DevSecOps is fueling agencies’ cloud migrations

(FedScoop)

Share

Written by

Agencies have increasingly migrated to the cloud to expand their DevSecOps efforts over the last few years, according to federal officials.

Both the Bureau of Information Resource Management within the State Department and the Navy moved to the cloud to automate processes, integrate security into the software development process and deploy updates faster.

The embrace of the cloud as an enabler of DevSecOps and cybersecurity more broadly represents an evolution in agencies’ approaches to the technology.

“Two years ago the biggest driver was ‘my boss told me to,'” said Tom Santucci, director of IT modernization within the Office of Government-wide Policy within the General Services Administration, during an ATARC event. “Now people are starting to see the benefits of this.”

IRM functions as the main provider of IT resources, from infrastructure to messaging, for the State Department, and its Systems Development Division deploys software solutions for any domestic or overseas office with a business need. The bureau moved its previously separate development and production environments to the cloud over the last few years to bridge the two.

Now IRM can not only run up a build agent in the development environment to automate tests or scans but actually create a pipeline to push it to the staging or production environments for users.

“It was possible before the cloud, but it was a larger tactical effort and a larger security effort because you had differences between environments,” said David Vergano, systems development division chief of IRM, during a FedInsider event. “So the cloud backbone is helping to make things smoother, and now we can really try to change how we do things because we have the tooling.”

The department’s other offices come to Vergano with the particular cloud products they want to use, and he advises them to use Federal Risk and Authorization Management Program-certified tools to smooth acquisition and ensure security.

Like IRM, the Naval Information Warfare Systems Command’s (NAVWAR’s) Program Executive Office for Digital and Enterprise Services (PEO Digital) is delivering environments that can be built once and adapted to multiple use cases. Cloud platforms that enable continuous integration/continuous deployment (CI/CD) and DevSecOps make that work easier, but migration isn’t always immediately affordable.

“In [the Department of Defense], nobody has buckets of funding laying around to dump into modernizing their architectures so that everyone in July 2021 can move toward containers and microservices,” said Taryn Gillison, program executive director of the digital platform application services portfolio.

Alternatively, PEO Digital is developing enabling capabilities like Naval Identity Services, infrastructure as code (IaC) and middleware.

If PEO Digital can automate testing and tools for the Navy’s various components, it allows them to shift focus to modernization, Gillison said.

Hurdles remain for NAVWAR, however — namely installation timelines. Gillison said she’s “impatient” to see cloud-to-ship software pushes and other policy changes happen more broadly.

In the prior six to 12 months, 52% of IT executives at public sector organizations said they’d chosen a new cloud provider, according to an Ensono report from June. That number jumped to 85% in the prior 24 months, with 78% of public sector respondents citing security as a concern.

With most public sector organizations managing their cloud environments centrally, a multi-cloud model prevails — largely due to the flexibility it affords agencies, Clint Dean, a vice president at Ensono, told FedScoop.

That jives with DOD canceling its $10 billion Joint Enterprise Defense Infrastructure (JEDI) cloud procurement, citing its intent to launch the multi-cloud, multi-vendor Joint Warfighter Cloud Capability (JWCC) environment.

“As much as Amazon, Microsoft and Google would have us believe, maybe there’s not as much brand loyalty as folks think there is,” Dean said.

-In this Story-

ATARC, automation, Bureau of Information Resource Management, Cloud, Cloud Special Report, continuous integration/continuous deployment (CI/CD), Cybersecurity, David Vergano, Department of Defense (DOD), DevSecOps, Ensono, Federal Risk and Authorization Management Program, General Services Administration (GSA), information technology, infrastructure as code (IaC), Joint Enterprise Defense Infrastructure (JEDI), Joint Warfighter Cloud Capability (JWCC), middleware, Naval Identity Services, Naval Information Warfare Systems Command (NAVWAR), Navy, Office of Government-wide Policy (OGP), Program Executive Office for Digital and Enterprise Services (PEO Digital), State Department, Taryn Gillison, Thomas Santucci
TwitterFacebookLinkedInRedditGmail