The Top 10 DevSecOps Events for Government in 2025

Posted on by Rich Savage

In the modern digital age, security practices must keep pace with the rapid speed of software development. DevSecOps revolutionizes this by embedding security into every phase of the development lifecycle, ensuring that security is a shared responsibility from the very start. This approach is particularly crucial for the Public Sector, where agencies build and deploy software that must meet continuously evolving security standards.

Carahsoft Technology Corp., The Trusted Government IT Solutions Provider®, features numerous solutions for Government IT decision-makers, industry and vendor partners and technology thought leaders, including those in DevOps and DevSecOps Solutions and Services. At several key events Carahsoft is participating at this year, attendees will learn about security best practices, discuss emerging trends, take part in hands-on workshops and much more, ensuring agencies stay up to date with the latest developments in DevSecOps and cybersecurity. Here are the top events to watch for in 2025.

RSA Conference 2025

April 28-May 1 | San Francisco, CA | In-Person Event

Through technical sessions, hands-on labs and connecting with top professionals, attendees will discover unparalleled opportunities for networking, as well as insights into cutting-edge cybersecurity technologies, best practices and strategies to protect against evolving threats. Attendees should look for sessions that cover data protection, Zero Trust initiatives and AI applications in cybersecurity.

As a proud key participant in the RSA Conference, Carahsoft partners with leading cybersecurity vendors to offer tailored solutions that address the unique needs of Federal, State and Local agencies. Carahsoft is also excited to host the 12th Annual RSA Public Sector Day at RSA Conference on Monday, April 28. This year’s program will examine key areas such as developing a strong cybersecurity workforce, understanding the impact of AI on both offensive and defensive cyber operations and improving the exchange of information among government entities. Following RSA Conference on Tuesday, April 29 Carahsoft is hosting our Public Sector Reception from 6:00 pm – 9:00 pm at The Conservatory at One Sansome.

Offset Symposium 2025 by Second Front Systems

May 15 | Washington, D.C. | In-Person Event

This symposium features cutting-edge solutions in areas such as AI, cybersecurity and advanced software systems, giving Government, defense and industry leaders the opportunity to explore the latest innovations in national security and defense technology. Attendees will gain insights from thought leaders, participate in hands-on demonstrations and engage in high-level discussions aimed at driving defense capabilities forward.

Sessions to look out for:

The Future of Strategic Offsets – Bridging Technology and Defense

AI-Powered Defense Solutions

Cyber Resiliency in Modern Warfare

The Role of Open Source in Defense Innovation

As a Platinum Sponsor, Carahsoft will showcase its expertise in defense solutions through an interactive booth, speaking engagements and a VIP networking session. Be sure to stop by our booth and speak with one of our team members!

AWS Public Sector Summit

June 10-11 | Washington, D.C. | In-Person Event

Carahsoft Top DevSecOps Events Blog Embedded Image 2025

To meet the unique challenges of the Public Sector, this summit brings together Government, education and nonprofit leaders to explore the latest cloud innovations and solutions. Attendees will gain insights from industry experts, participate in hands-on workshops and learn how AWS enables organizations to accelerate their digital transformation, enhance security, integrate cloud security solutions into DevSecOps and improve mission outcomes.

Join Carahsoft, a leading distributor of cloud solutions to the Public Sector and a trusted AWS partner, in DC and stop by our Carahsoft Pavilion, featuring our vendors Anchore, Hashicorp, Hyland, Rackspace, Second Front and more. Join us after the first day of the summit on June 10 for a networking event just a short walk away at Planet Word Museum!

Carahsoft’s DevSecOps Conference

July 29 | Reston, VA | In-Person Event

Our premier event will explore the integration of security into the development lifecycle, leveraging automation, compliance frameworks and modern tools to enhance operational efficiency. Attendees gain actionable insights into trends, challenges and best practices for secure application delivery, legacy system modernization and meeting compliance mandates, fostering collaboration and innovation across the Government technology landscape.

This Carahsoft-hosted conference features fireside chats, presentations and technology demonstrations from Government leaders and industry experts. For an idea of what to expect at our 2025 event, check out last year’s videos and resources at our resource hub. If you are a vendor interested in sponsorship opportunities, please reach out to us at DevSecOpsMarketing@Carahsoft.com.

DevSecOps World Tour by GitLab

October | Washington, D.C. | In-Person Event

Through expert-led sessions, hands-on workshops and real-world case studies, attendees will explore the latest trends, tools and best practices in DevSecOps and gain valuable insights into security, enhancing collaboration and the best practices of integrating security seamlessly into the DevOps lifecycle. Attendees should look for sessions about global software development trends and success stories from Public Sector clients.

Carahsoft enables attendees to explore tailored solutions that streamline workflows, ensure compliance and accelerate the adoption of secure software development practices. Check out the events tab on our website for more information closer to the date of the event.

