Modernizing and securing government IT through DevOps

According to the Government Accountability Office, most of the $100 billion federal IT budget is used to operate and maintain legacy systems, including software. However, technology creates additional security vulnerabilities as it ages. Continuing to use outdated applications, programs, and hardware is costly and introduces significant risks to organizations. Maintaining tooling integration distracts engineers from their core product and slows down innovation. To combat this, agencies must find a seamless and centralized way to modernize their IT infrastructure.

Increased imperatives for security, compliance, legal regulations and complex acquisition policies complicate modernization, which is an ambitious undertaking in itself. A successful transformation of software development and delivery requires a thoughtful leadership approach that prioritizes security and cultivates a cultural shift, so people and processes are aligned.

Getting started

Federal CIOs embarking on a DevOps journey should embrace continuous integration/continuous delivery pipelines to reduce toolchain complexity, management and maintenance. This move will enable end-to-end visibility for an agency’s entire IT team.

With continuous integration, code is tested at each stage of an automated CI/CD pipeline. Fixing an issue requires smaller code changes and only code that passes the quality and security testing is integrated. Continuous delivery automates the software release process, making it repeatable and more efficient.

CI/CD is a DevOps best practice because it balances the need to move fast with stability and reliability.

Making security a part of the process

Security needs to be built into the DevOps process so that no risks are introduced during development. People, processes and technologies must work together. This includes code that has been examined by numerous security personnel, build processes that take place in the open, and high-quality software that is tested and trusted.

Too often, security testing happens too late, forcing developers to trace back and rework code extensively. With a modern development approach, every line of code is scanned as it is committed. Such a process provides clear accountability for the introduction and remediation of vulnerabilities or the dismissal of policy violations, and makes the DevOps platform process secure by design.

Government agencies should implement a comprehensive and continuously monitored software bill of materials, allowing everyone touching the software to fully understand the dependencies of their ecosystems.

Aligning culturally

Since transforming technology practices can be difficult, it requires support at the executive level as well as buy-in from employees. Federal CIOs should encourage teams to fully adopt the culture of DevOps and embrace the spirit of continuous improvement. By realigning their organizations and work — breaking down silos and eliminating handoffs — government IT leaders can empower their teams to get mission-critical capabilities out the door quickly.

Cultural change is a conscious and deliberate undertaking, requiring leadership sponsorship and investment in larger initiatives that push the enterprise forward. Leaders should budget time to promote experimentation and empower people to discover how they fit, what tools they need, how best to communicate and work together to meet the goals of speed and quality.

It’s vital for technology leaders to promote experimentation that allows teams to fail, empower people to find the right ways to work together, provide management instruction and lay out the ‘right’ path for teammates to follow. Understanding that failures can lead to successes is crucial in a DevOps, modernization-driven environment.

What success looks like

Air Force BESPIN Chief Technology Officer Master Sgt. James Crocker became a trailblazing leader for the Air Force. He fought against the legacy approach to coding within his organization, and doing so reduced the excessive amount of time it took to gather requirements and to write, secure and deploy code. His vision has made the switch to a single DevOps platform effortless. As a result, the Air Force has increased code deployment by 208 times over pre-factory efforts.

In order to innovate more rapidly, the Air Force modernized its software development process, without compromising security or compliance, by reducing and integrating development tools into one platform. The pivot saved 100 years of program time and reduced software release timelines from a standard 3-8 months to just one week.

The shift to a successful DevOps model will lead to more significant transformation at every level of government. It will require not only technological advancement but also a cultural adjustment. With the proper foundation, tools and culture where employees can fail, experiment and learn, federal CIOs can position their agencies to reap the modernization benefits of open-source DevOps platforms.

Bob Stevens is area vice president for the public sector at GitLab.
