SEI Study on Defense Department DevSecOps Finds Excellence and Opportunities

May 12, 2025—DevSecOps practices foster collaboration among software development, security, and operations teams to build, test, and release software quickly and reliably. A high-stakes, high-security environment has challenged the implementation of these practices within the Department of Defense (DoD). A study conducted by the Software Engineering Institute (SEI), released last week by the DoD Chief Information Officer (CIO), baselines the state of DoD DevSecOps, highlights successes, and offers insights for next steps.
The report The State of DevSecOps within the Department of Defense cites the Defense Innovation Board (DIB) 2019 Software Acquisition and Practices study and the Software Acquisition Pathway (SWP), issued as DoD Instruction 5000.87 in 2020, as triggers for the DoD’s push to modernize its software development and acquisition practices. In response, the DoD has invested in DevSecOps recruiting and training, created relevant work roles, and integrated security into its software development lifecycle, according to the report.
Though the DoD has been making progress, challenges remain, and the threat landscape continues to change. “The state of DevSecOps within DoD is evolving rapidly as we recognize its critical importance to our mission readiness and security posture,” says the report.
Last summer, the DoD CIO tasked the SEI with baselining the state of DevSecOps adoption within the Defense Department and gaining insight to enable future planning. For decades, the SEI has led research in the empirical measurement and analysis of software engineering, including in the high-stakes national security domain. This body of work includes identifying and determining key metrics and applying them to software pipelines and organizations. Such expertise, plus research and extensive experience in acquisition innovation and continuous deployment of capability, led SEI researchers to contribute to both the foundational DIB study on software acquisition and the resulting SWP instruction.
As part of the study, SEI researchers met with more than 75 leaders from 19 DoD software development and test organizations, analyzed data from DoD and military department-level activities, and engaged with practitioners in multiple DoD DevSecOps and community forums. “It was important to identify opportunities to optimize investment, processes, and policies that enable the DoD to scale up successful practices,” said Eileen Wrubel, technical director of software acquisition policy and practice at the SEI’s Software Solutions Division (SSD). “This will help ensure that software factories are sufficiently staffed and resourced to scale for innovation and consistently and effectively deliver mission value.”
Wrubel and her colleagues worked with the DoD CIO’s office to establish a quantitative baseline of DevSecOps transformation, augmented by qualitative insights. They organized the study around the department’s portfolio management, policy and guidance, and workforce and culture.
The study found that the DoD has made substantial progress with DevSecOps amid rapid changes: “A combination of significant strategic initiatives and smaller, fast-moving efforts continue to demonstrate successful DevSecOps implementations and point the way forward for the DoD.” At the time of the study, 78 acquisition programs had adopted the SWP. This number will likely increase in the wake of the March 2025 memo directing all DoD components to adopt the SWP as the preferred pathway for software development components of business and weapon systems.
The study found that pockets of the DoD have had significant success with DevSecOps practices, enhancing deployment speed, security, and operational efficiency. To move forward, the DoD needs to implement those successes at scale. Major themes include the following:
- DevSecOps achieves success amid rapid change.
- Software factories are our digital arsenal and the catalyst to enabling software modernization.
- DevSecOps enables continuous Authority to Operate.
- Policy and guidance based on successful grassroots efforts have enabled change.
- Success rests on forging a mission-ready DevSecOps workforce and strong leadership committed to driving to creative solutions.
- The path forward relies on data and effective measurement.
The report provides DoD leaders at all levels goal-oriented guidance for collecting DevSecOps program data and linking it to mission outcomes. Applied more broadly, this method can provide continuous insight into progress toward strategic objectives.
Maintaining the nation’s strategic advantage over fast-moving adversaries requires security, efficiency, and speed. Because DevSecOps enhances these qualities in software development and acquisition, the DoD views DevSecOps as critical to mission success, according to the report. “DevSecOps enables DoD to continue to deliver advanced warfighting capabilities, such as Project Overmatch, the F-16, the F-35, and a broad range of other key weapons systems.”
Wrubel said that in today’s rapidly changing environment, it is critical to get the right capabilities to warfighters at the right place and time. “This study provides an important baseline, as well as data collection recommendations, to enable decision making at all levels,” Wrubel said. “Research like this ensures that the DoD's software ecosystem is effective, scalable, and adaptable enough to meet the challenges of today and tomorrow.”
Join Wrubel, SEI researcher Brigid Petrie O’Hearn, and George Lamb, the DoD’s Director of Cloud and Software Modernization, for the free webcast The State of DevSecOps in the DoD: Where We Are, and What’s Next on Monday, May 19, from 1:30-2:30 p.m. EDT. They will discuss key results of the study and how they will help the DoD ensure that its software ecosystem is effective, scalable, and adaptable to meet the challenges of today and tomorrow. Register to attend.
Read a brochure about the study in the SEI Digital Library, or download the complete report at https://dodcio.defense.gov/Portals/0/Documents/Library/DevSecOpsStateOf.pdf. Learn more about the SEI’s work in empirical measurement and analysis of software engineering, acquisition innovation, and continuous deployment of capability on our website.