DevSecCon by Snyk

October | Virtual Event

With a focus on bridging the gap between security and development, offering insights into the latest trends and providing tools and practices in DevSecOps, this event will explore best practices for integrating security into the software development lifecycle. Through a combination of keynote speeches, hands-on workshops and interactive sessions, attendees will gain valuable knowledge on securing cloud-native applications, mitigating risks and enhancing collaboration between security and development teams.

Tracks at this event include AI Security, Open Source Security and Security Culture & Education

At DevSecCon, Carahsoft showcases its partnerships with top-tier vendors, offering attendees the opportunity to learn about cutting-edge technologies and solutions tailored to enable the Public Sector to become DevSecOps compliant while meeting their unique needs. To learn more about Carahsoft and Snyk’s DevSecOps capabilities and how we will be involved in this event soon, visit our website.

KubeCon + CloudNativeCon North America

November 10-13 | Atlanta, GA | In-Person Event

By uniting developers, operators and technology leaders to explore the latest innovations in containerization, microservices and cloud-native architectures, this event provides attendees with hands-on workshops and technical sessions to learn from industry experts on topics ranging from Kubernetes and container orchestration to DevOps, security and cloud infrastructure. Attendees should look for sessions about Kubernetes security, cloud-native security tools and DevSecOps automation.

Carahsoft’s booth and vendor demo kiosks will present solutions for secure Kubernetes deployments in Federal agencies. Check back soon to our events website for more information on this year’s event.

Splunk GovSummit

December | Washington, D.C. | In-Person Event

By providing a firsthand look at how Splunk’s data analytics, security and operational intelligence solutions can enhance mission-critical operations across Federal, State and Local agencies, this event enables attendees to gain insights from real-world case studies. Learn about emerging trends in data and network with industry leaders shaping the future of Government technology, as well as how to utilize Splunk for continuous monitoring in a DevSecOps pipeline.

As a key partner of Splunk GovSummit and distributor of Splunk’s powerful analytics platform, Carahsoft will provide a team of experts to share valuable knowledge, offer tailored solutions and facilitate connections between Government professionals and Splunk’s cutting-edge products, enabling attendees to transform data into actionable intelligence. To stay informed on our presence at Splunk GovSummit, visit our website and explore Splunk solutions.

Public Sector Network’s DevSecOps Virtual Event

TBA | Virtual Event

To provide a comprehensive look into the integration of security within the DevOps lifecycle, this event looks at incorporating security from planning through deployment. Topics covered include enhancing security measures, improving DevOps processes and ensuring compliance with Federal standards, all while addressing real-world examples and the unique needs of Government agencies. Attendees should look for sessions about security challenges, automation strategies and real-world use cases for DevSecOps in the Public Sector.

Carahsoft will showcase innovative solutions that enhance security, streamline workflows and ensure compliance, empowering Public Sector agencies to meet the demands of modern software development in a secure and efficient manner. Check out the events tab on our website for more information closer to the date of the event.

Red Hat Summit & Connect Series 2025

Multiple Dates | Multiple Locations | In-Person and Virtual Events

With both in-person and online options, this dynamic series of events brings together IT professionals, developers and business leaders to explore the latest innovations in Open Source technology, cloud-native solutions and automation. Featuring keynote sessions, expert-led workshops and hands-on labs, this conference empowers attendees to drive transformation within their organizations, improve efficiencies and accelerate their digital transformation journey. Attendees should look for sessions about security automation, containerization best practices and DevSecOps with OpenShift.

Carahsoft provides comprehensive support and expertise to help Government agencies, educational institutions and other Public Sector agencies leverage Red Hat’s innovative Open Source solutions. Carahsoft is a gold sponsor at this year’s event, and we will continue to update the details of our presence here.

Previous Event Highlights

Atlassian Team on Tour Government

Public Sector professionals joined to explore the latest tools and strategies for driving collaboration, efficiency and innovation across Government teams. This dynamic event showcased Atlassian’s solutions for managing complex projects, improving cross-functional workflows and fostering a culture of transparency and accountability. Attendees gained valuable insights from industry leaders, learned how to optimize team performance with Atlassian products and discovered best practices tailored to the unique challenges in Government.

As a proud key partner, Carahsoft brings its expertise in providing innovative IT solutions by offering attendees personalized insights on how Atlassian’s software can address their unique challenges and improve mission-critical operations.

By gaining new insights and perspectives on the right tools to continually integrate DevSecOps into every stage of the software development process, Public Sector agencies can ensure their systems remain secure. With DevSecOps, agencies can increase the delivery speed of their software, monitor systems in real time and collaborate with other agencies.

To learn more or get involved in any of the above events please contact us at DevSecOpsMarketing@Carahsoft.com. For more information on Carahsoft and our industry leading DevSecOps technology partners’ events, visit our DevSecOps solutions portfolio. 

