When it comes to software development, government agencies fall into one of two camps.
Either they’re committed to doing their own programming using federal employees, or they’re committed to using commercial off-the-shelf (COTS) products — as is, or customized to some degree for federal use.
I oversimplify. But I’ve noticed a trend in recent years connected to the rise in next-generation applications, or to use the vernacular, digital services. This trend is also connected to the rise in agile development and dev/ops. That is, the idea of doing small pieces of software at a time and making sure they’re right before moving to the next piece.
The Air Force, for instance, is back into the blue-shirted coder mode big time. I can remember when, at the old Air Force IT conferences in Montgomery, Alabama, the top officers emphasized COTS and contracted-out programming. In my recent interviews with Will Roper, the assistant secretary for acquisition, technology and logistics, he noted the growing number of airmen “writing quality code.” In fact he’s helping establish a career track for software coding.
Likewise, U.S. Citizenship and Immigration Services people do a lot of their own programming. Chief Information Security Officer Shane Barney noted this on a recent AFCEA Bethesda panel, and to me in interviews last fall. USCIS has been chipping away at digitizing its many forms and updating the processes behind them digitally, writing application programming interfaces and integrating existing applications.
Virtualization has made everything software. Software-defined networks and storage now combine with virtualized applications and operating systems to create workloads agencies, at least in theory, can shove from cloud to cloud as needed. Or they can spin up and down instances according to hourly, monthly or seasonal demand.
The degree to which agencies stride into programming potentially affects how they regard COTS software. At AFCEA, an audience member asked whether Barney would consider a purpose-built federal application from a vendor.
“Probably not,” he answered. He added that unless such a package integrated perfectly with USCIS-developed systems already in place, and the vendor would include its API, the software pitch wouldn’t get much traction from USCIS.
By contrast, Togai Andrews, the chief information security officer at FEMA and the other panelist, gave a more traditional answer. He said he’d gladly accept a “90% solution” even if it meant modifying a FEMA process to match what a capable commercial or commercially-developed application can do.
So the federal computing basic model has turned again. It used to be, industry develops and government hosts. Now, for some agencies, it’s government develops and industry hosts in the clouds.
The cloud smart, née cloud first policy and the Digital Service establishment of the Obama administration set this change in motion. The agile, step-by-step methodology ensures agencies don’t launch their own five-year, million-line projects that don’t come out.
Which approach an agency adopts has a big effect on contractors. Those selling development services will have to compete against in-house capabilities treasured by the customer. Those selling COTS packages will have to compete against the integration capabilities an agency might have in-house.
Agency tech staffs, and the programs they support with coding, need to have a long term view. The case for commercial software is that the vendor does the updating, even though for enterprise type software you’ve generally got to pay for major upgrades. The case for commercial software-as-a-service is that, for your subscription, whatever you log on to that morning is the latest, most bug-free version.
For software developed in house, bug fixes, maintenance, documentation, updates and all the rest of it falls on the agency. Are they prepared?
Existential question of the day
If you get a headquarters e-mail telling you you’ve been enrolled in mandatory anti-phishing training, and there’s a link to the training in the e-mail, how do you know that e-mail itself is not a phishing scheme? Sometimes you have to talk to the IT guys directly.