Skip to main content
CybersecurityVulnerability Management

DevSecOps Becomes Essential for Modern Government IT

Government IT developer's workstation with code on laptop screen, notes, and coffee cups, in a large office space.

Vulnerability disclosures directly related to AI-assisted development increased dramatically month over month in 2026.

AI-assisted software development and rising disclosures

AI coding assistants have cut development timelines “that took quarters into weeks,” according to the source material, accelerating delivery while introducing new risks. The rapid uptake of AI in the pipeline has security leaders alarmed: the source reports that most security leaders are concerned about risks from AI-generated code, and that disclosures tied to AI-assisted development rose sharply through 2026. At the same time, adversaries are using AI to accelerate attacks against government networks and software supply chains, creating simultaneous pressure to go faster and to harden defenses.

Software supply chain practices: SBOMs and Supply-chain Levels for Software Artifacts (SLSA)

DevSecOps in government increasingly treats the software supply chain as a primary security surface. Agencies are producing software bill of materials (SBOMs) throughout development and verifying provenance against frameworks such as Supply-chain Levels for Software Artifacts (SLSA). That process is intended to show not only what is in a build but “how and by whom” it was constructed. The source emphasizes that agencies are extending these supply-chain testing processes to AI-generated code itself, treating AI-produced artifacts as assets that must be scanned, attributed, and verified.

Continuous Authorization to Operate (cATO) and continuous monitoring

Static, years-long accreditation cycles are described as incompatible with modern delivery. The source identifies Continuous Authorization to Operate (cATO) as a key component of DevSecOps evolution: through continuous monitoring, active cyber defense, and mature DevSecOps practices, cATO keeps authorization current rather than locking a system’s security posture in place after a one-time approval. The shift moves authorization models toward continuous, risk-informed approval and ties governance to delivery velocity.

Department of War guide, platform engineering, and unified platforms

The source notes that the Department of War has formalized many DevSecOps practices in its DevSecOps Strategy Guide, demonstrating how software factories and continuous authorization can function at scale in a highly regulated environment. In practical terms, agencies are adopting platform engineering to provide developers with secure, self-service infrastructure and embedding automated security testing inside continuous integration and continuous delivery (CI/CD) pipelines. The piece frames these unified platforms—where development, security, and operations merge—as the operational backbone for resilient, mission-ready digital services.

Carahsoft DevSecOps Conference — July 28, 2026

The Carahsoft DevSecOps Conference on July 28, 2026, is presented as a gathering point for government and industry leaders to discuss these shifts. The agenda includes sessions on AI coding assistants, AI-enabled software development, streamlining the Authority to Operate (ATO) process, and the future of DevSecOps across government. Attendees will hear from leaders representing the National Institute of Standards and Technology, the Department of the Navy, and the Government Accountability Office, among others, each offering perspectives on implementation and remaining challenges.

What this means for CIOs, CISOs, and application development leaders; policymakers and regulators; developers and security teams

  • CIOs, CISOs, and application development leaders: The source states the tradeoff between speed and security is “no longer acceptable.” Mission success, it says, depends on doing both—delivering faster with AI while embedding security and continuous authorization so systems do not become brittle or non-compliant.
  • Policymakers and regulators: Static, point-in-time accreditation is being replaced by cATO and continuous monitoring models. The Department of War example is cited as a blueprint for how continuous authorization and software factories can operate at scale in regulated contexts.
  • Developers and security teams: Agencies are encouraged to adopt platform engineering, secure self-service infrastructure, and automated testing inside CI/CD. They must also extend supply-chain verification—SBOMs and SLSA provenance checks—to AI-generated code and other emergent artifacts.

The record in the source is plain: DevSecOps was designed to reconcile speed with security, and as AI accelerates software development across government the operational question has shifted from adoption to implementation. The Carahsoft conference offers a near-term forum for agencies and vendors to compare approaches, but as the piece closes, the choice framed for government leaders is stark and specific: “The question is no longer whether agencies should adopt DevSecOps, but how to implement it in a way that balances innovation, security, and governance as AI accelerates software development and modernization efforts across government.”

Source: Balancing Speed and Security: Why DevSecOps is Essential for Modern Government IT