ATARC Federal DevSecOps Landscape Survey

The Advanced Technology Academic Research Center (ATARC), in partnership with the U.S. Air Force, conducted a large scale survey on the current status, challenges, successes, and vision for the future in the Federal DevSecOps landscape. Here is a summary of this 2021 survey findings, including major challenges hindering the adoption of DevSecOps methodologies, as well as successes experienced by many agencies. Scroll down to download the detailed survey results in full. 

ATARC, in partnership with the U.S. Air Force, recently conducted a survey (underwritten by GitLab and Red Hat) of nearly 300 technical professionals in over 27 federal departments, government entities, and state and local governments. The survey uncovered a complex DevOps landscape in the public sector, with teams frequently hampered by the need to manage a multitude of disparate tools while operating under legacy development models. Technology leaders at both the federal and local level will need to take steps to simplify their development toolchains and embrace agile methodologies if they are to keep pace with changing mission requirements and better serve the needs of the public.

Survey Highlights:

Too Many Tools. Just 28% of survey respondents reported using five or fewer tools in their software development lifecycles and nearly 40are using a whopping 10 or more tools! This cacophony of tools results in a complex development process, with teams forced to spend a substantial amount of time on tool management instead of building and delivering the applications critical to their organizations’ success.

Internal Resistance to Change. Development teams are hampered by more than just a cumbersome process for writing and shipping code. Internal barriers to the adoption of development best practices play just as large a role, if not a larger one, in inhibiting improvements. To illustrate, survey respondents most often selected cultural resistance to change as the top barrier to IT modernization and digital transformation within their organizations. Organizational and IT leadership need to do more to pave the way for the introduction of not just the latest technologies but the latest methodologies as well.

The Enduring Presence of the Waterfall. Where development teams in the private sector have increasingly turned to Agile methodologies like Scrum and Kanban to build, test, and deploy software in smaller, more frequent releases, many of their colleagues in the public sector remain frozen in time. Less than a third of survey respondents reported using an Agile methodology like Scrum and Kanban for software development, with a quarter continuing to rely on some form of waterfall methodology.

A mere 11% of survey respondents reported deploying to production at least once a day, with 28% saying they pushed code to a production environment only once every few months. At a time when mission requirements are more demanding than ever before, many teams are failing to move faster. In fact, a majority of survey respondents did not report that they were releasing code faster today than they were six months ago, with nearly a third saying they didn’t even have a way to measure the pace of their releases over time.

The Challenge of ATO. Government entities typically require that applications meet stringent security requirements prior to being granted Authority to Operate (ATO). While there are good reasons for this, the result is further delay in getting applications into the hands of business users and the public. In fact, nearly half of survey respondents reported that it typically takes over four months for their organizations to grant an application ATO.

What Makes a Difference. Enterprising development teams in the public sector have found ways to securely build and deliver applications despite the challenges inherent in their work. These innovative teams have displayed a remarkable degree of homogeneity in highlighting the technologies and processes that have helped them succeed. To illustrate, when asked what changes were implemented in their organizations that led to increased speed in code release, fully 57 % of respondents pointed to an automated CI/CD pipeline and 57% cited establishing source code management. Other common responses included automated testing (39%) and toolchain integration (36%).