"You deploy it, you own it."
It's a common phrase heard often in the DevOps community. It connotes responsibility and accountability, not passing the buck. You not only deploy code into production that works, but also code of the highest quality, scalability, and performance.
It also signifies security. None of us want "you deploy it, you own it" to evolve into "you deploy it, they pwn it." At All Day DevOps this past October, we heard from many people across the federal government who are leading DevSecOps initiatives. Leonel Garciga at the Department of Defense's JIDO shared his organization's journey to DevSecOps, detailing how they have automated numerous ATO paths.
The GSA's John Jediny (@JJediny) also discussed his agency's journey, covering ongoing authorizations (ATO) with component reuse and closed-loop CI/CD pipelines, and how they found fertile ground between DevOps and SecOps while under the federal government's compliance regimes.
John was also one of the architects behind the GSA's recently published DevSecOps Guide. The Guide describes "the requirements that need to be met by any specific implementation before it can be considered a Standard GSA DevSecOps Platform. It can also be used by owners of platforms in conjunction with the CTO, Deputy CIO, and CISO to define the requirements described in this framework. Furthermore, it can be used by application developers to understand and find platform implementations."
The DevOps teams at the U.S. Department of Defense and U.S. Government Services agency are among several agencies that have embarked on a journey to DevSecOps, a journey that delivers better software sooner. These teams have embraced the "you deploy it, you secure it" mindset, where security is not simply bolted on to the end of the development process, but integrated early and across their DevOps pipeline.
To learn more about DevSecOps initiatives in government (lessons that can also be applied to the private sector), I encourage you to listen to Leonel's session and read the GSA DevSecOps Guide shared above.