And they’re popping up on the civilian side of government as well, with software factories in place at the U.S. Patent and Trademark Office and the Department of Veterans Affairs.
Lorraine Landfried, senior vice president in the civil sector at Booz Allen Hamilton, said software factories represent “the next evolutionary step” agencies are taking in software.
“As we’re moving away from looking at just individual systems or projects, and taking more of a product line and portfolio approach, a software factory is a natural complement to that, because it gives you a common set of tools and processes that can be used by multiple development teams that are solving similar product problems,” Landfried said.
The factory approach is a combination of “people, processes and tools,” she said.
“It lets us put more accelerators, and more powerful tools in place, things like test automation, developer self-service types of tools, all the way to the other end with validation of security controls,” Landfried said. “You get all of that done consistently, more affordably and more reliably.”
The approach may change how agency chief information officers and IT teams approach their technology stack. Instead of organizing development teams and resources around each specific program or set of requirements at an agency, Landfried said agencies are starting to design their factories around broader mission and product lines.
“It just to be used by one development team to solve one problem, but really opening the aperture of, ‘How are we going to onboard other products into this and really pivot from being a purpose-built DevSecOps pipeline to being something that can be shared across products, or even at an enterprise level?’” Landfried said.
Meanwhile, software security considerations are becoming ever more paramount at federal agencies. President Joe Biden’s May 2021 cybersecurity executive order directed agencies to adopt secure software development practices.
The National Institute of Standards and Technology has since published a secure software development framework, and last September, the White House Office of Management and Budget issued new guidance for agencies to obtain secure software attestations from vendors.
With cybersecurity and supply chain security requirements on the rise, Landfried said agencies are building repeatable security processes into their software factories as well.
“You’re going to get logs created a certain way, you’re going to have those logs connected to enterprise monitoring,” she said. “You can start putting machine learning tools on top of those. And you’re not having to go and retrofit every application that you have. As applications come into the factory, that uniformity allows you to put yourself in a much better security posture.”