Join Fellow Change Agents and Innovators at Prodacity 2025

Posted on by Seamus Bergen

With change on the horizon, Federal organizations are re-evaluating legacy processes for software development in order to deliver new and better software to Americans. They’re taking bold action and transforming organizations into continuous software delivery innovators.

In honor of these government IT change agents, Rise8 is hosting Prodacity 2025 in Nashville, TN on February 4-6. Over three days, Prodacity will bring together technology leaders at every level to learn, discuss, experiment, problem-solve and build transformative solutions that change constituents’ lives.

The agenda for Prodacity 2025 is packed with expert-led sessions and practical insights tailored to give attendees a complete perspective on effectively implementing continuous delivery. Software development requires more than development expertise; it calls for strategic thinking, an understanding of culture, sound governance and product management skills. Prodacity 2025 attendees will learn about and experience all this and more.

Each day will focus on different phases of continuous delivery. On day one, attendees will learn about setting a strategic direction for continuous innovation. Day two will be all about mastering tactics for continuous improvement. On day three, attendees will identify where to start with practical steps to drive transformation.

Speaking of Transformation

Prodacity 2025 will feature an impressive lineup of speakers from both the private and public sectors. Notable speakers include:

KEYNOTE: Barry O’Reilly, entrepreneur, business advisor and author – Barry is an expert on model innovation, product development, cultural transformation and organization design. At Prodacity 2025, he will speak on why we need a system for unlearning. He co-founded Nobody Studios, a venture studio to create 100 compelling companies over the next five years. His bestselling book, Lean Enterprise: How High-Performance Organizations Innovate at Scale, is the subject of a pre-conference book club.

Justin Fanelli – Mr. Justin Fanelli is the Acting CTO for the Department of Navy and Technical Director of PEO Digital, driving mission-critical IT transformations and cost-efficient innovations. He has held key roles including Chief Data Architect for Defense Health and Technical Director for Navy MPTE, earning accolades like the Etter Award for impactful service delivery and multi-billion-dollar cost savings. A DARPA Service Chiefs Fellow, he has led groundbreaking advancements in healthcare data systems and Navy enterprise solutions. Outside work, Mr. Fanelli teaches at Georgetown, advises startups and contributes to nonprofits like TechImpact.

Paul Contoveros – Mr. Paul Controveros is the Chief of the Combat Force Enhancement Division at Space Operations Command in the for the U.S. Space Force where he leads all support to Deltas’ Combat Development Teams and Supra Coders. He also leads a team of professional software developers charged with delivering digital tools to the force. Upon retiring from the USAF with 26 years of military service, Mr. Contoveros worked as a contractor supporting the HQ AFSPC S5/9 Advanced Capabilities Team, which morphed into the Directorate of Innovation upon the standup of HQ SpOC. In this role he created the monthly Delta Innovation Collaboration Exchange (DICE), authored the Accelerated Delta Innovation Process (ADIP) and co-authored the command’s first ever, nearly completed, Innovation Operations Instruction. Mr. Contoveros joined the government team in July of 2023 as Director of Innovation, re-branded as the Combat Enhancement Division as part of the SpOC re-organization in 2024.

Alistair Croll, author, founder and chair – Alistair is the author of Lean Analytics, widely considered required reading for startups and Just Evil Enough. He is also the chair of FWD50, a growing community of policymakers, technologists and civic innovators. Drawing on his experience as the builder of web performance pioneer Coradiant and Year One Labs incubator, Alistair will educate Prodacity attendees on MVPs for enterprises.

Edward Hieatt, Mechanical Orchard – Edward serves as Chief Customer Officer, helping enterprises overcome legacy modernization challenges. As a seasoned software engineer, Edward previously worked at Pivotal Labs and played a significant role in its growth, leading the rapid expansion of the technical field organization. His Prodacity talk will provide attendees with a perspective on real continuous delivery.

Join us at Prodacity

Carahsoft is thrilled to sponsor Prodacity 2025. We look forward to working alongside the speakers, representatives, attendees and all change agents seeking to disrupt government technology’s status quo.

Please join us February 4-6, 2025, in Nashville, TN. Learn more and register here. Prodacity will be unlike any other government event you’ve attended—it is the GovTech symposium of the year.

How to Accelerate the Journey to Government Compliance with CCM

Posted on by Esty Peskowitz

Government agencies are inundated with a vast amount of daily Governance, Risk, and Compliance (GRC) tasks and processes. Achieving regulatory compliance, an arduous process, can take up precious time that could be reallocated to other business-critical missions.

Continuous controls monitoring (CCM) is one solution. CCM leverages AI and extreme automation to help cut down on manual processes, allowing agencies to overcome regulatory hurdles, supercharge their staff, and make better risk-based decisions with fast, cost-effective automations.

Improving the Compliance Process

Creating a quality compliance report comes with heavy, manual processing time. CCM can help significantly by taking away some of the cumbersome brunt work, cutting 60-80% of the manual tasks required by GRC programs.

