Transcription
16 June 2021Implementing DevSecOps inMDA GMDSEI DevSecOps DaysRanjit S. Mann, PEDISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited.GMD DevSecOps LeadApproved for Public Release21-MDA-10845 (3 Jun 21)
Missile DefenseEvolving Threat EnvironmentAdversaries are fielding diverse and expansive ranges ofmodern offensive missile systemsRange Developing new missiles & improving existing systems- Precision strike- Penetration aids (e.g. decoys, jamming devices) Capable of maneuvering in midcourse or terminal phase- Maneuvering Reentry Vehicle (MaRV)- Multiple Independent Reentry Vehicle (MIRV)- Hypersonic Glide Vehicle (HGV)- Long Range Cruise Missiles (Defense of Homeland)SRBMMRBMIRBM Integrating ballistic, cruise missiles and UAVsICBMNote: Range rings from Pentagon to show scaleSRBM: Short Range Ballistic MissileMRBM: Medium Range Ballistic MissileIRBM: Intermediate Range Ballistic MissileICBM: Intercontinental Ballistic MissileSpeedSubsonic: Mach 1Supersonic:Mach 1-5(300-1000 km :: 621 mi)(1000-3000 km :: 1864 mi)(3000-5500 km :: 3418 mi)(5500 km :: 3418 mi)( 770 mph)IranEmad-1 MRBM with MaRV(770-3,800 mph)Hypersonic:Mach 5-10 (3,800-7,700 mph)High Hypersonic:Mach 10-25 (7,700-19,200 mph)Ref: 2019 Missile Defense ReviewNorth KoreaHwasong-15 ICBMChinaDF-17HGVApproved for Public Release 21-MDA-10845 (3 Jun 21)RussiaKinzhal MRBM ALBM2
Missile Defense Agency MissionTo develop and deploy a layered Missile Defense System todefend the United States, its deployed forces, allies, andfriends from missile attacks in all phases of flightMissile Defense CapabilityGlobally DeployedApproved for Public Release 21-MDA-10845 (3 Jun 21)3
Missile Defense Agency FoundationsIn Support of Strategy to Defend the NationApproved for Public Release 21-MDA-10845 (3 Jun 21)4
Today’s Layered Active Missile Defense SystemApproved for Public Release 21-MDA-10845 (3 Jun 21)5
DoD Enterprise Development SecurityOperations (DevSecOps) InitiativeDevSecOps implementation value to MDA: Enhances Communication and Collaboration Continuous Integration / Continuous Delivery Rapid delivery of software capability to warfighter Deploy software within days instead of monthsor years saving cost and schedule Implement cybersecurity earlier in softwaredevelopment life cycle (SDLC)DevSecOps Software Lifecycle Transparency into SDLC activities Reduces accreditation (Authority to Operate (ATO))Source: DoD Enterprise DevSecOps Reference Design (Sept 12, 2019)timeline from months to weeks or days by continuousATO Increases software application portability Implements agile practices and principles in SDLC Hardware virtualization for early software andhardware integration (Find and Fix SW Bugs early) Enables automation to reduce the human error in SDLCApplication DevSecOps ProcessesSource: DoD Enterprise DevSecOps Reference Design (Sept 12, 2019)Create, deploy, and operate software in a secure, flexible and interoperable manner via automated softwaretools, services and standards saving cost and schedule while achieving performanceApproved for Public Release 21-MDA-10845 (3 Jun 21)6
DoD Leadership Thoughts On Software“What keeps me up at night is not North Korea, but that the U.S. has lost it’s ability to go fast.”- Gen Hyten as STRATCOM Commander at AFA in al-john-hyten-vice-chairman-joint-chiefs-staff“ the thread that runs through all of our programs and all thatwe do is software and I believe that we need to catch up with theprivate sector ” USD(A&S), HON Ellen LordLets Talk Agile AAF Pathway with Sean Brady - DefenseAcquisition University (dau.edu)If confirmed to be the next USD(A&S),what is the first thing you would doto improve how DoD acquiressoftware?Approved for Public Release 21-MDA-10845 (3 Jun 21)7
DoD DevSecOps Policy/Guidance1.2 PolicySection (f) Programs will requiregovernment and contractor softwareteams to use modern iterative softwaredevelopment methodologies (e.g., agileor lean), modern tools and techniques(e.g., development, security, andoperations (DevSecOps)), and humancentered design processes to iterativelydeliver software to meet the users’ priorityneeds.Policy does not mandate DevSecOps but it is very difficult to meet policywithout implementing DevSecOpsApproved for Public Release 21-MDA-10845 (3 Jun 21)8
