DevSecOps is Improving CX at GSA, VA

The General Services Administration and the Department of Veterans Affairs are looking to DevSecOps and Agile methodologies as the agencies develop products that ensure customers are getting the right tools at the right time.

“DevSecOps and digital transformation has fundamentally changed the way we do business,” said Derrick Curtis, senior technical advisor for VA’s Enterprise Portfolio Management Division at the Office of Information and Technology, during an ATARC virtual event. “DevSecOps has also allowed us to be more focused on our customers … throughout the process and making sure we are meeting that need, but also in IT modernization in the digital space. It has changed the way we look at refreshing our equipment and our infrastructure in a more agile methodology.”

Both GSA and VA have transformed their organizations with a “product-centered” approach, rather than “project-centered.” This shift has enabled the agencies to focus more on customer needs and develop cohesive teams around those products that support solutions throughout the entire lifecycle.

Crystal Philcox, assistant commissioner of operations at GSA’s Technology Transformation Services, said a product approach leverages methodologies like human-centered design and Agile development, both of which align with President Biden’s recent executive order on customer experience. Philcox recommended that organizations should identify a “north star,” then develop milestones around delivering use cases for real users, which will improve product functionality and quality.

“Digital transformation only happens when you are able to iterate on what users need most,” Philcox said. “It takes using a DevSecOps approach to development to ensure that you can more quickly build in security and testing as you go, you reduce your risk of errors as you go. These things like human-centered design, CX, DevSecOps — they’re separate, but they should be done together, and they complement each other.”

DevSecOps and Agile methodologies have brought newfound advantages and efficiencies to agencies. At GSA, these methodologies have enabled the agency to mitigate errors in deliverables, reduce risks in deployment and better meet customer needs. VA has improved accountability by defining product ownership and fostering collaboration across stakeholders, developers and customers.

“We really embraced and experienced this during COVID because when those requirements came to the agency that we had to quickly respond to, DevSecOps put us in a posture to where we could move agilely and quickly to deliver capabilities in weeks and sometimes days,” Curtis said. “We could not have done that in the old mode. We were in so we really grew with DevSecOps.”

In the VA, the agency’s primary top priority is protecting veterans’ data, and data is at the heart of great customer experience. Curtis said DevSecOps is “not just about running fast,” but instead takes a unified approach to security, baking it into solutions at the beginning of a product’s lifecycle, to secure solutions and information. As the agency does this, VA is using President Biden’s cybersecurity executive order as a guiding light, specifically focusing on zero trust. Zero trust has brought in a level of monitoring to ensure operations are always running properly.

“Within [the executive order] there are several security measures that you have to employ to protect your information. But DevSecOps teaming forces you to think about the how, the when and what of that implementation to make sure you carry it throughout the process,” Curtis said.

GSA is designing solutions with containerized cloud solutions and microservices to improve flexibility and driving privileged access management to improve security needed to do more complex data work. The agency has also seen successes through implementing tiger teams, which are specialized, cross-functional groups brought together to solve specific problems.

“Tiger teams, which would be a combination of our development and security folks, sitting down ahead of time, before the product development starts, and planning out how they’re going to work together seems to have solved some of the [communication challenges],” Philcox said.

Looking ahead, a top priority for is data security.

GSA is currently building out a data layer, where all authoritative data sources live. The agency is creating services in between the data layer and its application layer to provide users with real-time information and enhance self-service experiences, Philcox said.

GSA is also pulling from that data layer to create a data analytics environment with a data catalog and data visualization tools, so that the agency’s data analysts can better use AI and produce evidence. Ultimately, the data layer will enable GSA to store data once and use it many times across various projects.

“Now that zero trust is coming into this picture, that’s going to make this data layer even more powerful because we are going to have all that security built in at a very detailed data level,” Philcox said. “Secure data powers great experiences in software. That’s really what we are looking for. Certainly, on the business side, the better and the more secure your data, the better your user experience.”