The Defense Information Systems Agency is looking in fiscal 2020 to expand its DevSecOps approach beyond just software development and into IT infrastructure.
Because DISA delivers IT services across the Department of Defense enterprise, there’s a large opportunity to embrace DevSecOps principles of security testing and automation on the infrastructure side to speed up delivery, said Steve Wallace, head of DISA’s Emerging Technology Directorate.
“What we want to do just beyond the development principles and code development that comes with DevSecOps, we want to take those principles and apply them to the way that we actually deploy infrastructure,” Wallace said Monday at DISA’s annual Forecast to Industry event.
DevSecOps refers to the integration of development, operations and security teams from the start to more rapidly build and constantly update a new tech capability. The methodology is most often used in software development but can also be expanded to IT infrastructure — things like networks, hardware, configurations and other resources that applications sit on.
There’s a lot of consistency and standardization across the infrastructure DISA offers to customer agencies, Wallace said, pointing to mobile devices and the configuration of their underlying operating systems as an example. “Why aren’t we starting to treat some of those things as code? Why aren’t we treating those configurations as code and then sharing them amongst the programs so we can more quickly deploy so that when it comes time for a re-accreditation, we have a history of configuration?”
He said DISA will be pushing “very hard” over the next year in this direction.
Wallace highlighted a total of 10 emerging technology areas his agency plans to focus on in fiscal 2020. In addition to DevSecOps, he pointed to assured identity, automation, browser isolation, distributed ledgers (more popularly referred to as blockchain), artificial intelligence and machine learning, mobile-desktop convergence, SOAR (security orchestration, automation and response), wireless transport (5G) and zero-trust authentication.
Assured identity is one that DOD and DISA have been focused on for several years as a replacement to the common access card. As it stands, the CAC is a very insecure concept. “You plug the card in, you put in your PIN, and away you go. I could walk away from the machine, somebody could pick it up, I could hand it off and say, ‘Here’s my credential and my PIN,’” Wallace said.
The agency is looking to bring mobile devices and machine learning into play to improve identity management. “How can we continuously monitor the user’s identity in the background … how can we build a profile of that user’s activity and their day-to-day actions,” Wallace said.
DISA hopes to pilot these technologies with help from industry partners to bring advanced capabilities to the warfighter without the hype. “We need to deliver,” Wallace said, though he didn’t detail any specific procurement opportunities at the event.
He called on vendors to be transparent about the realities and difficulties of these emerging technologies with the hopes of having “very transparent and open conversations.”
“Please don’t come promising the world, because everything’s got its challenge,” Wallace said. “Every one of these technologies … every one of them has its own independent challenges. But we can work through that and we want to work through that with you.”