Federal agencies are continuously looking for ways to deliver software system end-user value more rapidly, securely, and cost-effectively to further enable their missions and modernize their technologies.

To maximize the value of their spending on information technology and services, federal decision-makers should consider shifting their focus from traditional project metrics and outputs to the eventual business outcomes. The private sector has successfully done so in part by utilizing managed services as a cost-effective means of purchasing repeatable services at unit cost. In contrast, federal agencies still tend to purchase IT services as full-time equivalent (FTE) workers under hourly cost contracts, without reaping the benefits of proportionate cost advantages and economies of scale.

DevSecOps is one area that lends itself nicely to managed services. DevSecOps is both a philosophy and a set of software development practices that combines software development (Dev), cybersecurity (Sec), and information technology operations (Ops) to shorten the development lifecycle and secure the outcome. Continuous integration and continuous delivery (CI/CD) incorporates a set of operating principles and a collection of practices that enable application development teams to deliver code changes more frequently and reliably.

The Ops in DevSecOps embeds operational considerations for authority to operate (ATO), deployment, and sustaining maintenance into the software requirements and resulting products.
The Sec in DevSecOps bakes cybersecurity concerns into the software requirements and products in lieu of bolting protective measures onto the perimeter afterwards.
The CI/CD pipeline automates what once were manual configuration management processes, such as a variety of tests, quality scans, and baseline builds.

Acquiring DevSecOps as a managed service provides agencies with the opportunity, at recurring unit cost, to fully enable and sustain DevSecOps and continuous integration and continuous delivery (CI/CD) while leveraging the economies of scale, diversity of skills, best practices, and cost efficiencies of managed services. These services accelerate the installation and configuration of development, test, and production environments via automation of the CI/CD pipeline. At the same time, this approach can ensure that the governing service-level agreements (SLAs) are more closely aligned with business outcomes. 

Growing Recognition of the Need for DevSecOps

Cyberattacks are becoming more sophisticated, targeted, widespread, and harder to detect, driving home the point that cybersecurity must be baked into every phase of the software development lifecycle. Moreover, as federal agencies pursue IT modernization initiatives and speed up the adoption of cloud-based solutions, development teams need agile methods to deliver better and more secure code faster and cheaper.

“To realize not only the security benefits of cloud infrastructure, but also its benefits related to scalability and speed-to-market, agencies should utilize mature agile development practices, including DevSecOps,” according to the report to the President on Federal IT Modernization, released in 2017. 
The report also points out that the use of automated and assistive technologies such as artificial intelligence (AI) and machine learning (ML) can help agencies further improve security.

Accelerating cloud adoption is a key part of the Department of Homeland Security’s (DHS) modernization strategy. DevSecOps allows the department to maintain a viable telework environment while modernizing and transforming its tech assets, according to DHS Deputy CIO Beth Cappello.

Adoption of agile methods and integrated security practices like DevSecOps that encourage sharing, reuse, and agile delivery of IT solutions is a priority of the U.S. Food and Drug Administration’s (FDA) Technology Modernization Action Plan (TMAP). The TMAP provides a technology foundation for the development of the FDA’s ongoing data strategy, which will accelerate the path to better therapeutic options for patients and clinical providers and better tools to improve public health, according to FDA officials.

Meanwhile, the U.S. Citizenship and Immigration Services (USCIS) has embraced DevSecOps to facilitate the modernization and migration of legacy systems, while defense services such as the Air Force and Navy have stood up DevSecOps platforms to manage software factories for development teams and/or to bake security into new software.

Overcoming DevSecOps Challenges

An obstacle that can hamper deployment of DevSecOps is that the initial configuration of environments and tools is cumbersome and requires a significant number of skilled staff. Plus, most federal agencies still purchase DevSecOps services through traditional Firm Fixed-Price (FFP) and Time & Materials (T&M) contract models, focusing on project outputs in lieu of business outcomes.

The challenge for most organizations is the front-loaded investment in personnel and skills/training required for the initial configuration of the environments, followed by a natural reduction in demand for these skills and a shift to incremental training and awareness for smaller sustaining maintenance teams. A solution for many organizations is to turn to Managed DevSecOps Services, where skilled resources lie in wait to accelerate the journey to full DevSecOps and CI/CD enablement, and then organically downsize and refocus appropriately for steady-state operations.

After automated tests, security scans, and continuous ATO packages are configured and implemented, the incremental support team is downsized appropriately to provide cost-effective scaling of resources. Meanwhile, that support team is consistently up-skilling to handle the persistent evolution of security threats, deploying countering defenses and emerging technologies as part of the service. 

Since Managed DevSecOps Services providers use existing resources, methodologies, and technologies in a shared pool environment, the services can be offered to agencies and corporations at a lower total cost than utilizing in-house staff or traditional time and materials professional services agreements. Plus, shared pool environments easily leverage best practices and standards forged through a diversity of experiences. Managed DevSecOps Services offerings can be administered within an agency’s public cloud, private cloud, or on-premises data centers, and are equally effective when layered upon a hosted Platform-as-a-Service (PaaS) environment.

Managed DevSecOps Services Value

Most federal agencies have adopted DevSecOps to a degree, but for those just leaning in, here are the value propositions for Managed DevSecOps Services.

Managed DevSecOps Services offers the ability to elevate staff efficiencies, shift oversight focus upwards, and increase cost optimization within DevSecOps, leveraging:
Appropriate staff levels during surge for installation, configuration, and issue triage versus steady-state for incremental operations
Continuous up-skilling of staff to align with and adopt emerging technologies and to defend against and prevent evolving cybersecurity threats
Experiences gained and best practices forged in other engagements and environments
Service level agreements aligned with business outcomes, not project milestones and outputs

Bottom Line

Managed DevSecOps Services allow agencies to accelerate their journey to DevSecOps enablement and to do so cost-effectively. Agency development teams can lean on a shared pool of skilled resources and the existence of best practices, standards, and optimized tools.

As the focus continues to shift from the traditional measurements of software development projects (such as scope, schedule, and cost metrics) to the business outcomes and impacts of the resulting applications (such as availability, efficacy, and tangible impact on agency and corporate missions), the adoption of Managed DevSecOps Services and CI/CD approaches will gain greater importance and return greater value.

This article appears in the Spring 2021 Service Contractor.