"You deploy it, you own it."
It's a common phrase heard often in the DevOps community. It connotes responsibility, not passing the buck, and accountability. You not only deploy code into production that works, but you deploy code that is of the highest quality, scalability, and performance.
It also signifies security. None of us want "you deploy it, you own it" to evolve into "you deploy it, they pwn it".At All Day DevOps this past October, we heard from a number of people across the federal government who are leading DevSecOps initiatives. Leonel Garciga at the Department of Defense's JIDO shared his organizations journey to DevSecOps, detailing how they have automated numerous ATO paths.
The GSA's John Jediny (@JJediny) also discussed his agency's journey discussing ongoing authorizations (ATO) with component reuse and closed loop CI/CD pipelines and how they found fertile grounds between DevOps and SecOps while under the federal government's compliance regimes.
John was also one of the architect's behind the GSA's recently published DevSecOps Guide. The Guide describes "the requirements that need to be met by any specific implementation before it can be considered a Standard GSA DevSecOps Platform. It can also be used by owners of platforms in conjunction with the CTO, Deputy CIO, and CISO to define an implementation of the requirements described in this framework. Furthermore, it can be used by application developers to understand and find platform implementations. This framework is set alongside a template that captures the requirements for any platform implementation."
The DevOps teams at the U.S. Department of Defense and U.S. Government Services agency are among several agencies that have embarked along a journey to DevSecOps -- a journey that delivers better software, sooner. These teams have embraced the "you deploy it, you secure it" mindset -- where security is not simply bolted on to the end of the development process, but integrated early and across their DevOps pipeline.
To learn more about DevSecOps initiatives in government (lessons that can also be applied to the private sector), I encourage you to listen to Leonel's session and read the GSA DevSecOps Guide shared above.