RegScale Government Compliance CCM Blog Embedded Image 2024

It can also help overcome hurdles to reaching valuable security authorizations. Completing an Authorization to Operate (ATO) package can take roughly six months to finish — but that process can be reduced to two weeks with the right CCM platform. CCM also gives agencies a leg up with gaining Continuous Authorization to Operate (cATO) by leveraging OSCAL, a machine-readable format that standardizes security control documentation and enables automated validation.

The Time-Saving Capabilities of Machine Learning and AI

In the past year, advances in machine learning (including large language models and generative AI) have created exciting new possibilities for GRC teams. AI and machine learning (ML) can offer everything from better data analysis to proactive risk management to a major reduction in manual processes. Here are a few of the most compelling use cases for AI-enabled GRC:

Help employees proactively monitor traffic
Review code for errors unlikely to be caught by the human eye
Explain complex controls and procedures in everyday language, bridging knowledge gaps
Generate accurate, up-to-date documentation in one click

Overall, AI allows agencies to move faster, with more accuracy, and with better visibility. To free up staff to complete mission-critical objectives, agencies should create their own AI/ML usage strategies and implement them within a Compliance as Code framework.

How RegScale’s CCM Leverages Compliance-Trained AI

RegScale’s AI-enabled platform, RegML, combines CCM and leading large language (LLM) tools to streamline compliance management with intelligent automation and precision. This approach improves compliance by significantly reducing manual labor and costs. It also provides user-friendly summaries and guidance and improves accuracy and precision in documentation, freeing up staff to focus on core business objectives.

RegML has four main AI features:

AI Extractor, which automatically derives compliance documentation from existing policies and procedures.
AI Explainer, which is designed to demystify control statements by providing users with simple explanations of intricate controls.
AI Author, which helps draft control implementation statements in the context of relevant regulations and requirements. This process allows writers to focus on editing a draft, leading to fewer errors and better accuracy.
AI Auditor, which identifies gaps in controls and provides suggestions for improvement. This frees up teams to work on more critical tasks like fixing gaps and implementing controls.

CCM and the Future

Today, more and more work is being done in the cloud. As data becomes ephemeral and serverless, cybersecurity has become more important than ever — as have the mandatory frameworks governing it. Meanwhile, regulations such as NIST’s Secure Software Development Framework (SSDF), the Digital Operational Resilience Act (DORA), the Security and Exchange Commission (SEC) rules, Cybersecurity and Infrastructure Agency (CISA) mandates, and the European Union’s AI Act have or are predicted to undergo changes.

These shifting frameworks only make CCM more integral, as its AI features allow users to ensure that they are thoroughly compliant at every step of the process. By freeing time for additional tasks, and by maintaining adherence to changing regulations, CCM enables organizations to improve their GRC programs and streamline their operations.

To learn more about how RegScale’s CCM platform provides a layer of security around AI usage, watch its webinar How AI is Revolutionizing Government Compliance.

Carahsoft Technology Corp. is The Trusted Government IT Solutions Provider, supporting Public Sector organizations across Federal, State and Local Government agencies and Education and Healthcare markets. As the Master Government Aggregator for our vendor partners, including RegScale, we deliver solutions for Geospatial, Cybersecurity, MultiCloud, DevSecOps, Artificial Intelligence, Customer Experience and Engagement, Open Source and more. Working with resellers, systems integrators and consultants, our sales and marketing teams provide industry leading IT products, services and training through hundreds of contract vehicles. Explore the Carahsoft Blog to learn more about the latest trends in Government technology markets and solutions, as well as Carahsoft’s ecosystem of partner thought leaders.

Rethinking and Modernizing the ATO Approval Process

Posted on by Travis Howerton

The path to securing Authorization to Operate (ATO) approval presents a myriad of challenges, such as complex regulations, the potential for human error and the constant threat of cyberattacks. The role of an Authorized Official (AO) necessitates both speed and thoroughness to ensure an organization’s risk is minimized while also safeguarding sensitive information. Traditional manual, point-in-time assessments are proving insufficient, resulting in significant security risks. As digital transformation accelerates in both the Government and Private Sector, regulatory compliance requirements have also increased, yet the tools and processes used to meet these standards fall behind. This disconnect poses a challenge for AOs, underscoring the urgent need for innovation in the ATO approval journey.

Preventing Compliance Drift

RegScale Modernizing ATO Approvals Webinar Recap Embedded Image Blog 2024

To stay ahead of the threats against the nation while simultaneously reducing the friction and corrosion in the compliance process, a proactive approach of implementing necessary measures and safeguards before they are mandated by regulatory requirements is essential. As Brandt Keller, Software Engineer at Defense Unicorns, stated during a recent webinar discussing the ATO approval process, “New technologies are coming, and we need to implement them and understand what they do, how they do it and what controls they do or do not satisfy.” The role of compliance within the DevSecOps process is pivotal, especially when switching from one technology to another. This decision must consider how the change impacts compliance, as the environment shift can alter the ATO posture. Such changes may result in drift or even expose the system to malicious actors seeking to escalate privileges or perform unauthorized actions. While compliance and security are often viewed as separate processes, they can and should be integrated to provide an additional layer of defense.

