search menu icon-carat-right cmu-wordmark
2020 Year in Review

DevSecOps Speeds Artificial Intelligence and Machine Learning Capability

The threat landscape for the Department of Defense (DoD) is constantly changing, as are the capabilities of the United States’ adversaries. To keep pace and advance, the DoD must further modernize, automate, and secure its defense software engineering practices.

Hasan Yasar, SEI technical director, Continuous Deployment of Capability, and his team promote this effort, providing expertise for implementation of Development Security Operations (DevSecOps) in the DoD. Yasar works closely with Nicolas Chaillan, Air Force chief software officer and co-lead of the DoD Enterprise DevSecOps initiative. Applying this approach to harness the power of artificial intelligence (AI) and machine learning (ML) is a DoD priority. Air Force missions, in particular, sometimes depend on capturing and processing real-time data streams, a task well suited to AI/ML systems.

Traditional software projects involve writing, testing, and release of code into production. AI/ML projects present additional complexity. Among other challenges, they require collecting, ingesting, analyzing, and sanitizing data so that data scientists can train the model that will be used in the application production environment.

The industry currently holds heavy technical debt in AI/ML systems deployment, with a 75 percent failure rate. “While their model generation is working well, organizations are failing seriously in deploying to the production environment,” said Yasar. “We have been starting to see successful deployment of ML systems along with the elevation and validation of the model, such as running Kubernetes-based AI components on U2 Dragon Lady Aircraft. DevSecOps is helping to speed model deployment; increase accuracy; enable reusability, traceability, and continuous feedback; and eliminate technical debt.

DevSecOps is helping to speed model deployment; increase accuracy; enable reusability, traceability, and continuous feedback; and eliminate technical debt.

Hasan Yasar
Technical director, Continuous Deployment of Capability, SEI Software Solutions Division
Hasan Yasar  (BW)

DevSecOps is an iterative, incremental approach using Agile methods. It emphasizes collaboration, eliminates process constraints to enable continuous workflow and delivery, and involves powerful tools working in an automated pipeline. Security is built into the process.

The DevSecOps best practice of continuation technologies facilitates the AI/ ML lifecycle. Continuous automated testing, monitoring, and validation enable continuous integration of developers’ merged changes, automated release to production, and continuous automated deployment to the customer. The automated phases drastically reduce time to deployment, which is crucial to the DoD mission.

In 2020, the SEI contributed DevSecOps automation to multiple DoD AI/ML projects. In one of them, the SEI developed an AI/ML deployment pipeline in which DevSecOps significantly speeded data collection and generation as well as feedback collection from end users.

Another DoD priority alignment was between AI/ML system development and deployment methods and the DoD DevSecOps Enterprise framework. Yasar’s team documented and formalized those methods and advanced the framework in the Guide to Implementing DevSecOps for a System of Systems in Highly Regulated Environments, a comprehensive roadmap to effective DevSecOps implementation. The team improved the guidelines for continuous authorization—the process that continually monitors the system to ensure compliance with requirements—by making it more secure and DevSecOps friendly.

To help determine an organization’s fitness for adopting DevSecOps, Yasar’s team developed two assessment instruments, to be released in 2021: the DevSecOps Assessment and the self-assessment version, Software Assurance Guidance Evaluation (SAGE) Tool. The SEI is the first federally funded research and development center (FFRDC) to offer such an assessment, which aids in setting an organization’s expectations and detecting possible problems and impediments.

To learn more about DevSecOps, visit