Innovation in Government: DevSecOps Edition

Original broadcast 8/20/25

 

Presented by Carahsoft

The latest episode of Innovation in Government from the Carahsoft DevSecOps Conference brings together leaders from government and industry to share how they are driving cultural change, accelerating secure software delivery, and modernizing processes to meet mission needs. These conversations explore advances in automation, agile development, AI integration, and collaboration—revealing practical solutions and lessons learned that are shaping the future of DevSecOps in the public sector.


Pushing Secure, Fast, and Mission-Focused Adoption of DevSecOps

Rich Savage, Sales Director at Carahsoft, shares his view from working with government customers, OEMs, and system integrators to advance DevOps and DevSecOps adoption. He describes a community that has “seen what’s possible” and is building on lessons learned to accelerate software adoption, with AI fueling automation and speed. Savage emphasizes the need for security to run in parallel with development, integrating into the lifecycle rather than acting as a brake, while also recognizing the government’s narrower tolerance for failure compared to the private sector. The future, he says, will be shaped by agile adaptability, guided by mission needs and cultural alignment across stakeholders.

Key Takeaways

  • AI is driving innovation and speed, but security must be fully integrated into development.

  • Government’s risk tolerance is lower than industry’s, making secure-by-design essential.

  • Agile practices and culture are critical to sustaining DevSecOps momentum.


Driving Operational Relevance Through Feedback Loops and Continuous ATO

George Lamb, Director of Cloud and Software Modernization in the Office of the CIO at the Department of Defense, explains the importance of bridging the gap between development and operations in DevSecOps. He outlines how pushing operational testing earlier in the cycle and building robust feedback loops between users and developers speeds delivery and improves relevance. Lamb highlights examples like the Army’s recent Continuous ATO pathfinders as proof that change is possible, and stresses the cultural shift needed to accept incremental solutions that improve security and delivery speed across the Department.

Key Takeaways

  • Embedding operational testing early ensures production-ready solutions on release.

  • Continuous feedback from users accelerates feature improvement and adoption.

  • Accepting “good enough” incremental gains builds momentum for cultural change.


Focusing Collaboration on Mission Outcomes

Matthew Graviss, Public Sector CTO at Atlassian, draws on his leadership experience as the former Chief Data and AI Officer at the State Department to show how collaboration—both human and technological—is critical in a DevSecOps environment. He explains the value of leadership attention in signaling priorities, early engagement of all stakeholders, and building systems that support teamwork. Graviss stresses starting with mission and business challenges before offering technology solutions, and fostering partnerships that span privacy, ethics, cybersecurity, legal, and operations from the outset.

Key Takeaways

  • Leadership endorsement is vital to drive modernization priorities and engagement.

  • Early, inclusive stakeholder involvement prevents late-stage security and policy blockers.

  • Technology collaboration platforms should be tied directly to mission and business needs.


Scaling Secure Testing for Continuous Deployment

Katie Bowen, Senior Vice President of Global Revenue at Synack, discusses how government organizations can use automation to reach the goal of continuous deployment. She explains that integrating security testing into the development lifecycle removes bottlenecks—particularly for penetration testing—by making it on-demand and always-on. Bowen points to advances in CI/CD integration, multiple security “paths to production” based on application risk, and the coming impact of AI copilots on software security, noting the need to anticipate and mitigate new vulnerabilities they may introduce.

Key Takeaways

  • Removing humans from routine steps accelerates secure software delivery.

  • On-demand, automated penetration testing reduces deployment delays.

  • AI-assisted development will require stronger pre- and post-production testing.


Transforming Acquisition and Development with Operation Stormbreaker

Dave Raley, Digital Program Manager for Marine Corps Community Services, details “Operation Stormbreaker,” built to overcome the bottlenecks of waterfall development and legacy compliance processes. The program delivers containerized workloads in minutes rather than months, providing end-to-end Platform-as-a-Service capabilities—including security and zero trust—for other DoD mission owners. Raley advocates for agile acquisition models like sprint-based contracting, enabling faster, more flexible delivery while generating revenue that supports Marine quality-of-life programs.

Key Takeaways

  • Replacing waterfall with agile reduces delivery timelines from years to minutes.

  • Providing a certified, end-to-end platform enables mission owners to focus on capability, not infrastructure.

  • Sprint-based contracting aligns deliverables with speed, flexibility, and accountability.


Integrating Industry Best Practices into Government DevSecOps

Jay Ryan, Federal Program Manager at Security Compass, identifies common roadblocks to government DevSecOps adoption, including rigid interpretations of NIST RMF and cultural challenges. He notes progress in Pentagon leadership alignment, empowering decision-making at lower levels, and fostering a culture that values people, process, and technology equally. Ryan also points to AI, distributed systems, and advanced networking as the next frontier, emphasizing secure adoption to empower both warfighters and civilian missions.

Key Takeaways

  • Flexibility in applying NIST RMF can remove major adoption barriers.

  • Leadership alignment and cultural change are key to sustainable transformation.

  • AI and emerging tech will drive future capability—if securely integrated.


Automating Security, Quality, and Delivery in the Air Force Research Laboratory

Patrick Lorigan, Technical Director at the Air Force Research Laboratory, explains how full automation of the DevSecOps pipeline—from security scans to functional tests—has cut processes from months to minutes while improving security and quality. He underscores the need to balance rapid deployment capabilities with operational user expectations for stability, and highlights ongoing platform maintenance, tooling upgrades, and close user engagement as central to long-term success.

Key Takeaways

  • Automated pipelines enable faster delivery with improved security and quality.

  • Operational users may prefer controlled release schedules despite rapid capabilities.

  • Continuous maintenance and user engagement are critical for sustainable adoption.


Overcoming Cultural and Contracting Barriers to Speed and Security

Matt Conner, Chief Information Security Officer at Second Front Systems, argues that technology is not the main challenge to DevSecOps adoption—culture and contracting are. He calls for broader use of existing flexible acquisition mechanisms, upskilling security personnel for cloud-native environments, and providing continuous insight into risk posture. Conner stresses that leadership tone, small bets that deliver quick wins, and an outcome-focused mindset are essential to transforming delivery speed without compromising security.

Key Takeaways

  • Cultural and contracting practices, not technology, are the biggest barriers.

  • Flexible acquisition vehicles exist but are underutilized.

  • Continuous operational risk insight is vital for secure, agile delivery.
