USAF DevOps Practices - 18F/g-devops GitHub Wiki

USAF has been pushing for improved software development practices. It is seeing fairly large and rapid success, especially with Kessel Run and the other software factories it is standing up.

More on their efforts can be found below: https://fcw.com/blogs/lectern/2019/02/kelman-kessel-run-usaf-big-deal.aspx

Other software factories are standing up across the USAF, including Soaring Buffalo, BESPIN, Kobayashi Maru, and others.

The USAF leadership pushing these initiatives (from the Pentagon) includes the "Chief Transformation Officer" and the "Chief Software Officer". On the DevOps side, USAF is pushing for continuous ATOs so that security is "baked into" the software from the start. Their interest covers not just the CI/CD pipeline but also the organizational culture of the software group building it. An interesting quote from the Chief Transformation Officer (CTO) of the USAF:

> I’m happy to share more with you about the methodology. The short story is our model does this:
>
> 1. Empowers the engineers to build the system they really want to build and that they know best does what is needed.
> 2. Includes cybersecurity stakeholders throughout the process, with cyber table tops throughout and a penetration test prior to ATO.
> 3. Only requires documentation that is required for engineering continuity.
> 4. Includes an audit of culture and process factors that prove the team knows how to develop secure code and will be able to continue to do so as they onboard new talent.
> 5. Shifts from compliance checklists to proof and continuous monitoring and collaboration.
> 6. Uses peer reviews to continually push the bar.
> 7. Constantly forces a security mindset and ongoing collaboration with the security team.
>
> Basically we’re replacing SCAs with hackers, peer reviews, and process audits and giving top performing development teams credit for the security they are baking in.
>
> It’s a high bar but the continuous ATO has provided a great carrot for adoption of DevSecOps best practices, and that was actually the evil master plan.
>
> Cheers,
>
> Lauren Knausenberger
> Chief Transformation Officer, United States Air Force
> Mobile: 571-286-7835

USAF has been kind enough to share documentation related to its continuous ATO. We've uploaded that documentation to the DevOps Google Drive.