November 30, 2024
DevSecOps and Government Cybersecurity
Here are five principles CDW Government used to shift a government agency system to a DevSecOps approach in the AWS cloud.
A federal government agency that supports critical day-to-day operations for dozens of other federal agencies was in need of a security strategy refresh. Its work includes technical support and cybersecurity, a job that has become even more crucial as the number of cyberattacks continues to increase worldwide. Facing a rising tide of threats, the agency partnered with CDW Government to move their organization into a more agile security system in the AWS cloud — and to help their entire team feel empowered to run it.
Shift to a DevSecOps Approach in the Cloud
Here are five principles CDW Government used to shift the agency’s system to a DevSecOps approach in the AWS cloud.
1. Collaborative Security Assessment and Authorization
The foundation of CDW Government’s cybersecurity methodology is assessment and authorization (A&A) support, a comprehensive analysis of an agency’s security protocols.
Security A&A requires a deep knowledge of security best practices and open communication with an agency’s internal team. Collaboration is key to success, and the CDW Government team worked closely with the agency’s Approving Officials (AOs) to define goals for the new security system, align expectations for the project, and better understand how their applications are configured and used.
2. DevSecOps Support for Agile Application Delivery
CDW Government is more than just a security provider. We also offered DevSecOps support so the agency could deliver applications and services faster — and maintain those apps over time. DevSecOps is a combination of philosophies, practices and tools that increase an organization’s ability to evolve and improve products faster than they could using traditional software development.
Since the agency had been operating under a more traditional staffing model, our first step involved creating playbooks for DevSecOps and continuous integration/continuous delivery (CI/CD) that would empower their teams to deploy new apps much more efficiently. CDW Government also improved overall platform capabilities by providing tooling that the agency’s application teams could easily integrate — instead of rebuilding. And to ensure that the agency could take full ownership of the project, the CDW Government team developed an assessment method to identify the level of adoption by various teams and propose guidelines for improvement.
3. Better Security Through Automation
Even with a strong “security first” mentality and the latest tools, organizations are only as secure as their least experienced employee — or their employee who bypasses procedure in a rush to meet a deadline. To protect the government agency from vulnerabilities caused by human error, CDW Government built automation into the agency’s day-to-day operations and applications. That means that agency employees can work smarter while staying secure.
4. Continuous Integration/Continuous Delivery
Continuous integration/continuous delivery (CI/CD) is a software development practice in which developers use a central repository to automate, test and deploy new code. As part of their DevSecOps model, CDW Government helped the agency deploy a CI/CD pipeline for Kubernetes deployments using a GitOps style, which allowed the teams to release much more rapidly.
CDW Government also set up a CI/CD pipeline for infrastructure build and security scanning. With the software development process now automated, the agency’s developers could quickly and seamlessly update applications and run new code, while being confident that the system is completely secure.
5. Continually Creating and Improving Security Processes
Security is an iterative process and guidelines are always changing — particularly at the government level. For the first year that the agency operated in their new cloud environment, the CDW Government team reviewed process documentation from all the agency’s departments and conducted interviews with staff to identify pain points and understand how operations were flowing within the organization.
Then, using their human-centered design (HCD) expertise, the CDW Government team proposed security enhancements with both the agency’s and the end-users’ needs in mind. This regular review process not only ensured systems stayed up to date, but also increased awareness among the agency’s team members about their own standard operating procedures — which led to greater fidelity and compliance overall.
Agile Security in the AWS Cloud
Since deploying their cloud-based security system, this government agency has reduced its security risk overall and consistently come in under budget for cybersecurity expenses. And, thanks to the training and support from CDW Government, the agency team feels confident in their ability to evolve their cybersecurity protocols, keeping their systems — and the systems of partner agencies — safe from malicious intruders.