Preventing drift in IT systems is a crucial aspect of maintaining continuous compliance. AOs must actively collect and report data to accurately reflect the current state of their systems. Leveraging open standards on a platform is essential for effectively utilizing data. To achieve this, AOs need reliable methods for producing and regularly assessing data. Building a system from the ground up with compliance in mind involves meticulously implementing and automating controls that can be rerun consistently. The process must be both repeatable—able to redo tasks—and reproducible—able to collect evidence and achieve the same results. Any deviation indicates a potential issue, a change or an environmental modification that has made it less compliant. This approach allows AOs to confidently attest that their ATO meets all required controls and prevents any drift.

Implementing Automation

Automating processes within DevSecOps pipelines has emerged as a pivotal strategy, particularly streamlining compliance checks before system deployment. This approach allows decision-makers to assess risk before a system is even deployed. Moreover, the ability to continuously evaluate and update data in real time enhances accuracy and ensures timely access to critical information. However, accessibility of data remains a challenge due to the number of disconnected environments in existence. Open standards such as OSCAL solve this problem by providing a unified framework for continuous data integration. By adopting platforms that adhere to open standards, organizations can foster innovation and empower AOs with data in a familiar and actionable format, thereby optimizing efficiency and bolstering security measures.

ATO Risk Management Framework (RMF) artifacts represented in OSCAL machine-readable formats break down information silos, achieving effective communication across teams and facilitating seamless data handoffs. Automation is pivotal in expediting the decision-making process, alleviating the burden on the human workforce, enabling AOs to access better-quality data and making risk-based decisions more efficiently. While the potential for error is still present, automation significantly mitigates human error in data handoffs across all controls and systems. It also helps security professionals focus on managing risk rather than completing rudimentary compliance tasks.

Automating technical and administrative controls is not the same. While traditional approaches rely on application programming interface (API) data, nontraditional methods such as infrastructure as code (IaC)—managing computing infrastructure through provisioning scripts—or compliance as code—managing regulatory requirements by encoding them into automated scripts or code—offer alternative paths. These approaches allow organizations to establish rules and apply validations programmatically, mirroring the precision and speed of technical controls. However, not all controls are created equal; some function as checkboxes without mitigating risks. The critical controls that significantly impact an environment’s security posture should be the priority for automation. As emphasized by Travis Howerton, Co-founder and CEO at RegScale, “it is less important what percent of total controls are covered than what percentage of your total risk you are mitigating with automation.”

The cadence mismatch between cyber threats that move at lightspeed, and heavily manual compliance processes must be fixed. “The big part of what has to modernize,” according to Howerton, “is taking more automated approaches, leveraging advances in technology and thought leaders in this space to figure out how we can do things in a more automated manner to bring the principles of DevSecOps to compliance.” This strategic focus will ensure thorough and repeatable processes and prepare AOs for a future where compliance and security are dynamically intertwined, ultimately supporting better risk-based decisions and unlocking the full potential of digital transformation. By accepting early that ATOs should be more real-time and continuous, AOs can better position themselves for the future.

Watch RegScale and Carahsoft’s webinar, AO Perspectives: Managing Risks and Streamlining ATO Decision-Making, to learn more about modernizing the ATO approval process.

The Secret Behind High Performing Teams in Public Sector

Posted on by Shaun Jones

Using Atlassian, small agile teams across the DoD and Federal Government are breaking down bureaucracy and putting knowledge into the hands of users. Atlassian’s Jira Service Management and Confluence are two powerful tools from Atlassian’s suite. They synergize to enhance both task management and knowledge continuity within any organization. Read on to learn how they function together, boosting efficiency and providing an accessible platform for both rapid action and deep learning.

Jira Service Management: The Empowerment Hub

Atlassian Contegix High Performing Teams in Public Sector Blog Embedded Image 2024

Jira Service Management (JSM) is a dynamic, intuitive tool for service management, perfect for teams that need to respond quickly to requests or incidents. It acts as the front line for all queries and issues, where users can submit tickets for technical problems, service requests, or operational needs. The system’s user-friendly design ensures that even non-technical users can easily navigate its interface to find help or request services. This accessibility empowers all users by simplifying the engagement process with essential services, making it quicker and more intuitive to get the help they need or initiate processes.

Confluence: The Knowledge Base

Confluence complements JSM by serving as a comprehensive repository for organizational knowledge. It’s where all documentation – ranging from service manuals, troubleshooting guides, project reports, to meeting notes – is stored and managed. The platform is robust and versatile, supporting rich text content, multimedia, and dynamic content. It also features powerful search tools and a hierarchical structure that helps users easily find and access the information they need.

