Federal agencies exist to serve the American public. Part of this service includes creating and deploying non-sensitive software and applications that improve efficiency within agencies and for the public. However, deploying these applications has historically been a slow process — so slow, in fact, that agencies face the risk of both employees and the public turning elsewhere to get the online services they need. With a mandate by the current Administration to speed up federal cloud deployments, it’s critical that agencies find a way to speed up their ability to deploy digital services. But how?
18F is a digital consultancy within the United States federal government for federal agencies. It focuses on agile user-centered design and cloud platforms to enable agencies to create software and applications. Like private development firms, 18F found it could quickly create software but, unlike in the private sector, compliance caused major delays in deploying those new services to the public.
“If we can make software and iterations faster and faster, but can’t deploy [quickly enough], then what’s the point? All we’ve done is feed a bottleneck,” explained Bret Mogilefsky of 18F at a Cloud Foundry conference. The question became: What could 18F do to speed up this process?
Deploying a digital service in government is similar to doing so in the private sector: procure and configure servers, set up any backing services, deploy the application, test the application, and run security scans. But then the government runs into unique requirements, like documenting the entire stack, documentation that can run up to 1,000 pages. This process requires knowledge of more than 4,000 pages of regulations, laws and risk management policies. Typically, federal agencies have compliance experts who must review this documentation and grant approval or request changes. It can take six to 14 months to get authority to operate (ATO), and then you still need to deploy the application.
The result is that development teams spend the majority of their time navigating compliance to get ATO, and minimal time actually developing software and services. This can negatively impact development teams’ morale and momentum, and also can make it very difficult to recruit and retain developer talent, since they cannot iterate software as fast as the private sector can.
“Speed also equals security,” Mogilefsky pointed out. “The speed with which you can deploy a change or fix is huge. We know there is no such thing as a secure system; there are only systems that haven’t been broken yet or vulnerabilities we aren’t aware of yet. So speed is a huge factor in making these systems secure.”
18F knew that to quickly deploy services for agencies that serve the American public, each agency could not operate as a silo.
With the advent of 18F, the government agencies had the revelation that everyone was struggling with the same issue. It became clear that it was time to disrupt infrastructure and compliance in government to solve this problem across the board.
The solution was to create cloud.gov, an open source cloud-based platform. Cloud.gov is a secure, fully compliant PaaS that helps federal agencies deliver services in a faster, more user-centric way. It empowers development teams to focus on products that serve their agency’s mission, without needing to manage the underlying server infrastructure. Cloud.gov has “built-in compliance support to help create the documentation and continuing assurance necessary for federal services to comply with FISMA regulations and agency-specific ‘Authority to Operate’ (ATO) requirements,” states the cloud.gov website.
Today, Cloud.gov is one of eight Cloud Foundry Certified Providers.
Mogilefsky explained that 18F opted for open source due to difficulties among vendors when working with the federal government. “Open source lets the open source community of developers help us innovate while we do everything possible to make sure compliance requirements are built in.”
Compliance should be lightweight and incremental, not a time-consuming process that negatively impacts developers’ morale and innovation and prevents the government from retaining top talent.
“Developers should have high confidence when entering the compliance process,” Mogilefsky stated. “Cloud.gov helps agencies imagine how things can be easier and lets us demonstrate how easily they can shift their culture to be more agile.”