DevSecOps approach to application development changes the way USCIS does business

The US Citizenship and Immigration Services is changing the way they approach their application development process by implementing the DevSecOps methodology. While the concept of DevSecOps is not a new idea for the USCIS, it provides a new platform for managing the agency’s critical programs Risk and Fraud Programs by utilizing the USCIS Amazon Web Services (AWS) hosting environment and other cloud environments as necessary.

Broadly speaking, the term DevSecOps represents a collaboration of development, security, and operations teams at the beginning of program development.  Instead of each team performing their processes separately within their own niches then merging them at a later date, the collaboration allows the entire process to proceed simultaneously and more efficiently. It provides for the identification and resolution of programmatic issues early in the process, rather than at the end.

Steve Grunch, USCIS Branch Chief of Enterprise Cloud Services, said in an interview with DevNation that one of the biggest drivers in bringing all three of these groups together was the support of Senior Leadership. They (Senior Leadership) recognized this new approach would allow the teams to support applications projects at scale and at the speed they needed them done, he said.

Grunch explained that typically during an application development process, the development team initiated the cycle, and at a predetermined milestone, the operations team joined the process.  This process referred to as DevOps, allowed the developers and operations team to share responsibilities and combine the workflow. Instead of a sequential process, the two once-separate teams worked simultaneously to complete the entire processes and deliver a product. Implementation occurred at a quicker pace as development stages were completed in a continuous integration/continuous delivery fashion.

However, with this method, the security portion remained out of the loop until the very end. Grunch explained, that while the DevOps approach enabled USCIS to reduce cycle times especially those that are customer/beneficiary facing, if security issues existed within the application, the rollout and implementation could be delayed until those issues were resolved. This required USCIS to change the way they do business to get more hands-on and to focus on operations.

These processes can no longer be completed separately, Grunch emphasized. Using this approach, the key is that all the pieces are embedded into one platform including security aspects.

Taking a revolutionary approach with the DevSecOps method, the security team became an equal party in the application production process from the very beginning. The security team is embedded with the development and operations team to look at how they would handle operational activities on the platform-as-a-service, and they work hand-in-hand with the developers on how best to support their application and production.

USCIS is implementing DevSecOps in four imminent Risk and Fraud Programs procurements, each valued at more than $100M. Awards are projected for Q4 FY2018. The agency previously released Draft Performance Work Statements (PWS) via GSA e-Buy to allow industry to become familiar with the requirements, share comments and submit questions. However, in a statement issued in late May, the agency announced they will not publish the questions and answers, but instead use them to finalize the PWS and solicitation.

Deltek is tracking these procurements under the following GovWin opportunities:

• Records and Identity Services Portfolio (RISPD) – GovWin Opportunity 167833
• Verification Future DevSecOps (Ver Future) – Opportunity 167842
• Risk and Fraud Analytics and Development (RFAD) – Opportunity 157852
• Risk and Fraud DevSecOps (RFDS) – Opportunity 157796

The agency anticipates issuing the solicitations around June 13, 2018, via GSA Schedule 70. The solicitations will be posted for 10 days with only a 3-day period for questions. The latest update specifically stated, “USCIS does not intend to extend the proposal submission due date.” 

Additionally, evaluations will likely include a down-select. Offerors selected from this step will be invited to participate in technical demonstrations that will occur approximately six weeks after the receipt of proposals. Selected offerors will receive notifications one week prior to the demonstrations.

Snapshot of projected Timeline:

Based on the latest update, Deltek anticipates the following procurement milestones:

• Solicitations Released: June 13, 2018
• Questions Due: June 16, 2018
• Proposals Due: June 23, 2018
• Technical Demonstrations: August 25, 2018

Note of Interest: The government-projected solicitation dates have previously slipped. Typically, the DHS Acquisition Planning Forecast System release dates are notional and highly subject to change. It is possible the solicitation dates could slip further out. If the solicitations are released on schedule, proposals will be due June 23, 2018, with technical demonstrations occurring around mid-August. This should leave ample time for an award during Q4 FY2018.  Deltek advises all GSA vendors to closely monitor their GSA portals in the days ahead.