Unpacking the Culture Behind DevSecOps at USCIS, DOD

DevSecOps is driving digital transformation journeys across both the private and public sectors by delivering faster, more scalable and modernized solutions that promote innovation, but getting there takes a collaborative approach in building the culture first.

Federal technology leaders from the U.S. Citizenship and Immigration Services and the Air Force, along with industry partners, unpacked how to successfully navigate the framework at GovernmentCIO Media & Research’s virtual event Thursday.

USCIS CTO Rob Brown, for instance, recommended that organizations’ platforms and frameworks have openness and transparency to promote a common understanding across leadership and evangelists.

“We want to provide common feedback for the limited number of resources that we do have to understand what that means, then educate those folks so they can see it in a common way across the portfolios to make meaningful choices and decisions,” Brown added.

The agency is looking to enhance the platforms that support the entire enterprise — ultimately supporting the country’s naturalization and immigration system. It will also work to codify frameworks and reusable libraries, building upon a shared developer experience and reducing redundancies that exist throughout portfolios and teams, Brown said.

USCIS will also fine tune its supply chain to provide a better understanding and common language, which will deliver greater visibility and efficiency.

It’s essential for organizations that are starting their DevSecOps journey, or those looking to improve their capabilities, to map out steps required to deliver value to the end user, said Anthony Ortega, vice president of agile software implementation with Appddiction Studio. One helpful tool is value-stream mapping exercises that can identify next steps.

DevSecOps requires constant improvements, and organizations should understand the minimum value that’s needed to deliver to an end user, said Matthew Huston, CIO and CISO at Air Force’s Platform One, a centralized team that offers managed services to the Defense Department overall.

“That is extremely important. Once you start delivering value, then you can iterate on that to ultimately secure your environment. You don’t have an end point in mind, but recognize that there will always be change,” he said.

Ryan Murray, executive technical director of digital platform strategy at ThoughtWorks, noted that customers want solutions faster and safer. DevSecOps is a cultural shift that builds software to create value for customers.

The Department of Veterans Affairs has spearheaded innovation throughout the COVID-19 pandemic. Specifically, the VA’s coronavirus chatbot reduced call center volumes by approximately 50% and delivered information to veterans efficiently. Murray added that deep technology has the potential to drive productivity across the entire department.

When implementing DevSecOps, a cutting-edge shared service with early adopters will increase transformation because that flexibility enables them to take a risk and demonstrate success, Huston said.

With that approach, he noted that “we were able to create something that went from nothing to full authorization” in just a couple months. “Injecting one good example of value added will then spread across the entire organization,” he added.

USCIS launched its Team Managed Deployment strategy, which is helping to modernize and migrate legacy systems, Brown said. This enabled teams to meet the team-managed deployment approval step for a CI/CD pipeline.

DevSecOps has enabled USCIS to achieve near-real-time engagement and results. The agency will work to expose DevSecOps capabilities across its contacts, like subject matter experts, to help with integration and experience.

With the additional speed, customers and developers are posing more creative requests that boost innovation, Murray added.

“We’re creating a ton of value while saving a ton of money at the same time, with the same investment. This is really magic stuff,” he said.

Following the transition to DevSecOps, teams and agencies must receive and maintain a continuous authority to operate. Huston noted that once an ATO is in place and accepted, it’s simple for product teams to maintain it. The most challenging part of the process is acclimating organizations to different processes.

“The biggest barrier I see is fatigue. DevSecOps is a journey. It can be a hard shift for leadership. On the path, there are a million things that can be celebrated that can make people want to move forward by maintaining that passion,” Ortega stated.

On the path forward, Murray recommended that organizations and agencies maintain openness, stating that “as the world of technology gets bigger, there are more ways to get in trouble along the way. Sharing success patterns across organizations is essential. The next step is getting early adopters out there to achieve success, then you have to scale that success.”

Within the federal space, agencies are looking to leverage platforms to ensure that they can deliver faster value and have a better understanding of what they’re building.

“We need to change how we’re structured and organized to really take this to the next level,” Huston said.

COVID-19 has shifted the way teams and agencies have operated. Following the mass transition to telework, there was an immediate need for modernized, scalable technology that could support the remote environment.

Huston said that Platform One has transitioned to 100% remote, which enabled the organization to increase its workload with greater access to engineers and product managers on a nationwide basis.

Before the onset of COVID-19, Brown noted that USCIS already had telework capabilities. The agency also went through a major technology shift across communications.

“It was cool to see the ability for these folks to quickly integrate technology into their pipelines so they could get that instant feedback. I’m working on looking at the productivity rates as a response to telework. People are working more hours. We’re seeing more engagement and more channels. We’ve been able to move forward with greater rigor than we had before,” Brown said.