Better Together

When JSM and Confluence are used together, they create a cohesive environment that supports both immediate problem-solving and long-term knowledge management:

Integrated Service and Knowledge Delivery: As users report issues or request services through JSM, they can be directly linked to relevant Confluence pages where guides, troubleshooting steps, or policy documents are stored. This speeds up resolution times by empowering users to help themselves and ensures they are guided by the most current and comprehensive information.
Feedback Loop for Continuous Improvement: Insights and data from JSM can be used to update and refine the knowledge articles in Confluence. Common issues identified in JSM can be addressed in how-to guides or FAQs in Confluence, creating a feedback loop that continually enriches the organizational knowledge base.
Organizational Learning and Memory: Confluence ensures that solutions and information aren’t just shared in the moment but are stored for future reference. This helps build an “organizational memory,” crucial for training new staff and learning from past incidents.
Enhanced Collaboration: Both tools enhance teamwork by keeping everyone on the same page. While JSM facilitates the management of tasks and tracking of progress on projects or issues, Confluence ensures that all team members have access to the same background information, guidelines, and resources.

Together, Jira Service Management and Confluence not only streamline workflows but also ensure that knowledge is preserved and leveraged effectively, creating a more informed, responsive, and efficient organization.

Access the case study and learn more about how Atlassian and Contegix can support your organization’s learning management efforts and discover your team’s digital potential.

Enterprise Service Management in the Physical Realm: Understanding PPESM

Posted on by Ross Marks

Public sector organizations face a unique challenge: efficiently managing a vast array of property, plant, and equipment (PP&E) while adhering to strict regulations and budgetary constraints. Traditional methods, relying on siloed systems like spreadsheets and paper forms, create a tangled web of inefficiency. Here’s where Plant, Property & Equipment Service Management (PPESM) steps in, offering a modern, extensible solution for the entire asset lifecycle.

PPESM: A Real-World Example

Imagine a U.S. Navy shipyard bustling with activity. A complex web of stakeholders — the yard, contractors, the Navy, the ship’s crew, and various regulatory bodies — collaborate on critical repairs to ensure a ship’s timely return to service. Traditionally, this process has been plagued by paper forms, communication silos, and the high cost of mistakes. Let’s see how PPESM can revolutionize this environment.

PPESM replaces paper forms and carbon copies with a centralized digital platform. Work requests, inspections, condition found reports, and corrective actions are all electronically submitted and tracked, ensuring real-time visibility. Automated workflows keep everyone informed and expedite the repair process, and digital forms with pre-populated fields and data validation minimize the potential for errors and rework.

But there’s more. Plant, Property & Equipment Service Management goes beyond process improvements; it delivers tangible business and strategic results with on-time availability completion, continuous yard improvement, and increased stakeholder satisfaction.

How PPESM works

PPESM: A Holistic Approach to Asset Management

PPESM builds upon the foundation of Enterprise Service Management (ESM), extending its capabilities to address the specific needs of PP&E. Imagine a single, user-friendly system that seamlessly tracks assets from acquisition request to decommissioning. PPESM delivers this vision, empowering government agencies with:

Centralized Asset Register: Consolidate data from disparate sources into a central repository, providing a clear view of all assets, their locations, specifications, and maintenance history.

Streamlined Acquisition Process: Manage acquisition requests electronically, eliminating paper trails and streamlining approvals.

Automated Workflows: Automate routine tasks like scheduling preventive maintenance, generating work orders, and sending notifications for certification renewals.

Mobile Functionality: Empower field service technicians with mobile access to asset data, work orders, and service manuals, allowing for real-time updates and improved efficiency.

Enhanced Reporting and Analytics: Gain valuable insights into asset health, utilization rates, and maintenance costs. Use this data to optimize resource allocation and make data-driven decisions.

How PPESM Bolsters Security and Compliance

PPESM strengthens your organization’s security posture by centralizing asset data and access controls. User permissions can be tailored to specific roles, minimizing unauthorized access to sensitive information. Additionally, by automating document management and streamlining compliance workflows, PPESM ensures critical certifications and approvals are never missed, reducing the risk of being out of compliance and operational disruptions. This centralized, auditable system provides a clear picture of your assets and compliance activities, fostering transparency and accountability.

Addressing the Challenges of Smaller Asset Pools

PPESM offers particular benefits for organizations with smaller asset pools (under a few hundred). These agencies often struggle with inefficient ad-hoc methods. PPESM provides:

Reduced Breakdowns: Preventative maintenance becomes a breeze with automated scheduling and reminders. Early detection of issues minimizes equipment failures and extends lifespans.

Compliance Made Easy: Never miss a certification deadline again. PPESM tracks upcoming renewals and simplifies document management, ensuring smooth compliance audits.

Optimized Scheduling: Eliminate scheduling conflicts with a centralized, accessible system. Prioritize critical projects with ease and improve overall operational efficiency.

