DevSecOps Landscape Facing Hurdles in Federal Space, Survey Says

In partnership with the U.S. Air Force, ATARC recently conducted a study of the Federal DevSecOps landscape, to better understand its current status, challenges, successes, and future.

The survey was conducted of nearly 300 technical professionals in over 27 Federal departments, government entities, and state and local governments. It found various impediments to the DevSecOps landscape that can lead to challenges in keeping pace with mission requirements. Among those impediments include:

• There are too many DevSecOps tools being used with nearly 40 percent of those surveyed using 10 or more tools and just 28 percent using five or fewer tools;
• There’s an internal resistance to change and adoption with those surveyed most often saying that the top barrier to IT modernization and digital transformation is a cultural resistance to change;
• A lack of agile development and many still relying on “waterfall methodology” with only 11 percent of respondents saying their organizations deploy to production at least once a day, and 28 percent of respondents saying they push code to production environment only once every few months;
• and Authority to Operate requirements prolonging processes.

“The survey uncovered a complex DevOps landscape in the public sector, with teams frequently hampered by the need to manage a multitude of disparate tools while operating under legacy development models,” the survey said. “Technology leaders at both the Federal and local level will need to take steps to simplify their development toolchains and embrace agile methodologies if they are to keep pace with changing mission requirements and better serve the needs of the public.”

The survey does highlight teams that are able to overcome development challenges in the public sector. To increase code release in their respective organizations, 57 percent of respondents cited an automated CI/CD pipeline and 57 percent cited establishing source code management. Additionally, other responses included automated testing (39 percent), and toolchain integration (36 percent).