The JAIC Pushes the Envelope with DevSecOps through the Joint Common Foundation

The principles of Development, Security, and Operations are not new, but the Joint Common Foundation will be utilizing them in leading-edge, transformative ways. “We will be pushing the state of the art,” said Tom Morton, Deputy Director for the JCF within the Joint Artificial Intelligence Center. “What the JCF is trying to do is democratize the whole process of DevSecOps for Artificial Intelligence/Machine Learning and make it easier to secure and rapidly authorize AI/ML capabilities.”

The effort to integrate DevSecOps into the process of developing AI/ML capabilities will shift into high gear as the JCF team kicks off its partnership with Platform One. “Platform One will provide us an infrastructure-neutral tech-stack that will enable our users to develop and deploy containerized applications and services,” Morton said.

Platform One, which is operated by the U.S. Air Force, has already been deployed with multiple security fabrics. The JCF’s relationship with Platform One will ensure that capabilities that are unique to AI/ML and provided by the JCF will be fully supported on multiple clouds.

“Our goal is to provide JCF users with the ability to utilize ‘native cloud services offerings,’ as well as Platform One, and provide access to the tools and data needed to train their models and develop AI applications and services,” said Morton.

Until now, DevSecOps has been used mostly to develop applications. “What hasn’t been done is to create general DevSecOps automation capabilities for the dataset work and the model work,” Morton said. “That’s where greater automation is needed, and that’s one of the key value-adds that we’re going to bring to the table.”

Critical to the effort is the “security” component of the DevSecOps concept. Historically, security has been bolted on, with the security team working independently from both the developers and the operators of an application late in the development lifecycle. Instead, Morton explained, security will now be “baked into” the process and will be included in “every phase of the development lifecycle.”

This intense focus on security begins with the environment itself and the ways in which the JCF’s processes, standards, tools, and automation have been and continue to be developed and operated. The JCF will utilize Department of Defense-approved cloud services, as well as commercial and open source software that have been properly reviewed, assessed, and hardened as part of its continuous integration/continuous delivery pipeline.

Security also applies to data. “It’s about integrity and the provenance of the data,” Morton said. “We want to make sure that we’re providing good data, and we will develop and utilize data pipelines that are secure and ensure that we are able to maintain the integrity of the data and securely provide it to the consumers of the data—the AI/ML developers.”

Adopting DevSecOps principles and implementing automated pipelines is key to accelerating the development and adoption of AI capabilities. Because automation extends from data onboarding and ingest all the way to capability authorization, small incremental changes are relatively inexpensive. For example, model accuracy can be continuously improved, verified, validated, and deployed with higher frequency. “As the performance of the AI improves, end user trust in the AI will go up and subsequent use (adoption) increases,” Morton noted.

One way that the JCF will drive more automation and flexibility is by utilizing what’s popularly known as Docker Containers. Containers are standalone, executable packages of code that include every dependency needed to run an application, including runtime, system tools, system libraries, and settings. As such, containers are so standard, small, reusable, and distributable that they can run in almost any environment, including any cloud.

Historically, DevSecOps grew out of the need to develop, deploy, and maintain applications that ran on a virtual machine with a heavy stack of software (e.g. operating system, middleware, and application code) that was brittle, difficult, and expensive to operate and maintain. “Containers allows us to rethink how we develop and operate software,” Morton said.

The JCF wants to promote an approach that breaks a capability into the smallest denominator of functionality, referred to as a microservice. “We’d like to see people breaking their applications into smaller pieces or containers; containers (or data for that matter) can then be exposed as a microservice,” said Morton. “We can now understand the capability as being the set of microservices it uses, not as the monolithic pile of decaying spaghetti code running on a bunch of impossible-to-maintain virtual machines.”

Morton adds: “Since we can control access at the microservice level, the capability becomes more secure. They are also easier to maintain; if there’s a bug, it’s generally in one container, allowing you to isolate and localize the change and have greater confidence that you didn’t create unintended consequences.”

Ultimately, the JCF’s decision to use DevSecOps will allow models and applications to evolve and improve over time as changes on the ground dictate. This ability to progress and change easily is critical because the expected use of AI is expanding across the DoD.

Take Machine Learning, for example. It is a discipline within AI that identifies patterns in data, whether that data is video, images, audio, documents, or numbers. Right now, it is the primary type of AI capability that the JCF is focused on because that’s what its Mission Initiative partners currently need.

However, if a new type of ML methodology were developed or corresponding model training techniques were altered or consolidated, JCF developers could easily change the workflow, change the tools used, or change their technique to keep pace.

“It’s designed to be very, very flexible,” said Morton. “And that combined with the security, the automation, and the ease of use are key value-adds that the JCF will be bringing to the table.”