DevSecOps at Naval Surface Warfare Center, Philadelphia Division is connecting three different disciplines: development (Dev), security (Sec), and operations (Ops). According to the Defense Information Systems Agency (DISA), the DevSecOps mission is “to develop a Continuous Monitoring (CM) approach for all Department of Defense (DoD) mission partners that monitors and provides compliance enforcement of containerized applications which cover all the DevSecOps pillars (Develop, Build, Test, Release & Deploy, and Runtime) for a secure posture with the focus being on automation and integration going forward.”
And per the Naval Warfare Systems Command (NAVWAR), DevSecOps “is transforming how the Navy protects and manages access to data and applications across both the fleet and all mission areas.”
The newly signed Chief of Naval Operations (CNO)’s 2022 Navigation Plan states, “The world is entering a new age of warfare, one in which the integration of technology, concepts, partners, and systems—more than fleet size alone—will determine victory in conflict.”
“Being able to deliver software over the air at speed through a DevSecOps process is a key part to ensuring that our systems are up-to-date with the latest patches and capabilities throughout the world,” said Seth Burmaster, department head for NSWCPD’s Cybersecure HM&E Control Systems & Networks Department.
According to Michael Ryan, a controls systems engineer serving as the Hull, Mechanical and Electrical (HM&E) DevSecOps lead at NSWCPD, there are four pillars within the Cybersecurity Implementation Plan (NAVADMIN 183/15) for DevSecOps that will create a Navy cultural shift:
• Commercial Cloud: To embrace use of Cloud, taking advantage of Cloud agility and elasticity;
• Automation: The use of DevSecOps automation as part of the assess and incorporate process to help streamline Risk Management Framework (RMF) Authorization to Operate (ATOs);
• Shared Infrastructure: The use of secure shared infrastructure and shared software platforms; and
• Data Standardization: An abstraction and use of standardized digital strategy to enable data and component re-use.
Ryan has been engaged with developing existing pipelines, processes and platforms for the HM&E enclave proof-of-concept by remediating identified gaps and working with Original Equipment Manufacturers (OEMs) to update code in Programmable Logic Controllers (PLCs).
“The technical approach is to transition this technology from our labs to full-scale relevant environments, such as Land-Based Test and Engineering Sites, before deploying it to our surface fleet control systems,” he said.
Ryan pointed out the functional enclaves on ships, as well as different mission requirements, technical challenges, isolation, and communications requirements.
“Today’s software factories and afloat systems have capabilities and enterprise tool suites with an 80 percent common solution and 20 percent mission-specific requirements necessary for success,” Ryan said, continuing. “The overall vision is to create a cloud-based software pipeline to accelerate development, increase reuse, and improve quality. Ideally, create cloud-based and networked hardware test environments to automate and expand capabilities. We need to enable remote updates of software to land-based test environments and the fleet to enhance fleet readiness and sustainment. We continue the development as part of a Naval Information Warfare Systems – Naval Sea Systems Command (NAVWAR-NAVSEA) partnership until transition efforts occur.”
“Maturing of this capability is instrumental to realizing the vision for our systems,” Burmaster adds.
“The Chief of Naval Operations (CNO)’s 2022 Navigation Plan states that we will build future platforms with modernization in mind – the hardware upgradeable and software updateable at the speed of innovation.”
“In today’s current political landscape, we now face for the first time since WWII, multiple peer or near peer competitors. We can no longer rest on an idea that we alone have the most capable military in the world. The work that Mike is executing is a key piece to expanding our advantage to protect our platforms as well as we prepare our fleet for any future fight,” Burmaster said.
NSWCPD employs approximately 2,800 civilian engineers, scientists, technicians, and support personnel. The NSWCPD team does the research and development, test and evaluation, acquisition support, and in-service and logistics engineering for the non-nuclear machinery, ship machinery systems, and related equipment and material for Navy surface ships and submarines. NSWCPD is also the lead organization providing cybersecurity for all ship systems.