Security is the name of the game in DevOps, federal tech leaders say

Federal leaders in development operations have to contend with an array of user experience and mission needs. For the Smithsonian, that means ensuring its museum visitors and website users enjoy the collections. For U.S. Citizenship and Immigration Services, it means getting the expedited paperwork processing for which people pay extra. And at the Consumer Financial Protection Bureau, it means dispensing oversight quickly.

Speaking on an ATARC panel about the importance of DevOps across government, technology experts stressed security, training and stakeholder input to reach mission success.

When Christopher Crist joined U.S. Transportation Command at the Defense Department, he was the chief of DevSecOps. Since then, his role has transformed into chief of digital transformation, with DevOps at the core of his work, he said. That extends to concepts such as cloud migration, zero trust, the risk management framework process, machine learning and artificial intelligence. As for why DevOps gained prominence over the last few years, Crist said it has become the foundation for more and more new initiatives: “In order to get to B, you have to start with A.”

Rayvn Manuel, senior application developer and DevOps engineer for the National Museum of African American History and Culture, said the trend initially began in the early 2000s with agile methodology. Agile enables iterative development and self-forming teams to achieve that A-to-B delivery, but all stakeholders need to be involved, from the development team to the operations team, to systems and security.

“The next thing that came into play, which I think actually made DevOps prominent, is the introduction of some tools, like containers,” she said on the panel Thursday. “So if you have multiple developers from different places, and we did — we have contractors, vendors at all sorts of places — then we didn’t have to worry about the environment, that all the environments were actually standardized. And you didn’t have to worry about whether a person had the correct tools or the correct base.”

Ultimately, it comes down to speed to mission, according to Tiina Rodrigue, chief information security officer in the Office of Technology and Innovation at the Consumer Financial Protection Bureau.

“Nobody is interested in long, slow discipline, and we’ve been able to turn the tide away from that history to what we’re seeing today,” she said.

The panelists agreed DevOps has been around for years in one form or another; only the marketing is new. Paula Wagner, chief of the Systems Delivery Division in the Office of Information Technology, Management Directorate at USCIS, said including security as part of development, and coding to consistently monitor or test systems, have also pushed DevOps out faster.

Engaging developers and security teams earlier is one area that needs improvement, Rodrigue said. Underlying assumptions or decisions can otherwise be made before everyone is at the table.

Security training for developers gets the biggest bang for the buck, because they will write secure code from the start, which Brian Reed, chief mobility officer at NowSecure, said gives the pipeline maximum velocity.

Manuel agreed training is important but emphasized what comes before: the ability to detect a problem. Integrating a series of patches meant to address different issues can create something entirely new, which can lead to leakage, she said.

“Monitoring tools are great because they let you know if something’s not talking to something. But none of those tools actually let you know if something is open to attack or is open to be changed, or if there’s a password and this should not happen and is actually in a checklist, but nothing can tell you that a password has just been sent to something else in the clear,” she said. “So the lack of insight into observability into the code as it’s interacting with all the various systems or modules is a problem, I think, within this sphere.”

For USCIS, Wagner said meeting requirements is the biggest challenge. She said her team has to be specific with product owners. In addition, her office wants to create a labeling system for development teams, which would enable them to run reports on the status of a particular functionality.

At least one bright spot is procurement of DevOps solutions. USCIS tends to gravitate toward open source software, and the agency has several low-code/no-code platforms that it is trying to expand across the enterprise, Wagner said. Likewise, CFPB does not struggle with procurement of DevOps solutions so long as it does its due diligence, checks the vendor organization’s cyber hygiene and monitors supply chain risks, Rodrigue said. On the issue of supply chain risk management, Reed said the software bill of materials and labeling requirements that are coming through the president’s May 2021 cybersecurity executive order will “work the way across the government into the civilian world, will ultimately improve everything for everybody.”