The DevSecOps Capability Maturity Model
Implementing DevSecOps can improve both the effectiveness of a software organization and the quality of the software it is responsible for. Implementing DevSecOps is a complex undertaking, however, and how a program evaluates its own progress matters. We propose here a frame of reference for DevSecOps maturity that lets organizations focus on outcomes, the value delivered, rather than on compliance for its own sake. The Department of Defense's (DoD) DevSecOps Documentation Set emphasizes program activities that speed delivery, tighten security, and improve collaboration across the software development lifecycle. Without a deep understanding of the interdependencies among the roles and activities in a DevSecOps ecosystem, however, a program may optimize less beneficial sub-activities at the expense of more beneficial ones, producing waste rather than value. Effective DevSecOps ecosystems must be based on objective observations and data that account for the journey a software program undergoes