Faster Approvals: Mobile access and electronic workflows expedite the approval process for maintenance requests, ensuring timely repairs and minimizing downtime.

Beyond Efficiency: The Power of PPESM

PPESM goes beyond streamlining processes. It empowers government agencies to:

Reduce Costs: Minimize breakdowns, optimize resource allocation, and decrease administrative burdens, leading to significant cost savings.

Improve Service Delivery: Faster response times, efficient maintenance scheduling, and readily available asset information enhance service delivery to citizens.

Increase Transparency: A centralized system fosters accountability and improves visibility into asset management practices.

Enhanced Decision-Making: Data-driven insights empower informed decisions about asset acquisition, maintenance, and eventual decommissioning.

A User-Centered Approach

Traditional PP&E management systems often suffer from poor usability and accessibility, hindering user adoption and data accuracy. PPESM prioritizes a user-friendly experience with:

Intuitive Interface: A modern, easy-to-navigate interface ensures user acceptance and facilitates quick adoption across departments.

Mobile Accessibility: Empower staff with on-the-go access to information and tools, fostering real-time updates and improving field service effectiveness.

Offline Functionality: Ensure uninterrupted operations even in areas with limited connectivity.

The Key to Streamlined Operations, Cost Savings & Better Decision Making

PPESM is not just a software solution; it’s a catalyst for the transformation of PP&E management. By leveraging a centralized, user-friendly system with automated workflows and mobile accessibility, PPESM empowers agencies to streamline processes, optimize resource allocation, and ensure regulatory compliance. This holistic approach ultimately translates to improved service delivery, increased cost savings, and better decision-making. As your agency strives for operational excellence, consider PPESM as the key to unlocking a future of efficient and effective asset management.

Schedule a demo with our Atlassian team to learn how you can equip your organization with service management solutions.

DevSecOps: Achieving Efficiency and Scale with Automation and Software Factories

Posted on by Rich Savage

In today’s rapidly evolving digital landscape, Government agencies face many challenges in delivering modern, secure software applications to the end-user. DevSecOps is a methodology that combines development, security and operations to create a more streamlined and secure software development process. This concept has emerged as a transformative approach that integrates security practices, automation and software factories into the software development lifecycles from its inception. At the Carahsoft DevSecOps Conference, industry experts and innovators shared their knowledge of emerging tools, effective strategies and methodologies in software engineering through several educational sessions.

Unlocking Efficiency: The Power of Automation and AI/ML

Automation helps developers improve the efficiency and quality of code, reduce risk and combat security vulnerabilities. As a key component of DevSecOps, automation allows developers to simplify many of the tasks involved in software development, such as testing, deployment and monitoring. Once automated, developers can focus on writing high-quality code and addressing security vulnerabilities, rather than spending time on redundant manual tasks.

The use of AI has transformed the way developers work, compared to 20 years ago when code was primarily written from scratch. Today, external libraries — software code written by a third-party source — are used frequently which introduces a new set of risks and benefits. The benefits include making software development faster and more efficient as developers use pre-existing code to build their applications. However, if a third-party library has a security vulnerability, it can be exploited by malicious actors to gain access to sensitive data. If not maintained properly, the third-party library can become outdated and incompatible with other software components.

Software Factories

Software development has become an essential part of today’s business operations, and Government agencies are constantly seeking ways to improve their processes. Recently, the concept of the software factory—a structured approach to software development that emphasizes standardization, automation and collaboration—has gained popularity. It establishes a set of tools, processes and best practices that enable teams to develop software more efficiently and effectively. The goal of a software factory is to create a repeatable and scalable process for software development that can be applied across different projects and teams. By implementing this strategy, agencies can improve the quality, speed and consistency of their software development efforts.

One of those best practices, Continuous Integration and Continuous Deployment, are combined in a single process known as CI/CD. CI is the practice of frequently merging code changes from multiple developers into a shared repository, where automated tests are run to address integration issues early in the development cycle. This ensures the code is always in a releasable state and reduces the risk of conflicts and errors when changes are merged. CD, on the other hand, is the practice of automatically deploying code changes to production as soon as they pass the necessary tests and checks. Thus, enabling teams to release software changes quickly and frequently. By utilizing CI/CD, teams can achieve a continuous flow of code changes from development to production, which is imperative for modern software development.

Elevating DevSecOps: A Blueprint for Integrating Early Software Security Measures

Securing software in a containerized environment presents unique challenges due to the dynamic nature of containers and the distributed nature of container orchestration platforms like Kubernetes. Government agencies must ensure that containers are properly configured and secured, as misconfigurations can lead to vulnerabilities that can be exploited by attackers. Another difficulty is detecting and responding to security incidents in a timely manner, as containers can be spun up and down quickly and may be spread across multiple nodes in a cluster. Securing software early can help agencies reduce risk, lower costs, deliver software faster and improve collaboration between development and security teams.

