From an industry partner perspective, it’s important that I observe emerging solutions and proactively anticipate agency adoption rates in order to prepare for how best to support my government customers. Over the past 25+ years in the government IT world, I have watched as some very promising solutions went “big” (e.g., mobility, cloud, AI) while others faded off into the sunset before really getting started. One thing can be certain in both cases: regardless of the solution, government adoption of any emerging solution is SLOW.
This leads me to my current state of perplexity over the government’s adoption of DevOps, and more specifically DevSecOps. According to the 2017 Federal CIO Report and other sources, one could readily conclude that the increase in DevOps adoption is steady (with 75% of federal CIO survey respondents saying it is a top priority). One would then ask, “Is there actual funding implementing this priority?” Or better yet for the vendor community, “How does this priority translate into real business opportunities today?” If I can demonstrate that DevOps solutions are being required in a broad number of government RFIs, we have our answer.
After some digging on a popular federal business opportunity website, I found that through 2017, the number of business opportunities that required “DevOps” solutions in any given year was never more than … two. At first consideration, this doesn’t seem congruent with the prioritization that the CIO report is suggesting. But then in 2018, RFIs and RFPs requiring “DevOps” solutions spiked from 2 to 27, just in the first quarter. This piqued my interest.
I then decided to explore DevOps security. I attempted to track the presence of DevOps security in federal business opportunities. One important clue about the maturity of this whole area is that there’s still tremendous variation in what to call it. Using several different variations of industry-accepted terms for DevOps security (DevOpsSec, Devopsec, DevSecOps, SecDevOps), I found eleven citations, all but one in 2018. Most were RFIs or pre-RFP notices; just two were awards. DevOps implementations appear to have taken off in early 2018, and while security is lagging in actual implementation, there’s a growing effort to at least explore the offerings.
Recently, over 45,000 of us security professionals attended the RSA Conference. RSA is always a good time to gauge what is trending in security, and to re-establish an industry baseline for technology adoption that can help determine where government adoption stands in comparison. Of the 500+ conference sessions that took place last week, 18 were searchable by the keyword “DevOps” and 9 by the word “DevSecOps”. That’s a pretty strong showing by any measure. Of course, industry as a whole is typically faster in its rate of technology adoption across the board. But while I am not a statistician, my observations and cursory research have led me to conclude that although government may be lagging industry with respect to DevOps adoption, the attention to security is actually keeping pretty close pace with this adoption.
Why Government Adoption Matters
Why does this matter? The federal government is moving strongly to the cloud, and one of the most easily cost-justified uses of cloud technology is for application development. In fact, it’s so readily cost-justified that some application development organizations may be tempted to skip a couple of steps with respect to keeping IT security and compliance in the loop. When you add DevOps to the mix, it becomes even harder for security and compliance to deliver on their requirements, because what’s in production can change every day. It’s critical that CISOs, ISSOs and auditors understand this new engineering culture and practice and proactively work with the DevOps teams to integrate security at the front end.
So here at the start of this adoption curve, I would be interested in finding out what you, the GovLoop community members, think is really happening on the DevOps and DevSecOps fronts. If you have any comments or additional statistics – either conflicting or supporting – please feel free to post. With only small numbers and cursory statistics to reference, I consider the status of DevOps and DevOps security adoption in government still uncertain.