GUEST BLOG: Continuous delivery, continuous advantage -- Rethinking defense software for the embedded era

Blog

March 11, 2026

Yet the U.S. Department of Defense (DoD) still treats software like hardware. We spend years fielding it while known vulnerabilities sit exposed in production, daring the enemy to strike first.

It’s not as though the DoD hasn’t tried to adapt DevOps culture – the integration and automation of software development and information technology operations – from Silicon Valley: For years, it’s churned out memos, strategies, and software factories promising warfighter-specific capabilities. But playbooks and necessary resources never arrive, and too many factories deliver artifacts instead of outcomes.

We don’t need another glossy strategy PDF. We need working software in production. If teams treated the NIST Risk Management Framework (RMF) as the structured but adaptable guide it’s intended to be, we’d be 100 times further along than we are right now.

The conundrum: cATO, double standards, and the psychology of perfection

It’s trendy to talk about continuous Authorization to Operate (cATO), but most treat it like an artifact instead of a process, which misses the point. Continuous authorization isn’t a certificate. It’s a culture of shipping securely every day.

That misunderstanding punishes new programs. They get judged against the standards of mature teams that have been iterating for years. Instead of asking the only question that matters – is today safer and faster than yesterday? – the bureaucracy now demands an idealized end state on day one.

Everyone admits systems aren’t secure, but then decision-makers block improvements as “not secure enough.” It’s absurd. If a fielded system has 100 vulnerabilities and a new build cuts it to 90, that’s an improvement. Standing still is not safer than moving. That false sense of security is the real risk.

This is the same big-bang thinking that doomed so-called waterfall development. By blocking incremental delivery until everything looks perfect, the department makes improvement impossible by demanding perfection at the start. The real benefits of DevOps – patching in hours, remediating zero-days quickly, and shrinking ATO cycles – only occur when teams are allowed to prove themselves step by step. Perfection comes from iteration. Demand it up front, and you guarantee it never happens.

Do the work

The Risk Management Framework isn’t slow by design; it’s slow by misuse. Preparing real monitoring plans, categorizing honestly, selecting and implementing controls, assessing for effectiveness, authorizing based on actual risk, and monitoring continuously enables speed through disciplined execution of hard work. The DoD’s new Cybersecurity Risk Management Construct (CSRMC) acknowledges these same truths. It’s a shift from static checklists and “snapshot-in-time” assessments to a life cycle built around automation, control inheritance, and real-time monitoring. Whether it delivers depends on disciplined execution.

In practice, that means:

• Integrate RMF into DevOps: Stop bolting on compliance. Bake it into delivery.
• Architect for control inheritance: Design systems to inherit controls.
• Fund technical assessors: Embed engineers who validate evidence in real time and keep delivery moving.
• Do continuous monitoring the right way: Scans are the easy part. Real monitoring covers organizational, process, technical, and even physical controls.

Do the work each step requires and then prove it. Practice radical transparency with authorizing officials to demonstrate that monitoring works. If your configurations drift, show that you identified and then fixed them.

That’s how you build trust: prove you can spot and kill risk faster than the enemy can exploit it. Waivers and shortcuts don’t scale: You can’t audit your way into trust. When the pressure is on, teams often seek waivers or temporary relief instead of fixing the root problem. On paper, it looks like progress. In reality, it’s just kicking the can.

That’s the problem with waivers. They let people look busy until reality slaps them in an audit or a breach, or when they can’t deploy inside a new boundary. And when shortcuts collapse, it’s the warfighters left holding the bag.

The cost of delay: Why we need technical assessors

Documentation to achieve ATO is not the time suck – the biggest drain is wait status. Based on our value stream mapping with several organizations, more than 80% of the timeline to get an ATO is wasted in queues: developers sit idle, evidence piles up, and authorizing officials are too overloaded for reviews. By the time they get feedback, it’s no longer fresh, further pushing time lines. That dead time is pure mission risk. Every day that embedded systems are delayed to the field is another day without critical capabilities. Every day that systems sit unpatched is another day adversaries get a free shot. Waiting is the most expensive thing we do, and we do it at scale.

Dedicated technical assessors are the medicine nobody wants to swallow. They break bottlenecks, slash dead time, and turn “someday” authorizations into continuous delivery. Yes, they cost money – but the cost of not adding them is far more expensive. Every stalled build, every delayed patch, and every warfighter waiting for tools is a tax we pay for not funding assessors. Even a fraction of program dollars spent on assessors pays back many times over in speed, security, and systems that actually reach the field.

You don’t win wars with strategy decks

Every day of delay is another day adversaries exploit known flaws. That’s the cost of inaction, and warfighters pay it first. We don’t need more slogans or shiny slide decks. We need software in production at a speed the enemy can’t match. That starts with disciplined execution of the fundamentals.

Incremental progress beats big-bang perfection every time. And the secret is, there is no secret. No waivers. No shortcuts. Just execution. Do the work.

Bryon Kroger is the founder and CEO of Rise8.

Rise8 · https://www.rise8.us/