By Jeff Urlwin
Vice President, Federal Managed Services
and Neiland Wright
Cybersecurity and DevSecOps Director, Business Development
The Department of Defense (DoD) has long known that the ability to quickly deliver secure and resilient software will be a critical competitive edge that will enable the department to evolve and adapt faster than its adversaries.
The DoD has also long recognized the vital role software factories must play in the modernization of DoD software development. The adoption of software factories across the DoD, however, is yet to happen, except in small pockets.
The U.S. Air Force software development lab Kessel Run established the DoD’s first software factory in 2017. Since then, a few dozen others have cropped up in various corners of the department. But many more will be needed for the department to reach the software-development future it envisions.
At stake is nothing less than our nation’s ability to deliver a more lethal force than that of our adversaries.
“The Department’s adaptability increasingly relies on software, and the ability to securely and rapidly deliver resilient software capability is a competitive advantage that will define future conflicts.”
— Deputy Secretary of Defense Kathleen H. Hicks
What Is a Software Factory?
In its Software Modernization Strategy, the DoD defines the software factory as:
“a software assembly plant for development and integration that contains multiple pipelines, equipped with a set of tools, process workflows, scripts, and environments, to produce a set of software deployable artifacts with minimal human intervention. It automates the activities in the develop, build, test, release, and deliver phases and supports multi-tenancy.”
The preferred software-development method of Silicon Valley companies such as Google and Netflix and other private sector leaders, software factories are characterized by:
- Automation and DevOps practices — including builds, testing, integration, and deployment
- An “as-code” approach to infrastructure, documentation, policy, and configuration
- Iterative and Agile development
- Standardization of tools and processes
- Containerization and microservices architecture
- Scalability and flexibility
- Collaboration and cross-functional teams
- Metrics and continuous improvement
Better Software, Delivered Faster
Software factories streamline development processes and improve collaboration, delivering software faster, more efficiently, and more reliably than traditional software-development methods. For government enterprises, this means, among other things, faster attainment of authorizations to operate (ATOs).
Software factories aren’t just faster and more automated; they’re also just plain better. Compliance, for example, is baked right into the software development process — automated and implemented as code. Software factories codify rules and allow automated verification of policy as code, documentation as code, infrastructure as code, and so on. This reduces the back-and-forth of compliance and allows greater visibility to security and management teams, driving greater confidence in the software process.
With software factories, you get a push-button, fully integrated, secure DevSecOps-as-a-service environment that allows development teams to focus on building secure mission applications rather than standing up and configuring environments.
Software factories can also provide:
1. Enhanced transparency and visibility for your information system security officers (ISSOs), application managers, application owners, and all others responsible for inspection and approval
2. Less time spent manually building and testing software — increasing productivity, velocity, and team morale
3. Automated regression, functional, and security testing to deliver better, more secure software with reduced labor
4. Integration with governance processes for increased control over releases, increased transparency, and greater confidence around more frequent, smaller releases
So, Why Isn’t Everyone on Board?
It’s natural for the organizational adoption of revolutionary technologies to be slow. The shift from traditional development methods to software factories faces a wide range of challenges across the DoD, including:
- Legacy systems in need of modernization
- Inertia of existing, functioning processes (Why change if it isn’t broken?)
- Complex procurement processes that slow the acquisition of modern software tools
- Workforce skills development and organizational change management needs
- Budget constraints
The biggest challenge to adoption may be the absence of widespread trust in software factories. Key to overcoming this challenge is developing an understanding of software factories, experiencing their benefits, and understanding the importance of achieving cultural acceptance.
Widespread Understanding and Cultural Acceptance
There’s a lot to understand about software factories — from Jira and GitLab, to Jenkins, Argo CD, and Flux, to testing tools such as Selenium, SonarQube, and StackRox. DoD software developers are still learning about these and other software-factory building blocks, and a general understanding has not yet spread through the realms of nontechnical DoD decision makers. This has hindered widespread cultural acceptance.
Also, a few software factory myths and misunderstandings seem to have taken hold. Some believe software factories will require them to surrender the control that enables them to do their jobs. They have concerns about security, governance and compliance, visibility, and interoperability. In fact, software factories yield improvements in all these areas, not compromises.
A distrust of automation is one of the factors impeding adoption. Where DoD software factories are in place, however, ISSOs and information system security managers (ISSMs) are benefiting from the automation of security scans and the automatic pushing of security artifacts to them. They no longer need to request a scan or, worse, start a scan and wait for it.
Where the governance is integrated, managers can control releases, see when they’re tested and ready, and initiate the release to production. They’ve gained trust in the transparency of the process and learned to value automation, rather than fear that it will run out of control.
It takes organizational change to develop an understanding and acceptance of revolutionary technologies, and managing that change will be worth the effort. By resisting the risk that accompanies enhanced automation, we’ll only create a barrier for technological growth and perpetuate slower, outdated software development practices.
“DoD must scale its ability to produce secure and resilient software at speed to maintain a competitive edge. The Department must pursue an enterprise-wide approach, establishing a software-factory ecosystem that takes advantage of investments already made....”
— Department of Defense Software Modernization Strategy, Nov. 2021
Manage the Change: Train, Educate, Adopt
It takes time and energy to turn a battleship. The DoD will need to invest in organizational change management to ensure the widespread adoption of software factories.
Proponents of software factories — from within the DoD and without — can hasten modernization through training and education that strengthens the DoD’s organizational grasp on the promise of software factories.
Technical and nontechnical DoD decision makers need access to software factory truths, so myths and misunderstandings can be debunked. Key players must understand that software factories don’t reduce control, visibility, or governance — that they provide all the visibility, testing capabilities, and built-in governance the DoD needs, while making software development exponentially faster and more efficient.
As those involved with the first DoD software factories already know, this is the future of software development. Software factories will be critical to the DoD’s ability to reduce software delivery times from years to minutes, evolve and adapt faster than its adversaries, and ultimately deliver a more lethal force.¹
¹ Deputy Secretary of Defense Kathleen H. Hicks memorandum, Feb. 2022