DevSecOps OverviewDevSecOps aims to ensure quickrelease cycles and promotes acollaborative, integrated communicationplatform to include development,operational, compliance, tester,business analyst, project managers andend users who are sharing samebusiness goals to maintain world classreliability, operation, and security.Digital Engineering Artifactse.g., Requirements, Architecture, etc.Source: fm?assetid 517144DevSecOpsDigitalEngineeringSource: DoD Enterprise DevSecOps Reference Design (Sept 12, 2019)Approved for Public Release 21-MDA-10845 (3 Jun 21)9
DevSecOps Reference Design PillarsThe hardest part.DoD Enterprise DevSecOps Reference Design v1.0 Public Release.pdf (defense.gov)Approved for Public Release 21-MDA-10845 (3 Jun 21)10
SW DevSecOps Ecosystem Under ConstructionTo Support GMD Programs - VisionGovt. SW Eng. FactoryBased on Industry standardVendorVendor AdReleasedArtifactRepoDevelopment Pipeline 1Operations &RepoHW Virtualization Pipeline 2SIV&VMetricsSIV&V Pipeline 3Config.cATOMgmt.SW Assurance Pipeline ngEnvironmentTested,AgileScrumContainers DevSecOpsIntegrated,SW SafetyAssessValidated,ReleasePipelineCyber& SwAProduction,Deployment,Continuous IntegrationArtifactVendor BFeedback & Pre-production)EnvironmentSW Artifact DeliveryReleasedStaging Cybersecurity Pipeline NContinuous DeliveryVendor NRelease PipelineReleasedArtifactRepoBased on Industry standardDevSecOps TaskGov. Env.Deliver DeferredDeployNA OperateNAMonitorNA Gov. Env. Test Release DevelopBuildDevSecOps TaskDeployment PipelineVendor Env.Vendor Env.PlanSoftwareArtifact Repo DevSecOps Software Functions Government & Industry EnvironmentApproved for Public Release 21-MDA-10845 (3 Jun 21)11
SW DevSecOps Ecosystem Under ConstructionTo Support GMD Programs - VisionGovt. SW Eng. FactoryBased on Industry standardVendordVendor A movesonto GovernmentSW Eng. factoryDevSecOps TaskPlanDevelopBuildTestReleaseFeedback & Pre-production)EnvironmentDevelopment Pipeline 1Operations &HW Virtualization Pipeline 2SIV&VMetricsSIV&V Pipeline 3Config.cATOMgmt.SW Assurance Pipeline AgileScrumContainers DevSecOpsIntegrated,SW SafetyAssessValidated,ReleasePipelineCyber& SwAProduction,Deployment,Continuous IntegrationVendor B movesonto GovernmentEng. SW factoryVendor N movesonto GovernmentEng. SW factoryStaging Cybersecurity Pipeline NContinuous DeliveryRelease PipelineBased on Industry standardVendor Env.Move to Gov. Env.Move to Gov. Env.Move to Gov. Env.Move to Gov. Env.Move to Gov. Env.Gov. Env. DeliveryArtifact RepoDevSecOps TaskDeployment PipelineVendor Env.DeliverMove to Gov. Env.DeployNAOperateNAMonitorNAGov. Env. DevSecOps Software Functions in Government EnvironmentApproved for Public Release 21-MDA-10845 (3 Jun 21)12
Continuous ATO uous-ato-guidance/team6 documentation/-/tree/master/results/pdf to-guidance/team6 documentation/-/tree/master/results/pdf cATO authorizes the platform, process, and the team that produces the product under acontinuous monitoring process that maintains the residual risk within the risk tolerance of theAuthorizing Official (AO)Engagement with AO on regular basis is importantApproved for Public Release 21-MDA-10845 (3 Jun 21)13
Defense Innovation Board (DIB) StudySoftware is Never DoneProgramManagement Office(PMO) SW AcquisitionIV&VSW AssuranceSystem TestSoftware DeveloperDevSecOps(SoftwareFactory)Earned ValueManagementCyberSecurityLogisticianIT SupportConfigurationManagementSW Quality AssuranceDevSecOps Is a Multifunction Team Journey Not a Destination!Approved for Public Release 21-MDA-10845 (3 Jun 21)14
Approved for Public Release 21-MDA-10845 (3 Jun 21)
teams to use modern iterative software development methodologies (e.g., agile or lean), modern tools and techniques (e.g., development, security, and operations (DevSecOps)), and human-centered design processes to iteratively deliver software to meet the users' priority needs.
