Integrating Industry Best Practices into Government DevSecOps

Original broadcast 8/20/25


Presented by Security Compass & Carahsoft

Jay Ryan, Federal Program Manager at Security Compass, has spent years working at the intersection of government missions and secure software development. In his view, the momentum building in the DevSecOps community today is the result of both bold leadership decisions and a willingness to confront some of the most persistent roadblocks to adoption. From outdated processes to cultural barriers, Ryan believes progress comes when government and industry collaborate deeply—and when both sides are willing to adapt.

One of the most common roadblocks Ryan sees is a rigid interpretation of the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF, defined in NIST SP 800-37). The RMF was designed to be flexible: it expects agencies to tailor controls to each system's risk and environment and it supports ongoing authorization rather than a one-time sign-off. In practice, however, it is often treated as a fixed checklist. That rigidity slows development and undermines the agility DevSecOps is meant to provide. Ryan points out that the RMF was never intended as a procedural obstacle; its purpose was to guide agencies toward building secure, resilient systems in a way that matches their operational realities.

Recent conversations in the community, sparked by leaders like Katie Arrington, have challenged this status quo. Proposals to “blow up” outdated acquisition and authorization processes are creating space for new thinking. Ryan sees this as a chance to take a deeper look at how the RMF is applied and to bring in industry best practices that can streamline compliance while maintaining security.

The government's openness to soliciting ideas from industry is a positive development. Ryan observes that DevSecOps has matured as a community over the past three years, with industry practitioners bringing strong, practical approaches to complex problems. These practitioners work "in the trenches" every day, encountering roadblocks firsthand and often devising novel solutions to bypass them. By listening to these perspectives, government leaders can identify efficiencies that have already been proven in commercial and hybrid environments.

Ryan emphasizes that the current Pentagon leadership is doing more than setting policy—they are aligning incentives from the top down to ensure adoption. In the past, policies often lacked the technical guidance or delegated authority needed to make them actionable at the working level. Now, leadership is empowering decision-makers deeper in the organization to take action, fostering faster adoption and greater innovation. This empowerment is key to translating high-level intent into tangible results on the ground.

Cultural alignment is also central to DevSecOps success. Ryan notes that “culture is king” in technology development. Great people respond to great culture, and in the DevSecOps context, culture is about more than just camaraderie—it’s about integrating people, processes, and technology in a way that encourages continuous improvement. In government, where mission stakes are high and tolerance for failure is low, building a culture of trust and collaboration is essential for enabling innovation without compromising security.

Looking to the future, Ryan sees artificial intelligence as the next transformative force in DevSecOps. AI has the potential to automate repetitive tasks, accelerate decision-making, and analyze massive datasets in real time. But it also brings new security challenges. As agencies begin deploying AI technologies, they will need to ensure that these systems are secure from the ground up—an extension of the “security by design” principle that underpins DevSecOps.

Ryan also points to distributed systems and advanced networking as emerging areas where DevSecOps practices will be critical. As systems become more complex and interconnected, the ability to develop, test, secure, and deploy at speed will be vital. The same principles that drive agile, secure software development today will need to be applied to new architectures, ensuring that mission systems remain both effective and trustworthy.

The ultimate goal, Ryan says, is to empower both warfighters and civilian mission owners with technology they can trust. In defense contexts, this means enabling operators to act with speed and confidence, knowing that their systems will perform as intended. In the civilian sector, it means delivering public services that are secure, reliable, and responsive to changing needs.

Ryan’s optimism comes from seeing genuine alignment between government and industry. The current environment is one where leadership is pushing for change, industry is bringing forward tested solutions, and cultural awareness is growing. While challenges remain—especially in translating policy shifts into widespread operational changes—he believes the foundation is stronger than ever.

For Ryan, the evolution of DevSecOps in government will be shaped by a willingness to adapt frameworks like NIST RMF to be more agile, a continued openness to industry expertise, and a proactive approach to integrating emerging technologies securely. It’s a future where collaboration is the default, speed is balanced with security, and culture drives the continuous improvement needed to meet mission demands.

Key Takeaways

  • Flexible application of NIST RMF can reduce roadblocks and accelerate secure delivery.

  • Leadership alignment and empowerment at all levels are driving adoption across the Pentagon.

  • AI, distributed systems, and advanced networking will require secure-by-design approaches in future DevSecOps practices.
