because there are some challenges within terms of things like data quality reporting, but it could be a great enabler, and we have to start small and go with that until we automate things using completely AI-driven cybersecurity.”

At the ExIm bank, officials are already in the early stages of using AI tools for code analysis, Death said.

“When we’re doing our code reviews as part of the CI/CD pipeline, when software is discovered that we suspect could be vulnerable, the tools will actually suggest software code changes,” he said. “You’re still responsible for your results and the software developer ultimately has to have the skills to determine whether or not those updates and changes are actually valid, but the tools are able to accelerate the time. It used to be that when you would run a security scan, it wasn’t the developers doing that. That’s another key thing we do here: We make sure that developers are running the scan. We [in the security community] control the configuration, we understand how it’s configured, but then we give them the ability to run it. Because there’s nothing special about me pushing the start button versus them. They can push it, but then they get the results of the scan, and then the tool is able to actually give them that information.”

