As the cybersecurity landscape changes and threats evolve, the Department of Defense (DoD) has updated its Enterprise DevSecOps Fundamentals to align development practices with security imperatives further. This is part of a long-term effort by the DoD to improve how software is developed, deployed, and managed across its network, including its business systems, weapons systems, embedded software, and essential command, control, and combat support systems.
We're specifically interested in the emphasis on securing the software supply chain where NIST SP 800-204D is referenced. This focus reflects the urgency of the DoD to prioritize the security of software supply chains within Software Factories.
In this blog, we explore some of the key themes within the update, how they relate to secure software supply chains, and how Sonatype aligns with the mission needs.
Software Factories and The Software Supply Chain
In its Enterprise DevSecOps Fundamentals guidance, the DoD uses the term "Software Factory" to define a "collection of people, tools, and processes that enables teams to continuously deliver value by deploying software to meet the needs of a specific community of end users. It leverages automation to replace manual processes." These groups are associated with specific software supply chains and are responsible for providing a repeatable approach to development with the goal of improving efficiency and quality.
The DoD goes into further detail on the software capabilities of a Software Factory, which are "Infrastructure, Digital Platform, and Applications." The Digital Platform segment is most relevant for this topic, as this is where CI/CD pipelines, dev environments, repositories, and continuous monitoring operations live in the Software Factory. Some recommendations to take note of here include emphasis on automation of the SDLC, standardization across practices, processes, tools, and incorporating security and compliance checks/gates throughout development and deployment.
SBOM transparency and full dependency visibility
Automated security and compliance testing are crucial in the DoD's approach. Frequent and automated tests ensure compliance and security are maintained as new code is integrated.
With automated policy enforcement, teams can catch issues early, flagging non-compliance and vulnerabilities before they move through the pipeline. The DoD's update places a greater emphasis on software bills of materials (SBOMs), which provide transparency into software components and dependencies. This is essential for identifying and managing risks, particularly in open source components. Continuous monitoring is key to maintaining a secure DevSecOps ecosystem. The DoD's guidance stresses real-time visibility to address vulnerabilities and compliance issues before they become production risks, which allows teams to monitor for new threats or misconfigurations as they emerge.
Security as part of the development culture
The guidance underscores a culture shift where security is integral to every stage of development, aligning with the Secure by Design principle. A security-focused development culture with minimal friction means embedding best practices into the coding process through automated checks and easy-to-interpret insights. The DoD promotes collaboration across development, security, and operations teams to minimize friction and foster shared accountability for security.
Of equal importance is embedding security from the start of the development pipeline. At Sonatype, we are aligned with these principles, making security seamless, automated, and integrated across every stage of development. Developers can focus on innovation and be confident that they are building resilient, secure software in compliance with the latest standards.
This guidance applies to the DoD and the software and is intended to promote strong DevSecOps practices within the organization. It's also reflective of the high priority being placed on the stability and resiliency of software supply chains. Open source components make up as much as 90% of today's software applications, and legislation could be a motivating factor in incentivizing organizations to take a more proactive approach to security.
Enhancing DoD DevSecOps with the Sonatype platform
Meeting the requirements of the DoD DevSecOps framework calls for secure, automated, and adaptable "software factories" capable of producing resilient applications while meeting high standards for security and compliance. Sonatype Nexus Repository, Sonatype Repository Firewall, Sonatype Lifecycle — support this framework, enabling fast, secure software production by managing open source software components at every stage of the software supply chain.
- Sonatype Nexus Repository: As a central artifact storage hub, Sonatype Nexus Repository supports artifact management across development and operational stages, enhancing reliability and enabling teams to share components across DevSecOps pipelines efficiently. This robust repository infrastructure aligns with DoD's focus on consistent and secure artifact management, a key requirement for uninterrupted deployment and operational resilience.
- Sonatype Repository Firewall: Enhances compliance by preventing vulnerable/malicious open source components from entering the DevSecOps pipeline. While this type of capability is not explicitly called out, this proactive gatekeeping function ensures all incoming code components align with compliance requirements, minimizing potential attack vectors at the source. Repository Firewall uses automated policy enforcement to enforce these security controls at the ingress of new component requests. With a hardened perimeter, DoD development teams gain the freedom to innovate without compromising on security, supporting the Department's zero-trust objectives.
- Sonatype Lifecycle: The DoD emphasizes secure coding practices that integrate seamlessly into DevSecOps pipelines. Sonatype Lifecycle automates scanning and identification of vulnerable open source components, providing instant alerts on known security risks. Through automated policy enforcement, this capability meets the DoD's strict guidelines for rapid threat detection and remediation while also ensuring all components meet organizational security standards before and during deployment. Sonatype Lifecycle also enables SBOM generation at each stage of development and allows for exportation in accepted formats (CycloneDX and SPDX). Additionally, SBOMs are continuously monitored at each stage within the SDLC, which enables rapid response to new risks if discovered.
By integrating the Sonatype platform, DoD teams can accelerate development, reinforce security, and ensure compliance from source through deployment. As Sonatype tools align with the DoD's DevSecOps goals, they support a fortified software factory environment that meets both operational agility and high-security requirements.
This alignment between Sonatype's products and DoD's DevSecOps framework strengthens national cybersecurity and empowers developers to build and deploy secure software faster. This is not an endorsement by the DoD of our capabilities, but rather our take on how we can help meet the mission in the scenarios laid out above.
To learn more about how Sonatype can help your organization, connect with one of our technical experts today.
