How can government agencies move from old-school application development to an agile, streamlined software factory model? On February 24, 2022, Simon Szykman, senior vice president for client growth at Maximus, moderated a panel of government technology experts to answer that question. In a webinar hosted by Maximus and ACT-IAC, Szykman asked four guests to speak on new approaches in DevSecOps, continuous authority to operate (ATO), and the factors—beyond technology—that agencies must consider as they develop software for their end-users. Here are some of the insights that panelists offered:
- Recognize the path you are undertaking, and incorporate culture and lessons learned
When it comes to modernization in the cloud, there are generally two paths that government agencies take: building an application from scratch or modernizing a legacy application by migrating it to the cloud. One of these approaches is more straightforward than the other, notes Jamie Holcombe, Chief Information Officer for the USPTO. “To use a building analogy, it’s easier to raze an old barn than to renovate it,” Holcombe says. “Especially given the fact that with software, you have to keep it running while you renovate.”
However, just because building from a clean slate is simpler technically doesn’t mean it will work culturally. Allen Samuel, Director of Modernization and Innovation in Public Buildings Service at the GSA, notes that a considerable part of DevSecOps success relies on that last component: operations. “While IT staff might be excited about a new application, other employees may be reluctant to change their routines,” Samuel says. Ultimately, the best approach is the one that considers both technology and culture. That means bringing in familiar workflows and processes, at least initially. “Even if you throw the old application out and start over,” adds Holcombe, “if you don’t take the business rules from the old and apply it to the new, you should expect crazy cultural pushback.”
- Low-code/no-code platforms and CI/CD pipelines can accelerate your time to market
One of the critical differentiators between standard application development and a software factory approach is speed—but what does it take to accelerate your time to market and produce quality software faster? According to Daniel McCune, Executive Director of the Enterprise Portfolio Management Division for the Department of Veterans Affairs, low-code/no-code platforms are the answer. This approach to application development uses a visual interface that lets developers drag and drop components to create custom mobile and web apps.
“As the largest federal IT shop in the government, we have developed our own homegrown core applications,” explains McCune, “but they aren’t scalable. Right now, the demand from our customers far exceeds our capacity to deliver custom code solutions. With low-code/no-code, we’ve seen an 8x improvement in speed so far.”
Samuel adds that a robust continuous integration and continuous delivery (CI/CD) pipeline can transform time to value for agencies because it automates much of the development process. “We can make updates in as little as 12 days now, thanks to our CI/CD pipeline,” says Samuel. “That means we can get feedback from users and iterate faster to deliver solutions to the customer quicker.”
- User-centered design is critical for success
Technology experts today know that building software is about more than just technology—to be successful, you must first understand your users. For this reason, many agencies are now bringing user-centered design principles into their application development to ensure that every product is accessible and addresses user pain points. For McCune and his team, moving to a user-centered perspective means shifting from “project management” to “product management.”
“We’ve been working on offering cradle-to-grave support for our products and applications,” McCune explains. “One team owns the entire lifecycle of the product, which allows them to work directly with the customer at every step in the process.” By taking this user-centered approach, McCune can decrease both cycle time and downtime.
But that’s not the only box to check for user experience, says Srinivas Manepalli, senior solutions architect for Amazon Web Services. “During transitions like this, users need guidance from leadership,” Manepalli says. “A user-centered application is great, but you also need to support customers by enforcing and guiding cultural changes. Without that, it’s hard to implement software effectively.”
- To overcome the arduous ATO process, bake security into your infrastructure
Finally, the panelists weighed in on a topic that is unique to the government: achieving authority to operate (ATO). All applications must acquire and maintain security authorization in order to be put into production by the government. And, as Holcombe notes, “that can be an onerous process.” According to Holcombe, the old way of meeting compliance simply takes too long—which is why many organizations are turning to continuous ATO as a new model.
“You need to bake your security into your design phase,” Holcombe explains. “Then, whenever something changes, conduct an audit on the new capabilities as part of one of your sprints, so that ATO is taken care of during the lifecycle of the product—not as an afterthought.”
Manepalli adds that working with existing services and platforms that are already compliant with FedRAMP or DoD security baselines can also save time and money. “Many services are FedRAMP- or DoD-approved—why not use them?” he says. “If you aren’t sure where to start, work with a technology partner to find approved services that will make continuous ATO easier.”
As government agencies take on a new role as software developers, they face unique challenges—but they also benefit from the insight and direction of a clear, well-defined mission. Ultimately, Szykman and the panelists encourage government technology leaders to keep the end-user in mind, no matter what. “Don’t go into the battle [focused on] the stuff you want,” cautions Holcombe, “go with what works. Tools are just tools—the most important thing is developing software that serves your mission and your customers.”
Switching to a software factory mindset is a huge transition for government agencies, but you don’t have to go it alone. To learn more, view the entire webinar here, or visit https://maximus.com/federal for information on how we can help.