DevOps is one of those buzzwords that has been thrown around inside the federal government lately almost as often as “cloud.” Yet a group of federal officials who wholeheartedly support DevOps said during a panel discussion at the 2016 GITEC Summit in Baltimore that the methodology will change IT culture within agencies.
What is DevOps? Put most simply, it’s a way of thinking that encourages software developers to work with IT operations staff on testing and quality assurance to develop software more quickly and automate infrastructure changes. It’s a collaborative mentality designed to produce software faster and more efficiently. And, officials said, it’s revolutionary in its own way.
Michael Fairless, branch chief at the Securities and Exchange Commission, said that agencies implementing DevOps should embrace skeptics of the approach and answer all of their questions. In fact, he said, skepticism should be encouraged. “Every team should have at least one skeptic, and probably 10 if you can get them,” he said.
Fairless also said agencies should “empower our innovators” and “get people who are thinking about things in ways that no one else is thinking about.”
Jim Tunnessen, chief technology officer for the Food Safety and Inspection Service at the Department of Agriculture, said that within CIOs’ offices, for those working on DevOps, “everyone’s job is to challenge the status quo.”
“We have proved numerous times that the status quo doesn’t work,” he added. “There is always a way for improvement. There is always a way to do things better.”
Outside of the CIO’s office, Tunnessen said, those who are advocating for a DevOps approach should focus less on the technical specifics and more on marketing the benefits to agency leaders. “Nobody cares how we do it, they just want to know the benefit to it,” he said.
Fairless pointed out, as a hypothetical example, that an agency could spend $1 million to do a project under a DevOps model in six months and make a dozen mistakes, but correct them more quickly. Or, the agency could spend $20 million to do the same project over 18 months in a more traditional developmental model, and then discover mistakes months down the road and have to add six months to a contract to fix all of the bugs.
“We need to tell people that they are going to change,” Tunnessen said. “The environment is changing, we’re all going to change. Don’t worry, we’ll all evolve together. This is how it’s going to work from here on out.”
For agencies that worry about what will happen to their engineers after problems have been fixed under a DevOps model, and projects that used to take 18 months are now done in six to eight weeks, Fairless said agency IT leaders should shift their employees’ focus.
“Sit them down with customers. Ask them questions like they have never been asked before: What is it that you do?” he said, sardonically.
“I wish I could call it a best practice. We’re not there yet,” Fairless said. “We’ve got a long way to go. But it really does come down to, if you are going to tell people ‘you will change,’ then you will do it.”
Kevin Greene, program manager of the cybersecurity division at the Department of Homeland Security’s Science and Technology Directorate, said that as agencies embrace DevOps, it’s critical to keep security in mind and have security-conscious workers on the development teams.
The goal, Greene said, should be to get developers to create software with security and resilience in mind from the start, which he acknowledged is sometimes difficult to achieve.
How can it be done? Greene advised creating an environment of “transparency and trust” and also providing developers with security training and awareness. Additionally, he said, risk management has to be taken into account.
John Murphy, DevOps and infrastructure lead at NGA Research in the National Geospatial-Intelligence Agency, said “security folks are at a premium,” and qualified security personnel are often few and far between. Therefore, he said, being able to automate security testing is key.
Murphy added that developers create a lot of code but should be judged on the quality, not on the volume, and said he has had to advise developers to slow down and keep security in mind.