small-medium-large as units for assigning story points. Over time, as the teams accumulate performance data, this iterative and incremental4 process improves accuracy in allocating points. Point values are culture often run counter to those in the long-established defense acquisition enterprise. The Agile model represents a change in the way DoD conducts business, and programs must rethink how they are staffed funding models that support an acquisition are structured to support Agile. To succeed, the Agile model depends on strong commitments at all levels of the acquisition process. First, Agile requires dedicated

decisions under uncertainty, and then have the courage to face the consequences. In the plan-driven model, quality was easier to understand.  We specified what the system should do, and then measured quality that, either.  We are constantly making quality decisions, especially in a Continuous Delivery model, as we decide whether the quality of each individual feature is adequate for the feature to be deployed that we have not yet learned to take advantage of, caught up as we are in the contractor-control model of IT. Shadow IT is what happens when the IT organization is unable to meet the needs of a part of

typically structured as:1. Standardized Model – where routine and systems govern everything; including strict compliance with budget and schedule 2. Experimental Model – every day every exercise and new piece known vulnerabilities and consolidate multiple versions of the same library iii. 2014 Verizon PCI Data Breach Investigation Report – studies over 85K cardholder breaches. 10 vulnerabilities accounted environments with infrastructure-as-code and auto- scaling. Must create alternatives methods of providing the data to show auditors controls are in place and operating. 1. Work closely to identify the evidence needed

A model tries to represent reality Framework is a way of looking at reality Not a modelCategorization Frameworks Categorization Frameworks - the framework proceeds the data • Put the data in change Sense-making Frameworks Sense-making framework - the data proceeds the framework • Capture the data • Patterns emerge from the data • Provides context and awareness • Good for non-trivial

problem-solving. ii. Telemetry – An automated communications process by which measurements and other data are collected at remote points and are subsequently transmitted to receiving equipment for monitoring development. Operations don’t just monitor what’s up or down. ii. Modern Monitoring architecture 1. Data Collection at business logic, application, & environments layer a. Events, logs, & metrics b. Common 1. Authentication/authorization decisions 2. System and data access 3. System and application changes, especially privileged changes 4. Data changes (CRUD) 5. Invalid input, possible malicious injections

right” 2. Type 2 – System of Engagement – “Doing it fast” ii. DevOps helps reject the bi-modal IT model and lets you do both c. START WITH THE MOST SYMPATHETIC AND INNOVATION GROUPS i. Chrossing the Chasm environment and ensuring service levels are met v. Infosec – team responsible for securing systems and data vi. Release Managers – the people responsible for coordinating the production deployment processes PLANNING HORIZONS SHORT i. Act like a startup, strive to generate measurable improvement or actionable data within weeks f. RESERVE 20% OF CYCLES FOR NON-FUNCTIONAL REQUIREMENTS AND REDUCING TECHNICAL DEBT

appears to offer predictability, control, and efficiency, the key values of the contractor-control model. But it doesn’t. Requirements: Requirements are a way of controlling the development team by constraining Characteristics of an Agile governance and oversight model: Before we dive into an Agile governance and oversight model, let’s think about what characteristics such a model should have in order to both take advantage

emulation of common infrastructure components to achieve consistent and predictable resultConceptual Model DevSecOps LifecycleDevSecOps Pillars DevSecOps EcosystemDevSecOps Software Factory DevSecOps MVP correlated and centralized logs, container security, east/west traffic management, a zero-trust model, a whitelist, Role-Based Access Control (RBAC), continuous monitoring, signature-based continuous

outcomes • Take it to the team • Be a mirror • Master your words & face • Let there be silence • Model being outrageous • Let the team fail • Be their biggest fan Lyssa Adkins Self-Assess FirstSelf

Operations to improve outcomes 2. Ch. 9 – Create the Foundations of Our Deployment Pipeline a. Enterprise Data Warehouse program by Em Campbell-Pretty - $200M, All streams of work were significantly behind schedule Application code & dependencies 2. Environment scripts & creation tools 3. DB scripts and reference data 4. Containers 5. Automated tests 6. Project artifacts – documentation, procedures, etc. 7. Application Smoke testing our deployments – test connections to supporting services and systems, run sample data/transaction tests, fail deployment if needed 3. Ensure we maintain consistent environments – continually