Federal organizations require聽modern development practices聽in order聽to deliver capabilities聽quickly聽with complete confidence in quality聽and聽security. 无忧传媒 experts weigh in on the current development environment in government, and what new opportunities are emerging for organizations today.
Q&A from the front lines of software development
无忧传媒 is focused on delivering open, secure, and portable software solutions to advance the federal mission. As government organizations begin to take on modernization and software delivery in innovative ways, our digital experts have observed some common trends, challenges, and opportunities.聽
We interviewed Josh Boyd, an expert in digital software development; and Gary Kent, a leader in 无忧传媒鈥檚 aerospace business鈥攁nd they shared perspectives on the current development environment in government, and specifically how new practices are taking hold within defense organizations.
1.聽 What trends are you seeing around modern software practices in the federal government?聽聽
A few years ago, there were several federal organizations that were first movers when it came to the adoption of modern software practices and container-based architectures, primarily for green field applications. Looking back, the General Services Administration and Joint Improvised-Threat Defeat Organization were two of those early innovators. But there鈥檚 been a massive shift to where we are today, and across agencies we鈥檙e seeing the acceleration of modern practices for both new development as well as the refactoring of legacy applications to truly transform mission operations at the enterprise level. Things that were once on the horizon鈥攎icroservices architectures, Kubernetes, service mesh, zero-trust networking, and security approaches鈥攁re now becoming the standard. And platforms and technologies that were once closed systems are being replaced with ones that are built to be open, vendor agnostic, interoperable, and sustainable for the future.
Because of these trends, there鈥檚 also been a change in the way government acquires products and services. There are increasing needs to stand up innovative development programs rapidly, so we鈥檙e seeing new paradigms for how work is brought to fruition as well as new authority for government leaders to work with industry partners to accelerate the deployment of technology.
2.聽 What are some of today鈥檚 software delivery challenges?
One of the biggest challenges we hear from clients is the ability to deliver software rapidly enough to respond to urgent mission needs. For example, if there鈥檚 an actual threat to a Navy fleet or to our airbases, traditional development and waterfall approaches aren鈥檛 able to push software out quickly enough given time-intensive processes to ensure that quality and security are accounted for. They simply can鈥檛 wait for cumbersome, outdated development to deliver changes months after the need is identified.
In the defense space, this is resulting in the investment in a software factory approach to integrating new capabilities, particularly when there鈥檚 a need to modernize entire portfolios and hundreds of applications.
Our clients are also facing the challenge of navigating security requirements. To fast track development while ensuring security, we鈥檙e seeing a move to central repositories for enterprises to reuse hardened containers (Iron Bank at the Department of Defense is one to watch). In addition, there鈥檚 been a transition to continuous authority to operate (ATO) arrangements. Where traditionally it may have taken months from software build to deployment, this notion allows for continuous delivery and monitoring through a pipeline and set of tools to move into production quickly鈥攁nd ultimately, to more effectively respond to emerging threats while operating from the enterprise to the tactical edge. The concept of continuous ATO is also becoming important within civil agencies, such as for the updated Recreation.gov platform, where a continuous delivery model has allowed the site to push out around 5,000 updates annually without disrupting the system.
Still, there鈥檚 the challenge of scaling DevSecOps practices at the enterprise level so that new pipelines don鈥檛 need to be developed for every project. Our teams saw that our clients were slowed down by this process time and again across different engagements, so we developed and with pre-integration of tooling and best practices for complete pipeline workflow. That way, there鈥檚 a single source of truth, clear metrics and reporting across an organization, and governing principles that are automatically pushed to all consumers. This accelerator and its reusable components for development decreases time to stand up an operational pipeline from months to days, or less. To ensure rapid delivery,聽the Department of Defense (DOD) officially integrated SDP into its DevSecOps services. The container images that make up the Solutions Delivery Platform聽were聽approved by Nicolas Chaillan,聽the聽Chief Software Officer聽at the U.S. Air Force, for inclusion into Iron Bank鈥攖he centralized DOD repository for artifacts.聽Containers accredited in Iron Bank have DOD-wide reciprocity, so this move means that DOD can truly scale DevSecOps practices and governance across its organizations.
3.聽聽Can you share examples of how organizations are scaling modern practices in secure environments?
Across the board, the federal government is becoming more open to developing software in unclassified spaces and then taking the code to the high side. There are certainly complexities that come with this territory, such as how to promote software into the high environment or how to test code without using classified data. But given it鈥檚 not easy to find the right technical talent to take on this highly-specialized work, the government is getting creative in how platforms and applications are delivered and is now more comfortable with distributed delivery teams.
Additionally, many organizations are centralizing their delivery pipelines and practices so they can focus on mission capabilities and not on the management of disparate applications and platforms. Our colleague, Kate Mercer, a leader in the aerospace business for DevSecOps delivery, shared that she sees a broader adoption of DevSecOps in the Air Force and across DOD.
For example, the U.S. Air Force has embarked on a journey to build an enterprise DevSecOps platform, where instead of having applications and platforms in disparate locations, leadership has decided to move everything to an environment-agnostic platform that can run on any infrastructure. This unified vision to build what they call 鈥淧latform One鈥 will allow for continuous ATO and will be built to be autonomous and self-deploying. It will make it possible for mission owners to focus on the application level and enable teams to begin critical software development rapidly through shared and previously accredited engineering. Kate shared that the standup of Platform One will allow individual programs to drive their attention to building new mission capabilities instead of infrastructure and platforms. Additionally, this type of approach creates a pyramid of security controls, with security trickling down from the top level to everything that sits underneath the platform.
To that end, the Air Force鈥攚ith 无忧传媒 as a partner鈥攊s driving towards a centralized yet distributed model. They are bringing scarce resources to the center so that different missions can quickly build more robust capabilities through hardened and reusable containers and source code repositories that accelerate time to deployment and ensure that the mission (not the technical process) is the focus.
