No Gaps, No Downtime — Connecting DevSecOps to C2

August 29, 2025

Collaboration

The DoD’s innovation teams have mastered fast, secure software delivery. Now they’re tackling the harder problem of getting that software into live mission environments…where it matters most.

By any traditional measure, DoD DevSecOps has been a stunning success story. Platform One processes thousands of builds monthly. Kessel Run applications supported the Kabul evacuation when lives were on the line. Black Pearl serves over 1,300 users across 77 projects. These numbers represent a fundamental transformation in how defense software gets built. But delivery speed means nothing if your software can’t reach the mission.

DevSecOps Has Evolved; Mission Integration Hasn’t

Teams like Platform One, Kessel Run, and Black Pearl have revolutionized the “Dev” and “Sec” parts of the equation. Platform One greatly accelerates software delivery and digital transformation by providing a secure, centralized software development and delivery platform, with Iron Bank and Big Bang creating “a streamlined, repeatable process aligned with cATO (continuous authority to operate) principles that maintains the security and agility DOD requires.” That’s genuinely impressive progress.

The challenge isn’t building software anymore, it’s bridging the gap to operational environments (Air Operations Centers, Naval combat information centers, and all other command and control systems) where software meets kinetic reality.

This isn’t a theoretical problem. As James Edmonds from Kessel Run puts it: “The mission for this DevSecOps unit, if you will, is command control of airpower on behalf of the United States Air Force and the nation.” Yet many applications developed in modern DevSecOps pipelines still struggle to bridge into operational environments where that mission control occurs.

Where the Gap Lives

The DevSecOps-to-mission gap isn’t an abstract integration challenge; it’s a collection of specific friction points that trip up even the most sophisticated software delivery pipelines.

Classification boundaries represent the most obvious barrier. Your cloud-native pipeline runs beautifully at IL4 and IL5, but the mission happens at IL6 in air-gapped environments. NAVWAR’s launch of the first IL6 Overmatch Software Armory represents a significant step forward, but it highlights the current rarity of these capabilities. When a development team works in an unclassified environment while operational users need Secret-level capabilities, every deployment becomes a complex cross-domain operation.

Tool fragmentation creates another layer of complexity. Development teams use GitLab, Kubernetes, and modern CI/CD pipelines. Operational teams work with legacy C2 systems, tactical datalinks, and mission-specific software that predates containers by decades. As Kyle Saunders, software factory engineer for Command and Control (C2) at DISA, explains: “A lot of the C2 stuff is on the high side, on the SIPRNet [Secret Internet Protocol Router Network] and at the time, there was no DOD-wide software factory on the SIPRNet side.” This means that even when software successfully jumps to operational environments, it often arrives in a format that doesn’t play well with existing mission systems.

Real-time mission requirements expose another fundamental mismatch between DevSecOps rhythms and operational reality. DevSecOps excels at planned deployments and scheduled updates. Mission environments demand instantaneous responses to changing tactical situations. When an Air Operations Center (AOC) is managing live airspace deconfliction, they can’t wait for the next sprint to implement critical updates.

Communication gaps compound all these technical challenges. Brian Beachkofski, former Kessel Run commander, emphasizes this point: “Any development effort that intends to use the tools of the digital era – including software and data – to deliver capability should be structured around seamlessly gathering feedback from operations and incorporating it into future development.” Without direct communication channels between developers and operational users, software teams end up optimizing for theoretical requirements rather than real mission needs.

What’s Working: Lessons from the Bridge Builders

Despite these challenges, some organizations are successfully bridging the DevSecOps-to-mission gap. Their approaches offer practical blueprints for others facing similar integration challenges.

The most successful approach involves embedding DevSecOps capabilities directly with operational units rather than maintaining separate development and operations organizations. Kessel Run exemplifies this organizational model: Beachkofski explains, “Any development effort that intends to use the tools of the digital era — including software and data — to deliver capability should be structured around seamlessly gathering feedback from operations and incorporating it into future development.”This structure ensures continuous feedback loops between development and mission execution because the same organization is responsible for building software and ensuring it works in operational contexts.

Infrastructure design represents another critical success factor. The most advanced teams aren’t just building for the unclassified world, they’re designing their entire DevSecOps pipeline to work consistently across classification levels. NAVWAR’s Overmatch Software Armory now operates at IL6, “accommodating DoD Classified Information up to the Secret-level” while maintaining “the same tools and automation” as lower classification levels. Teams can develop muscle memory and standard processes that work the same way whether they’re deploying to unclassified development environments or classified operational systems.

Mission awareness in the development process itself makes an enormous difference in outcomes. The Navy’s iLoc Development Team demonstrates this principle perfectly, having “six warfare-qualified P-8 operators” building software that produces “extremely impactful software with so few people because of the comprehensive mission knowledge the team possesses.” When your developers understand both what the software needs to do and how it fits into larger mission workflows, they make better design decisions at every level.

Integrated collaboration platforms provide the connective tissue that holds all of these approaches together. Platform One leverages tools like Mattermost for ChatOps— a secure collaboration layer for DevSecOps— “which allows for continuous, efficient, and timely collaboration to avoid gaps in your DevSecOps process.” These platforms become the nervous system that connects development insights with operational feedback, enabling rapid iteration that increases DevSecOps’ value in mission contexts.

A New Mission Stack Emerges

More than incremental improvement, this is the emergence of a fundamentally different approach to defense software. Call it “mission-integrated DevSecOps” or “operational DevSecOps.” The key insight is that development, security, and operations can’t be separate domains when software directly enables warfighting effects.
The most successful implementations share common characteristics: sovereign infrastructure provides full control over the entire software stack with no dependencies on commercial cloud providers for mission-critical paths. Cross-domain workflows enable seamless processes across classification levels. Real-time feedback loops create direct communication channels between operational users and development teams. Integrated security postures embed security throughout the pipeline and operational environment.

Industry integrators’ approach to JADC2 exemplifies this convergence, “accelerating the speed of decision making by delivering mission management tools, applications, and computing solutions” that connect directly to operational needs. This isn’t just about delivering software faster. It’s about delivering mission capability faster by eliminating the traditional handoffs between development and operations.

The Future is Converged

We’re witnessing the emergence of a new paradigm where the line between software development and mission execution blurs. The question isn’t whether this convergence will happen. It’s already happening at places like Kessel Run, Platform One, and Black Pearl. The question is how quickly the rest of the DoD can adapt these approaches to their own mission requirements because, ultimately, a world-class DevSecOps pipeline is worthless if it can’t reach the fight.

Read more about:

devsecops

A.J. Nash is an intelligence strategist and public speaker focused on building intelligence-driven security programs. Applying his 19+ years of experience in the U.S. Intelligence Community, A.J. is often asked to contribute to traditional and social media discussions on intelligence, security and leadership as well as being invited as a keynote speaker at conferences worldwide. AJ is the host of the podcast Unspoken Security.

Read More Collaboration Articles