DevSecOps is Making Army, CMS More Agile

Acquisition and technology leaders across the U.S. Army and Centers for Medicare & Medicaid Services (CMS) are leveraging DevSecOps to increase speed of solutions delivery, accelerate agility and promote a culture of innovation.

Elizabeth Schweinsberg, digital services expert at U.S. Digital Service, is helping CMS build new software, modernize older software and adopt DevSecOps practices, she said during GovCIO Media & Research’s Disruptive DevSecOps virtual event Thrusday.

“We have seen a huge shift to the cloud, and with it more agile development philosophy along with increased shared resources to help teams put the ‘security’ in ‘DevSecOps,’” Schweinsberg said.

At the Army, Jennifer Swanson, the agency’s chief systems engineer for the Assistant Secretary for Acquisition, Logistics and Technology, said that she’s focusing on contract language, upskilling the workforce and integrate automation into solutions testing as the Army continues to adopt DevSecOps. Security testing of applications plays a huge role in zero trust, Schweinsberg noted.

“Getting out in front of vulnerabilities is really going to be key to increasing the trustworthiness of applications that the government is putting out there for the public,” Schweinsberg said.

In terms of the workforce, Swanson said that the Army is leveraging both government and industry solutions to offer flexibility and choice throughout career tracks, which supports many of the agency’s retention and recruitment initiatives.

One example is the U.S. Air Force’s Digital University, which is an educational program that builds digital literacy throughout the service branch. Digital University incorporates modern content from industry, academia and government, and centralizes resources for personnel to upgrade digital fluency and develop organic technical expertise.

“That’s kind of to have curriculum choices and options. We’re also building out kind of a human-centered design approach,” Swanson said. “We’re building on those roles right now, we’re talking to [personnel], we’re doing a pilot to talk to those people… to get that validated. Then based on that, we’re going to put together a recommended curriculum.”

As agencies continue to build out their DevSecOps strategies, Schweinsberg said they’re leveraging new technologies and frameworks to accelerate solutions delivery without unduly changing proven methods. CMS is using platform as a service to provide continuous integration and continuous deployment, testing and containerization, to reduce overhead burden.

“Development teams that are newer to the DevSecOps model don’t have to become experts in it in order to use it,” Schweinsberg said. “We also hope that it will bring down the time needed to get our authorities to operate (ATOs)… We were heavily inspired by the Department of Defense’s platform one and are taking some of those lessons and tailoring it to our needs.”

Schweinsberg is also adopting CISA’s Zero Trust Maturity Model to create a framework for evaluating the maturity of applications that are running in the agency’s main cloud provider. This model enables CMS to identify small ways to improve security, then integrate those lessons learned across the agency.

“This way we can look across a bunch of applications at the same time and find really small things we can do to affect everybody’s security, or areas of education, or what tools we need to introduce at the top level to help bring the entire agency closer to optimal maturity,” Schweinsberg said. “A lot of it is more testing… and putting in guardrails around security settings.”

Automation will play a key role in testing new solutions. At the Army, Swanson said she’s focusing on automating testing to speed up solutions delivery, but one challenge with automation is building in trust. If the Army can overcome that barrier, Swanson said that that will help move her agency toward Agile development sprints in a DevSecOps pipeline.

“We can we’ve done that in lab pipelines, for example,” Swanson said. “How do we get it in the hands of users without having that be like a six month pause on what you’re doing?… It’s really just trying to figure out how to make it more agile and really shift it left.”

Moving forward, zero trust and upskilling the workforce will be key enablers to a true, successful DevSecOps pipeline.

“Zero trust is a lot about making a bunch of small tweaks to what we’re already doing to continuously get closer to the end,” Schweinsberg said.