small-medium-large as units for assigning story points. Over time, as the teams accumulate performance data, this iterative and incremental4 process improves accuracy in allocating points. Point values are typically is the contractor team of software developers, including software and security engineers, data specialists, testers, quality assurance, and configuration managers. Ideally these participants scope and/or Capability Drop (CD) documents for smaller items such as applications (see Figure 13). Services and requirements oversight organizations have the flexibility to identify alternative names for

TO START 47 7. Ch. 5 Selecting Which Value Stream to Start With 51 a. GREENFIELD vs BROWNFIELD SERVICES i. DevOps is not just for Greenfield ii. Important Predictor – Is the application architected environment and ensuring service levels are met v. Infosec – team responsible for securing systems and data vi. Release Managers – the people responsible for coordinating the production deployment processes PLANNING HORIZONS SHORT i. Act like a startup, strive to generate measurable improvement or actionable data within weeks f. RESERVE 20% OF CYCLES FOR NON-FUNCTIONAL REQUIREMENTS AND REDUCING TECHNICAL DEBT

problem-solving. ii. Telemetry – An automated communications process by which measurements and other data are collected at remote points and are subsequently transmitted to receiving equipment for monitoring development. Operations don’t just monitor what’s up or down. ii. Modern Monitoring architecture 1. Data Collection at business logic, application, & environments layer a. Events, logs, & metrics b. Common 1. Authentication/authorization decisions 2. System and data access 3. System and application changes, especially privileged changes 4. Data changes (CRUD) 5. Invalid input, possible malicious injections

Operations to improve outcomes 2. Ch. 9 – Create the Foundations of Our Deployment Pipeline a. Enterprise Data Warehouse program by Em Campbell-Pretty - $200M, All streams of work were significantly behind schedule Application code & dependencies 2. Environment scripts & creation tools 3. DB scripts and reference data 4. Containers 5. Automated tests 6. Project artifacts – documentation, procedures, etc. 7. Application introduced iv. Integration tests – ensure correct interaction with other production applications and services g. CATCH ERRORS AS EARLY IN OUR AUTOMATED TESTING AS POSSIBLE i. A test suite’s goal is to find

responsible for unsupported platforms ii. Systematically review production infrastructure and services for items that are causing disproportionate amounts of failure and unplanned work; plan for elimination CODE REPOSITORIES AND SHARED SERVICES i. Add mechanisms & tools ii. Add security’s pre-blessed libraries, implementations, etc. iii. Collaborate with any shared services to provide prebuilt, secured known vulnerabilities and consolidate multiple versions of the same library iii. 2014 Verizon PCI Data Breach Investigation Report – studies over 85K cardholder breaches. 10 vulnerabilities accounted

stewarding three critical assets: the Enterprise Architecture asset, the IT people asset, and the data asset. These three assets represent the capabilities of the company and its ability to address the some sort of management.About the Author Mark Schwartz is an Enterprise Strategist at Amazon Web Services and the author of The Art of Business Value and A Seat at the Table: IT Leadership in the Age of

developer incorporates open source frameworks, uses standardized design patterns, and orchestrates services that are already available.  There are “cookbooks” available with templates for deploying systems adapt the system over time as the business changes versus buying an undefined stream of future services from a vendor who doesn’t know your business and doesn’t have financial incentives to supportyou meant to be, really. About the Author Mark Schwartz is an Enterprise Strategist at Amazon Web Services and the author of The Art of Business Value and A Seat at the Table: IT Leadership in the Age of

Design.pdfContainerized Software Factory Reference DesignSoftware Factory using Cloud DevSecOps Services Sidecar Container Security Stack Sidecar Container Security Stack enables: correlated and centralized containers, strong identities per Pod using certificates, and whitelisting rather than blacklisting. Services that support the security sidecar include: 1. Program-specific Log Storage and Retrieval Service

Contracting – Dr. Stephen Mayner SAFe https://techfarhub.cio.gov/ Handbook for Procuring Digital Services Using Agile Processes All structures (standard C, IDIQ, BPA, GWAC, set-aside, etc.) can support

moving, from the first year of USDS Mikey Dickerson (Federal Government | United States Digital Services Team)  The more simple, the better off you are  Agile is tactic not religious credo  You have