The Department of War continues to expand its adoption of DevSecOps practices as the traditional software acquisition lifecycle proves too slow for modern threat environments. For defense organizations managing classified systems and intelligence platforms, implementing DevSecOps requires navigating unique challenges that commercial best practices don’t fully address.
Why DevSecOps Matters for Defense
Traditional defense software development follows lengthy acquisition cycles where systems can take years to move from requirements to deployment. In a threat landscape that evolves daily, this timeline creates a dangerous gap between capability needs and capability delivery. DevSecOps closes this gap by integrating security into every phase of the software development lifecycle and enabling continuous delivery of tested, secured software.
The DoD’s Software Modernization Strategy emphasizes DevSecOps as a cornerstone of transformation, and programs like Platform One provide shared infrastructure for DoD-wide adoption. However, implementing DevSecOps in practice — especially in classified environments — requires solving problems that go beyond installing CI/CD pipelines.
Key Challenges in Classified Environments
Air-Gapped Networks. Many classified systems operate on networks with no internet connectivity. Standard DevSecOps toolchains that depend on cloud-hosted repositories, container registries, and package managers must be adapted to function entirely within air-gapped environments. This means maintaining local mirrors of dependencies, container images, and security vulnerability databases.
Cross-Domain Data Movement. Intelligence systems often operate across multiple classification levels, requiring carefully controlled data movement between domains. DevSecOps pipelines must account for cross-domain transfer requirements, ensuring that artifacts, configurations, and deployment packages move through approved cross-domain solutions.
Accreditation and Compliance. Defense systems require Authority to Operate (ATO) through the Risk Management Framework (RMF). DevSecOps practices must integrate compliance scanning, vulnerability assessment, and documentation generation into automated pipelines so that security posture is continuously maintained rather than assessed as a one-time gate.
Container Security. Containerized deployments on Kubernetes and similar orchestration platforms introduce new attack surfaces. Base images must be hardened, continuously scanned, and sourced from trusted registries. Runtime security monitoring must detect and respond to anomalous container behavior in production.
Practical Implementation Approaches
Organizations succeeding with DevSecOps in defense environments share several common practices:
- Shift Security Left: Integrate static analysis, dependency scanning, and security unit tests into the developer workflow, catching vulnerabilities before code is committed
- Automate Compliance: Generate RMF documentation and STIG compliance reports as pipeline artifacts, reducing the manual burden of accreditation
- Infrastructure as Code: Define all infrastructure configurations in version-controlled code, ensuring environments are reproducible and auditable
- Continuous Monitoring: Deploy runtime security monitoring to detect threats in production, complementing pre-deployment scanning with operational security awareness
Building the Right Team
DevSecOps transformation requires people with both deep technical skills and an understanding of defense operational requirements. Engineers need to understand not just Kubernetes and CI/CD pipelines, but also RMF, STIGs, NIST 800-171, and the classification handling requirements that govern defense software systems.
At Zapata Technology, our software engineering and DevSecOps teams bring this dual expertise to every engagement. Our ISO 9001:2015 quality management system provides the documentation and continuous improvement structure that defense programs require.
Zapata Technology provides DevSecOps, software engineering, and cybersecurity services for classified defense environments. Contact us to discuss your DevSecOps transformation.
Frequently Asked Questions
Can DevSecOps run on classified networks?
Yes. DevSecOps pipelines can and do run on classified networks up to TS/SCI. However, implementation requires air-gapped CI/CD toolchains, locally hosted artifact repositories, and security scanning tools that operate without internet connectivity. Container registries, code repositories, and automation servers must all be deployed within the accredited boundary. Zapata Technology has direct experience building and operating DevSecOps pipelines in classified environments.
What is Continuous ATO and how does it relate to DevSecOps?
Continuous ATO (cATO) is an approach where systems maintain their Authority to Operate through ongoing automated security monitoring and compliance validation rather than periodic reassessments. DevSecOps enables cATO by embedding security controls directly into the CI/CD pipeline, automatically generating compliance artifacts, and continuously monitoring the system security posture. This allows faster software delivery while maintaining the rigorous security standards defense systems require.
What container platforms are approved for IL5?
For Impact Level 5 (IL5) workloads, approved container platforms include Red Hat OpenShift on DoD-accredited infrastructure, Kubernetes distributions deployed within FedRAMP High / IL5 authorized cloud environments (such as AWS GovCloud, Azure Government, and Google Cloud for Government), and Platform One Big Bang deployment on Iron Bank hardened containers. The specific platform choice depends on the program security requirements and hosting environment. Learn more about our approach at Software Engineering Services.