Using Scrum To Improve Cybersecurity In The Department of Defense
Software is ubiquitous. It is no longer just embedded in hardware, infrastructure, and other invaluable assets. Software has become a critical component that defines the effectiveness of just about everything.
The modern world effectively runs on software. That is a great thing so long as cybersecurity is maintained. But, as this report from the U.S. Department of Homeland Security points out, that is no easy task. New cyber threats are emerging, and the dark web has become ‘a grand cyber arms bazaar.’
Cybersecurity must continuously evolve, adapt, and be quickly deployed, to mitigate the risks. Failure to keep pace with the innovation of ‘bad actors’ turns the software we rely on into unguarded digital flanks ripe for exploitation and attack.
While this blog’s focus is on cybersecurity in the realm of national security and the U.S. Department of Defense (DoD), the threats are universal.
I’m willing to wager the lessons here apply as much to your industry and organization as they do to the primary audience.
Cybersecurity is National Security
A report by the Defense Innovation Board makes the stakes quite clear:
U.S. national security increasingly relies on software to execute missions, integrate and collaborate with allies, and manage the defense enterprise. The ability to develop, procure, assure, deploy, and continuously improve software is thus central to national defense.
Indeed, most of the five largest defense contractors in America are implementing Scrum and Scrum@Scale on projects to better handle changing requirements and to deliver value faster than ever before. Other DoD organizations are also adopting Scrum and Agile techniques. These moves, however, have left some wondering how these organizations can be sure they are not sacrificing cybersecurity as they move toward Agility, and how they can use Scrum to quickly develop high-value solutions that are also secure.
Let’s take a moment to address these concerns.
Debunking the Speed or Security Fallacy
Traditional development teams may address cybersecurity late in the development cycle. Each department works independently, which can cause a lack of integration and leave potential security issues unidentified in the early stages of development.
Cybersecurity is often only addressed once the product has been fully developed.
In an Agile environment, development teams have the opportunity to integrate security more fluidly and therefore catch problems earlier in the process, when they are less expensive and time-consuming to address. Some would argue that the fast-paced development of an Agile environment would hinder security, but the Agile mindset and Scrum best practices encourage including cybersecurity iteratively and incrementally.
Scrum Teams may also face challenges implementing cybersecurity in an Agile way because they have to comply with outdated processes and bureaucracy such as manual checklists used for every release or mandated standardization.
Scrum encourages the use of a Definition of Done to ensure quality and security standards are met.
Another common problem I’ve seen Scrum Teams face is access to and collaboration with stakeholders and subject matter experts, including cybersecurity specialists. By incorporating cybersecurity specialists onto the Scrum Team, potential security threats can be identified and addressed throughout the development process. Scrum encourages commitment and collaboration by having cross-functional teams work closely together.
In short, Scrum enables organizations not only to develop better products faster but also to ensure that cybersecurity is addressed in the most effective and lowest-cost way possible.
This is not just my experience or belief; the U.S. Government’s own case studies show this to be true.
Cybersecurity Case Studies
Earlier this year, the nonpartisan U.S. Government Accountability Office released its Agile Assessment Guide. This report includes several independent case studies that examine Agility and cybersecurity. I’d like to highlight two of these.
GAO Case Study 1: SPACE COMMAND AND CONTROL Comprehensive Planning and Oversight Could Help DOD Acquire Critical Capabilities and Address Challenges
In the Space Command & Control case study, the GAO analyzed cybersecurity measures in early development. Software development industry-leading practices encourage programs to develop robust cybersecurity measures early in program development. In addition, the Space C2 program stated that it is implementing DevSecOps practices to address cybersecurity concerns in the program’s design.
Cybersecurity is at the forefront of world news and particularly important to organizations like Space Command & Control. Moving from traditional waterfall development methods for cybersecurity solutions to building Agility into cyber practices can strengthen an organization’s defenses against cyberattacks.
GAO Case Study 2: DOD SPACE ACQUISITIONS Including Users Early and Often in Software Development Could Benefit Programs
The Air Force’s Next Generation Operational Control System (OCX) program is designed to replace the current ground control system for legacy and new GPS satellites. OCX software is being developed in a series of blocks: Block 0 provides the launch and checkout system and supports initial testing of GPS III satellites and cybersecurity advancements. Blocks 1 and 2 are planned to provide command and control for previous generations of satellites and GPS III satellites as well as monitoring and control for current and modernized signals.
The purpose of information assurance (IA, also referred to as cybersecurity) is to ensure that DOD systems can resist and continue to operate during cyber-attacks by managing risks and implementing safeguards. Officials with the contractor on this project described cybersecurity threats as continuously evolving, and said that both they and the Air Force have had to adapt over time their interpretation of how to meet IA requirements on OCX development to address changing threats.
Given the importance of GPS to the military and civil communities and with the increase in cybersecurity threats, the Air Force did not waive any IA requirements for OCX. Consequently, the contractor found that it had greatly underestimated the cost and time to meet these requirements. According to program officials, most of the requirements issues were resolved in early 2015.
One lesson that can be inferred from this is that leaders should align their organizations on cybersecurity goals and standards early, and ensure Agile teams incorporate these cybersecurity standards in their team’s Definition of Done. Teams can consider when and how to conduct cybersecurity practices like code reviews, vulnerability assessments, and penetration testing earlier in the process. DoD contractors should encourage cybersecurity personnel to collaborate with development teams to ensure work is done securely.
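As an added illustration of the Definition of Done point above (it is not code from the original post, the GAO, or any DoD program), the following script turns a security Definition of Done into an automated gate. It takes the evidence a Sprint produces (a code-review record, static-analysis and dependency-scan findings, and test results), checks it against a policy (at least one approval from a security specialist, no unaccepted finding above an agreed severity, all tests passing), and reports exactly which criteria block the increment from being "Done". The JSON evidence shape and the sample increments are constructed for this example and do not correspond to any real scanner's output format.

```python
"""Definition of Done security gate (added example; constructed data and schema)."""
import json
from dataclasses import dataclass, field

# Ordered severities; a finding is compared against the policy's allowed maximum.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class DoDPolicy:
    """Security criteria a team agrees to in its Definition of Done (assumed values)."""
    max_severity_allowed: str = "medium"   # findings above this block "Done"
    required_reviewers: int = 1            # minimum number of review approvals
    require_security_reviewer: bool = True  # a cybersecurity specialist must approve
    min_test_pass_rate: float = 1.0        # fraction of tests that must pass


@dataclass
class GateResult:
    passed: bool
    failures: list = field(default_factory=list)


def load_evidence(json_text: str) -> dict:
    """Parse the (assumed) evidence document produced during the Sprint."""
    return json.loads(json_text)


def evaluate_increment(evidence: dict, policy: DoDPolicy) -> GateResult:
    """Return every Definition of Done criterion the increment fails to meet."""
    failures = []
    threshold = SEVERITY_RANK[policy.max_severity_allowed]

    # 1. Code review: enough approvals, including one from a security specialist.
    approvals = evidence.get("code_review", {}).get("approvals", [])
    if len(approvals) < policy.required_reviewers:
        failures.append(f"code review: {len(approvals)} approval(s), "
                        f"{policy.required_reviewers} required")
    if policy.require_security_reviewer and not any(
            a.get("role") == "security" for a in approvals):
        failures.append("code review: no security specialist approved the change")

    # 2. Static analysis and dependency scan: nothing above the threshold may be
    #    open. A finding may only pass if a named owner has formally accepted it.
    for source in ("sast_findings", "dependency_findings"):
        for finding in evidence.get(source, []):
            rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)
            if rank > threshold and not finding.get("risk_accepted_by"):
                failures.append(f"{source}: {finding['id']} is {finding['severity']} "
                                f"(limit {policy.max_severity_allowed})")

    # 3. Tests: the increment must meet the agreed pass rate.
    tests = evidence.get("tests", {})
    total, passed = tests.get("total", 0), tests.get("passed", 0)
    rate = passed / total if total else 0.0
    if rate < policy.min_test_pass_rate:
        failures.append(f"tests: {passed}/{total} passed "
                        f"(pass rate {rate:.2%} below {policy.min_test_pass_rate:.0%})")

    return GateResult(passed=not failures, failures=failures)


# Constructed sample evidence for two increments (not real program data).
SAMPLE_PASSING = """{
  "code_review": {"approvals": [{"name": "dev-b", "role": "developer"},
                                {"name": "sec-c", "role": "security"}]},
  "sast_findings": [{"id": "SAST-002", "severity": "low"}],
  "dependency_findings": [],
  "tests": {"total": 120, "passed": 120}
}"""

SAMPLE_FAILING = """{
  "code_review": {"approvals": [{"name": "dev-b", "role": "developer"}]},
  "sast_findings": [{"id": "SAST-001", "severity": "high"}],
  "dependency_findings": [{"id": "DEP-007", "severity": "critical",
                           "risk_accepted_by": "ticket SEC-42 (placeholder)"}],
  "tests": {"total": 120, "passed": 118}
}"""


if __name__ == "__main__":
    for label, doc in (("passing", SAMPLE_PASSING), ("failing", SAMPLE_FAILING)):
        result = evaluate_increment(load_evidence(doc), DoDPolicy())
        print(f"{label}: {'DONE' if result.passed else 'NOT DONE'}")
        for reason in result.failures:
            print("  -", reason)
```

Running the script shows the second increment blocked for three reasons (no security reviewer, an open high-severity static-analysis finding, and two failing tests), while the accepted critical dependency finding is reported nowhere because it carries a recorded risk acceptance. Wiring a gate like this into the team's build pipeline is what makes the Definition of Done enforceable rather than a manual checklist consulted at release time.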
Conclusion and CMMC
Organizations in the DoD moving toward incorporating cybersecurity practices into their Scrum Teams can start small and adopt the principles of Agile security incrementally and iteratively, just as they would for any other Agile development effort. Although much of the focus in development is on functional needs, Scrum Teams should also include non-functional requirements, such as security and privacy, early and throughout the development effort.
Teams overlooking non-functional requirements may develop a system that does not comply with current federal standards, such as the recently implemented Cybersecurity Maturity Model Certification (CMMC), which seeks to measure defense contractors’ capabilities, readiness, and sophistication in the area of cybersecurity.
Whether you work for an organization in the DoD or a contractor, experience and data show Agile teams are more responsive. Scrum’s use of quick feedback cycles, inspection and adaptation, and cross-functional teams reduces risk by allowing cybersecurity to be fully integrated into a product rather than added on once production is nearing completion.
Like Agility itself, cybersecurity is a journey, not an end state. Your teams must be at least as responsive, innovative, and able to deliver value as quickly as your adversaries if you want to succeed.