Making software more than an ‘IT thing’
Software modernization has a branding problem, and it’s going to take more than the colloquial culture shift to speed up the Defense Department’s adoption of modern tech capabilities.
“Part of the marketing of this is to make sure that being good at software escapes the domain of IT people and really gets thought of in the context of making us more effective at warfighting,” Peter Ranks, the deputy CIO for information enterprise, told FCW.
“The real challenge for the leadership, I think, is not to just latch on to the tech piece of this, but to really be willing to dig in and have the sustained focus to kind of impact culture,” Ranks said.
But the bureaucracy isn’t built for software’s rapid development, increased demand and security needs — something that played a major role during the Defense Department’s response to tech needs spurred by the pandemic and teleworking.
“We’ve got folks working in a workforce lane over here, we’ve got instructions from Congress, we’ve got new acquisition authorities, we have a conversation about a color of money for software, we have lots of tools development, we have nascent conversations in places like the test community — but it wasn’t really pulled together at least from what I could see into a program of work in a highly communicative community,” Ranks said.
That “communicative community” wasn’t really possible before nationwide shutdowns for COVID-19 forced much of the Defense Department’s workforce from secure, but latently connected, offices to their homes.
“I didn’t get chat messages from these guys in the other [military] services in a way that was not actually super easy to do prior to standing up [the Commercial Virtual Remote] service,” DOD’s version of Microsoft Teams, Ranks said.
But the move has turned into a must-have capability that goes beyond an option in case virtual private networks failed.
“It turned out the need we were really meeting was not one of what if my infrastructure fails, it was just a gaping hole around legitimate collaboration capability, especially cross [military] service capabilities,” Ranks said.
‘Failure to communicate’ security
Ranks said his office is focused on two major things in the next year: the intersection of DevOps and cybersecurity, and tracking the DOD’s progress as it adopts new tools and methods around software.
“Our security folks should be begging us to get to a DevSecOps model, but we haven’t yet demonstrated how all of that data that is emitted by these tools gets turned into the type of evidence that they need in order to make their risk management decisions,” Ranks said.
“That’s evidence of a failure in communication” that Ranks wants to correct in fiscal 2021 with guidance for the cyber community on how it can implement a DevSecOps model, similar to the reference guide issued for developers.
Ranks first indicated the need for a security-focused guide in January before COVID-19 lockdowns took hold, with the expectation that it would be completed by the summer.
“[DOD] put out some stuff that says here are some good models to use to build DevOps pipelines. We need the companion document that shows here’s how you can vouch for the security of the products of those pipelines and then all of the tooling that goes along with that,” Ranks said.
“We tend to measure a lot of the effort and the input, but it’s difficult for us to actually assess the impact at the other end. But we don’t really have good instrumentation to measure speed and quality delivered to the end user.”
Ranks said that is being worked on now so “the data that these systems can kind of naturally produce gets rolled up in a way so that we can track speed and quality.”
“From a culture change perspective, security-minded perspective,” said Paul Puckett, the director for the Army’s enterprise cloud management office, “there’s a lot of unknown — a new methodology, a new way of doing business. But a lot of it gets to, I think, understanding kind of how cultures were created. And if we want to change cultures, we have to understand what has created these cultures.”
That means rethinking the importance of checklists, audits and other compliance exercises when it comes to measuring true security.
“Can we actually assess our systems in the mean time to detect the security vulnerabilities in our environment? And then are we really assessing ourselves against our mean time to restore those security vulnerabilities to actually a good state?” Puckett said.
The Army is tackling the security issue a little differently by partnering with Army Cyber Command and Army Network Command to fold the security community into the DevSecOps ecosystem and training, the Army’s enterprise cloud director said.
“To Pete’s point, the tools and the resources just are fundamentally new and so we’ve got to bring those people along when it comes to understanding how we manage risk in real time, leveraging new methodologies for building systems and therefore new tools for assessing our risk posture,” Puckett said.
But the Defense Department’s ultimate goal of overhauling its software development, fully converting to DevSecOps by 2025, can’t be done without complete buy-in, and assists, from the technologists inside the DOD.