A challenge for many agencies is the initial configuration of a DevSecOps environment—tools are cumbersome and require significant human resource skills.
Technology is constantly changing. Cyber threats are more sophisticated, targeted, stealthy and widespread. Meanwhile, expectations continue to rise for government agencies to deliver a user experience comparable to what the private sector offers in the digital world.
Amid this backdrop of constant change, federal decision-makers are looking for ways to sustain long-term modernization initiatives that leverage data, security and agile processes to better support their agencies’ missions. At the same time, application development teams need a faster way to build, secure, deploy and scale enterprise software products that help decision-makers achieve mission goals.
An approach that combines managed platform as a service, or MPaaS, and managed services can offer agencies acceleration to market along with the expertise, training, cost-efficiencies and economies of scale needed to realize positive business outcomes. A DevSecOps MPaaS aligns nicely with managed services, helping to ensure that agencies have access to the most advanced, secure technologies and human resources required to obtain continuous authority to operate (ATO).
DevSecOps is both a philosophy and a set of software development practices that combines software development (Dev), cybersecurity (Sec), and information technology operations (Ops). DevSecOps shortens the development lifecycle and secures the outcome by baking both cybersecurity and operational delivery/support concerns into the software requirements. Continuous integration/continuous delivery (CI/CD) automates manual configuration management processes, such as a variety of tests, quality scans, and baseline builds. This allows application development teams to deliver code changes more frequently and reliably.
A DevSecOps MPaaS offers agencies a software factory in-a-box composed of a set of integrated development, security and operations tools, as well as a catalog of pre-defined government-vetted components and technology solutions, which can accelerate the path to agency ATO.
Managed DevSecOps services add in the human experts who can configure necessary automation to move to accelerate software through the CI/CD pipeline and apply all the intelligence required to deliver hardened, quality, and authorized applications into production.
Raising the Cybersecurity Bar with DevSecOps
As Deputy Chief Information Officer Maria Roat noted in 2020, the federal government must continue to raise the bar on cybersecurity to combat the escalation of cyber threats and attacks. Cybersecurity needs to be built into everything—from software to incident response, to mitigation, to training people. As a result, the federal government has moved into a DevSecOps model that must be incorporated not just at the data layer but throughout the entire technology stack. Therefore, agency CIOs must ensure they have the workforce, tools, and processes around those tools, as well as the funding to keep cybersecurity front and center, according to Roat.
MPaaS and managed services can help CIOs overcome workforce, technology deployment and funding challenges associated with DevSecOps.
A challenge for many agencies is the initial configuration of a DevSecOps environment—tools are cumbersome and require significant human resource skills. To be effective, a DevSecOps MPaaS must provide a standardized development environment and infrastructure that can be fully launched, integrated and configured out of the box. By offering developers a single way to operate, an agency can boost scalability and streamline how the IT organization works.
Additionally, pre-integrated components let development teams accelerate project startup, onboarding and usage. This helps application development teams deliver value to end-users as quickly as possible and standardizes the agency’s approach on how to build, deploy and operate software.
Moving from Project Outputs to Business Outcomes
Managed services can help address the workforce and funding challenges agencies face in adopting DevSecOps. Most federal agencies still purchase DevSecOps services by traditional Firm Fixed-Price (FFP) and Time & Materials (T&M) contract models, focusing on project outputs instead of business outcomes. Managed services add the human experts who can automate and configure tests, security scans and continuous authority ATO packages. After initial implementation, the incremental support team is downsized appropriately to provide cost-effective scaling. At the same time, this support team is consistently up-skilling to adopt emerging technologies to deal with the evolution of persistent security threats. The countermeasures and technologies they deploy are part of the service.
Managed service providers use existing resources, methodologies and technologies in a shared pool environment. This means the services can be offered to agencies at a lesser total cost than utilizing in-house staff or traditional T&M professional services agreements.
Agencies are turning to DevSecOps to reduce software development costs by consistently embedding security and operational support concerns into the functional and non-functional system requirements, and by automating the CI/CD pipeline completely from original baseline build through testing and scanning to automation of ATO package generation.
A DevSecOps MPaaS can cost-effectively eliminate technology sprawl and accelerate DevSecOps enablement and CI/CD automation.
A Managed DevSecOps Service can cost-effectively balance and right-size DevSecOps teams for initial implementation, which focuses on integration of tooling, and sustaining enablement, which focuses on incremental automation, patching, and security defense up-skilling.
The combination of the two provides a cost-effective approach for rapid delivery of quality and hardened software into the hands of end-users for positive business outcomes.
Keith Kapp is chief technology officer for CVP.