Governance is critical and should be the starting point – this drives behavior, compliance, risk controls, technology, remediation, guardrails, and key metrics. The second is to educate and enable people on how not to hit guardrails. The third step is the establishment of processes that align with Governance to drive the action of People within the journey of DevSecOps. Technology should be the final component. Technology is the enabler of the processes and enforcement of Governance within DevSecOps. Discussion will focus on lessons learned in designing a DevSecOps operating model that aligns to an application security program to enhance governance and management of the DevOps functions including requirements, compliance, testing, reporting, and updating or establishing clear requirements around application security processes, technologies, and automation, informed by the strategy defined through the application security program and operating model. Additionally, the discussion of how centralized vulnerability and compliance information can provide access to DevOps teams allowing greater transparency and visibility to identified vulnerabilities that require remediation and to update status of remediation and build in workflows that will trigger when a vulnerability or compliance issue is ready for re-testing or requires an exception.