How DevSecOps can help the federal government catch up on the innovation front

Government IT modernization requires new strategies, and now the IBM Center for The Business of Government has outlined one: a more effective approach to DevSecOps, a way of continuously delivering secure software. With more, IBM fellow and former deputy federal CIO Margie Graves joined Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Ms. Graves, good to have you on.

Margie Graves: Great to be here Tom, thank you for having me.

Tom Temin: It’s hard to go to a conference or a meeting that has to do with IT without hearing about SecDevOps. So is the purpose of this report to tell people this is here, or to tell them to get on with it – what are you doing here?

Margie Graves: I think it’s probably more of the latter. This is not a new concept. It’s been out there for some time, it’s been effectively adopted in commercial sector. And I believe that we are probably a little bit behind the power curve in the federal government in terms of adoption. So this report is an encouragement for people to keep pushing, keep moving forward, and to understand the advantages that can be provided to them by DevSecOps.

Tom Temin: Because one of the statements in there is interesting. It says the federal government has the power to convene operational experts and to work with standards and governance bodies to ensure alignment and directional consistency. Explain that all for us.

Margie Graves: Well, when we have policy elements that we’re trying to develop within OMB, we convene not only the experts from the agencies so that we can get the operational point of view, but we also convene entities like NIST, which supplies all of the standards and capabilities that most people follow within the federal government, and other entities that play well in the game, who provide shared services, like GSA in the area of acquisition. So any of those enabling factors can help clear the pathway for agencies to adopt this very effective methodology. That is what the endgame is: trying to convene those bodies that can actually change and transform the policies and the legislation and the approaches and playbooks and how-tos that agencies actually need to develop and to implement.

Tom Temin: Alright, and we should, I guess, give a brief definition of DevSecOps that grew out of DevOps, development operations, where you have continuous delivery of small modules of software, and each one is kind of tested against not only its function, but against whether it’s acceptable to the customer. And then Sec got into the middle of that to make sure it’s all done securely. Good way of describing it?

Margie Graves: That’s absolutely correct. What we were finding was that in the development process, we weren’t including the CISO community and the operational security community, the information assurance community, effectively in the process itself, all during the development, as opposed to having testing and selected elements of the actual solution pen tested at the very end, and then finding out that we had problems. So the most effective way to do this, DevSecOps, is an approach, a methodology, that makes sure that we include operators, the security community, the stakeholders, and most importantly, the customer in every step of the development process. So as you’re doing these small iterations that you were talking about, Tom, you are actually building security in as you go.

Tom Temin: We’re speaking with Margie Graves. She’s an IBM center fellow, and former deputy federal CIO, among other jobs in the federal government and industry. And also this report that is just out from the IBM Center ties CX, customer experience, to DevSecOps. Explain that connection for us.

Margie Graves: It’s probably the most important connection that we could possibly make. What we have discovered over time, is that developers benefit from being embedded with the customer. And it’s almost like if you go to the optometrist, and they say, well do you like it better this way, or do you like it better this way, in terms of lenses? It’s the same thing with development of IT capability. You sit with the user, and you determine whether the feature that you have developed actually meets their needs, or even if it was a requirement that they stated they needed at the very beginning. And then when they see it, it’s not quite as important to them as they thought it was. You have to be able to get that feedback in real time as you’re developing, and to either throw out features or enhance features accordingly, to really meet the customer feedback in real time.

Tom Temin: And what do you think are some of the acquisition and procurement aspects that are required by DevSecOps, because when you think of software development that is acquired, the government tends to take the here’s the requirements, send us back the software when you’re done type of approach. I’m oversimplifying a little bit, but we’ve seen this for decades, and it doesn’t often come out very well. On the other hand, with DevSecOps, the implication is everybody’s working together side by side, day after day. And that sounds like it mitigates more in favor of federal employees doing that development work. Can contractors participate in DevSecOps on behalf of the government?

Margie Graves: Oh, absolutely, they can. I will give you a real-life example that I experienced at USCIS transformation, where we had three or four development teams that were on an overall contract, and each one of them competed for a sprint. And depending on how they delivered in terms of the velocity of the sprints they delivered, the effects of the sprints they delivered and the customer satisfaction, they received more business. So it was almost like a constant competition. And the requirements were based on currently developed user stories, and what was in the pipeline in terms of user stories, as opposed to what we used to do with the waterfall development approach, which was the functional requirements document that was developed three years prior, and was probably no longer relevant at the time you actually launched the development.

Tom Temin: Sure, I think of waterfall more like Niagara Falls: you throw something over the edge, and it smashes and gets drowned on the bottom, and you never get what you want, going over the falls in a barrel load us something like that. And in this age now, where there is serious money that has been appropriated by Congress for modernization, and the administration is asking for even another half billion dollars beyond that, way more money than was available earlier, just because I don’t know what got under Congress’s saddle, what burr they’re sitting on. But do you think that modernization money can be combined with a DevSecOps approach to maybe get after some of these legacy systems that are so badly in need of redevelopment or replacement?

Margie Graves: This is one of the topics that I love to talk about, because obviously TMF was launched under my watch, and I really believe it’s a game changer in the sense of adding it to your toolset and funding capabilities that are available to you as you develop your funding strategy. And the key issue there is it is a funding strategy. It’s inclusive of working capital funds, it’s inclusive of your base budget, and it’s inclusive of the TMF. And TMF is actually specifically designed so that people can do this kind of experimentation, and this kind of quick-turn agile development in demonstrable projects that can be funded initially by a small tranche, and then ultimately, as capability is delivered, more money can come out of the well; you don’t have to fund the whole thing simultaneously. And you can get a severable and deliverable feature delivered with a small tranche of money. But now that we have bigger dollars on the table, it also opens up the aperture to use some of the shared services that are available in the United States government today, and some of the ones that are being developed under the QSMO umbrella would come to mind.

Tom Temin: I was gonna say, yes, the idea of interoperable components being reused for different applications by different agencies, because so many of the technical functions underneath the application are the same across the government, whether it’s finance or personnel systems, you name it, much of it can be similar or common with maybe only the front end different with respect to what that agency’s particular requirements might be. So it sounds like you’re saying DevSecOps can really serve that idea of reuse and shared services.

Margie Graves: Yes, it absolutely can. And I’m really hopeful, too, that now that we have another funding methodology and that the TMF has been funded with, what I would consider to be congressional, are just this time around, that people will take advantage of that ability to move into some of those shared services, because one of the premises of the administration’s approach to IT modernization is, of course, the adoption of commercially capable systems. So those are all available to us, and as a customer in the United States government, I felt I always wanted to go there first – shopped around the closet first.

Tom Temin: Alright, Margie Graves is an IBM fellow and former federal deputy CIO. Thanks so much for joining me.

Margie Graves: Thanks very much Tom, I really enjoyed our conversation.
