Booz Allen is focused on delivering open, secure, and portable software solutions to advance the federal mission. As government organizations begin to take on modernization and software delivery in innovative ways, our digital experts have observed some common trends, challenges, and opportunities.
We interviewed Josh Boyd, an expert in digital software development, and Gary Kent, a leader in Booz Allen’s aerospace business. They shared perspectives on the current development environment in government, and specifically on how new practices are taking hold within defense organizations.
1. What trends are you seeing around modern software practices in the Federal Government?
A few years ago, there were several federal organizations that were first movers when it came to the adoption of modern software practices and container-based architectures, primarily for greenfield applications. Looking back, the General Services Administration and Joint Improvised-Threat Defeat Organization were two of those early innovators. But there’s been a massive shift to where we are today, and across agencies we’re seeing the acceleration of modern practices for both new development as well as the refactoring of legacy applications to truly transform mission operations at the enterprise level. Things that were once on the horizon—microservices architectures, Kubernetes, service mesh, zero-trust networking and security approaches—are now becoming the standard. And platforms and technologies that were once closed systems are being replaced with ones that are built to be open, vendor agnostic, interoperable, and sustainable for the future.
Because of these trends, there’s also been a change in the way government acquires products and services. There are increasing needs to stand up innovative development programs rapidly, so we’re seeing new paradigms for how work is brought to fruition as well as new authority for government leaders to work with industry partners to accelerate deployment of technology.
2. What are some of today’s software delivery challenges?
One of the biggest challenges we hear from clients is the ability to deliver software rapidly enough to respond to urgent mission needs. For example, if there’s an actual threat to a Navy fleet or to our airbases, traditional development and waterfall approaches aren’t able to push software out quickly enough given time-intensive processes to ensure that quality and security are accounted for. They simply can’t wait for cumbersome, outdated development to deliver changes months after the need is identified.
In the defense space, this is resulting in the investment in a software factory approach to integrate new capabilities, particularly when there’s a need to modernize entire portfolios and hundreds of applications.
Our clients are also facing the challenge of navigating security requirements. To fast track development while ensuring security, we’re seeing a move to central repositories for enterprises to reuse hardened containers (Iron Bank at the Department of Defense is one to watch). In addition, there’s been a transition to continuous authority to operate (ATO) arrangements. Where traditionally it may have taken months from software build to deployment, this notion allows for continuous delivery and monitoring through a pipeline and set of tools to move into production quickly—and ultimately, to more effectively respond to emerging threats while operating from the enterprise to the tactical edge. The concept of continuous ATO is also becoming important within civil agencies, such as for the updated Recreation.gov platform, where a continuous delivery model has allowed the site to push out around 5,000 updates annually without disrupting the system.
Still, there’s the challenge of scaling DevSecOps practices at the enterprise level so that new pipelines don’t need to be developed for every project. Our teams saw that our clients were slowed down by this process time and again across different engagements, so we developed and open-sourced the Solutions Delivery Platform (SDP), a DevSecOps pipeline framework with pre-integration of tooling and best practices for complete pipeline workflow. That way, there’s a single source of truth, clear metrics and reporting across an organization, and governing principles that are automatically pushed to all consumers. This accelerator and its reusable components for development decrease the time to stand up an operational pipeline from months to days, or less. To ensure rapid delivery, the Department of Defense (DoD) officially integrated SDP into its DevSecOps services. The container images that make up the Solutions Delivery Platform were approved by Nicolas Chaillan, the Chief Software Officer at the U.S. Air Force, for inclusion into Iron Bank—the centralized DoD repository for artifacts. Containers accredited in Iron Bank have DoD-wide reciprocity, so this move means that DoD can truly scale DevSecOps practices and governance across its organizations.
3. Can you share examples of how organizations are scaling modern practices in secure environments?
Across the board, the Federal Government is becoming more open to developing software in unclassified spaces and then taking the code to the high side. There are certainly complexities that come with this territory, such as how to promote software into the high environment or how to test code without using classified data. But given it’s not easy to find the right technical talent to take on this highly specialized work, the government is getting creative in how platforms and applications are delivered and is now more comfortable with distributed delivery teams.
Additionally, many organizations are centralizing their delivery pipelines and practices so they can focus on mission capabilities and not on the management of disparate applications and platforms. Our colleague, Kate Mercer, a leader in the aerospace business for DevSecOps delivery, shared that she sees a broader adoption of DevSecOps in the Air Force and across DoD.
For example, the U.S. Air Force has embarked on a journey to build an enterprise DevSecOps platform, where instead of having applications and platforms in disparate locations, leadership has decided to move everything to an environment-agnostic platform that can run on any infrastructure. This unified vision to build what they call “Platform One” will allow for continuous ATO and will be built to be autonomous and self-deploying. It will make it possible for mission owners to focus on the application level and enable teams to begin critical software development rapidly through shared and previously accredited engineering. Kate shared that the standup of Platform One will allow individual programs to drive their attention to building new mission capabilities instead of infrastructure and platforms. Additionally, this type of approach creates a pyramid of security controls, with security trickling down from the top level to everything that sits underneath the platform.
To that end, the Air Force—with Booz Allen as a partner—is driving towards a centralized yet distributed model. They are bringing scarce resources to the center so that different missions can quickly build more robust capabilities through hardened and reusable containers and source code repositories that accelerate time to deployment and ensure that the mission (not the technical process) is the focus.