Overall details on the security process are from TechFAR. Make security a priority early in the process. Do not have a “security sprint,” but instead start with a hardened system and regression test every day. Implement continuous monitoring in production and ongoing authorization. Use code scanning tools and processes to allow for ongoing evaluation of the security posture. Build any new controls during the regular sprints, test frequently, and be ready to deploy. The system should always be in a deployable state.
As part of the Integrated Project Team (IPT) process of gathering requirements for the procurement, security managers should develop, prior to contract award, a checklist of all security controls that must be adhered to and factored into each release. The cumulative adherence of the individual iterations to the checklist can facilitate the full review at the time of the release. Deviations from the checklist should be discussed during the iteration. Critical to successful implementation of this approach is having security personnel available throughout the development process.