The U.S. Department of Homeland Security announced it has awarded startup GovReady a $1.1M certification and accreditation contract that will be critical to bringing an open source approach to security.
“GovReady will develop tools to help developers through the C&A process and in doing so open the door for more secure, compliant and quality software systems,” said DHS in announcing the award.
“The C&A process is essential, but, in its current state, unnecessarily difficult for small businesses to navigate,” said Homeland Open Security Technology Program Manager Dr. Dan Massey. “This project will help to even the playing field between large and small business by giving everyone an opportunity to provide software to the government.”
Enabling internal government tech shops to quickly stand up applications in a secure testing environment is fundamental to quick prototyping, and 18F’s new Cloud.gov is a major step in realizing ultimate IT flexibility.
I reached out to GovReady founder Greg Elin who is working on “making FISMA a platform instead of paperwork,” and he replied with the following comments that are better than anything I could say on the subject:
For most of the past 20 years, the CIO Council, NIST, and most agency IT shops have focused on policies and procedures to provide contractual requirements for vendors doing the work. That’s not criticizing anyone, it’s how the system was set up. The CIO Council’s authority is to provide recommendations–not write code. NIST’s mission is to advance measurement science and standards development–not build platforms.
Take the CIO Council’s enterprise architecture efforts or NIST’s Risk Management Framework as examples. They provide incredibly rich, comprehensive expert guidance distributed in documents. Unfortunately, contracts, contractors and projects implement the guidance differently enough that interoperability and reusability rarely occur between bureaus or across agencies. In contrast, over the past decade in the private sector and on the Internet, knowledge has become immediately actionable via open source, APIs and GitHub repos. It’s a golden era of shared solutions powered by StackOverflows and code snippets, package managers and Docker containers.
If 18F’s Cloud.gov succeeds at encompassing official policies and regulations into loosely coupled running code, then contracts are easier to write, vendors aren’t constantly reinventing things, and projects happen faster.
Learn more about Cloud.gov.