Another crucial component of DevSecOps—continuous delivery—enables teams to deliver software changes quickly, safely and sustainably. This means that teams can release software changes frequently and with confidence, knowing that the changes have been thoroughly tested and are ready for production. Through a combination of automation, collaboration and feedback loops, continuous delivery helps reduce the time and effort required to release software changes.

Agencies can adopt a DevSecOps approach that integrates security into the software development lifecycle from the beginning. This involves using tools and processes to automate security testing and validation, as well as incorporating security requirements into the development process. For instance, agencies can use tools like vulnerability scanners and security-focused container images to detect and remediate vulnerabilities in containers. They can also use automation to validate security requirements and ensure that containers are properly configured and secured.

Securing software early in the development process can lead to several benefits including:

Reduced risk of security incidents: By identifying and addressing security vulnerabilities early in the development process, agencies can minimize the risk of security incidents and data breaches.
Lower costs: Fixing security issues later in the development process is much more expensive than addressing them early on. By integrating security into the development process from the beginning, agencies can reduce the cost of fixing security issues and avoid costly rework.
Faster time to market: Adopting DevSecOps approach can help agencies to deliver software faster by automating security testing and validation. This decreases the time for manual testing and enables faster release cycles.
Improved collaboration: Agencies can strengthen collaboration between development and security teams to ensure requirements are properly understood and incorporated into the development process. This proactive initiative can help foster a culture of security throughout the agency.

The adoption of DevSecOps, along with its fundamental principles, empowers Government agencies to establish a more efficient and secure software development process. This is achieved through the implementation of automation, the adoption of a software factory approach and the early integration of security measures.

To learn more about DevSecOps best practices and trending innovations, visit Carahsoft’s DevSecOps vertical solutions portfolio.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at Carahsoft’s annual DevSecOps Conference.*

Generative AI, DevSecOps and Cybersecurity Highlighted for the Air Force and Space Force at DAFITC 2023

Posted on by Mike McCalip

Thousands of Space Force and Air Force personnel and industry experts convened to discuss the most current and significant threats confronting global networks and national defense at the 2023 Department of the Air Force Information Technology and Cyberpower Education & Training (DAFITC) Event. Throughout the many educational sessions, thought leaders presented a myriad of topics such as artificial intelligence (AI), DevSecOps solutions and cybersecurity strategies to collaborate on the advancement of public safety.

Leveraging Generative AI in the DoD

At the event, experts outlined three distinct use cases for simplified generative artificial intelligence in military training.

Text to Text: This type of generative AI takes inputted text and outputs written content in a different format. Text to Text is associated with tasks such as content creation, summarization, evaluation, prediction and coding.
Text to Audio: Text to Audio AI can enhance accessibility and inclusion by creating audio content from written materials to support elearning and education and facilitate language translation.
Text to Video: Text to Video AI is primarily geared towards generating video content from a script to aid the military with language learning and training initiatives.

Dr. Lynne Graves, representative of the Department of the Air Force Chief Data and Artificial Intelligence Office (CDAO), provided attendees with a brief timeline of how the USAF will fully adopt artificial intelligence. The overarching aim for AI integration is to make it an integral part of everyday training, exercises and operations within the Department of Defense (DoD).

In FY23, the DoD is focusing on pipeline assessment. Using red teaming where ethical hackers run simulations to identify weaknesses in the system, internal military personnel target improvement of their infrastructure and mitigation of the vulnerabilities in the different stages of the pipeline.
In FY24, the emphasis will be on the Red Force Migration policy, which involves developing, funding and scaling the necessary strategies.
In FY25, the goal is for the department to become AI-ready. This entails preparing for AI adoption at all agency levels, establishing a standard model card that explains context for the model’s intended use and other important information, creating a comprehensive repository of data and implementing tools for extensive testing, evaluation and verification.

USSF Supra Coders Utilize DevSecOps for Innovation

The current operations of United States Space Force (USSF) Supra Coders involve a range of activities that combine modeling, simulation and expertise in replicating threats. These operations are conducted globally, and currently include orbit-related activities, replication of DA ASAT (Direct Ascent Anti-Satellite) capabilities and the reproduction of adversarial Space Domain Awareness (SDA).

The USSF Supra Coders have encountered limitations with software solutions, including restrictions tied to standalone systems, licensing structures with associated costs and limited adaptability to meet the specific needs of aggressors and USSF requirements. DevSecOps presents a multifaceted strategy for mitigating the identified capability gaps noted by the USSF Supra Coders. It can help create more effective and efficient software solutions through seamless integration of security protocols, streamlining system integration processes, optimizing costs and enhancing customizability.

Cybersecurity Within the Space Force

Cybersecurity is a shared responsibility across the DoD but is especially relevant for the U.S. Space Force. As a relatively newly emerging branch of the military, the Space Force is still developing its cyber strategies. Due to its completely virtual link to its capabilities, the USSF must prioritize secure practices from the outset and make informed decisions to protect its networks and data.

Currently, the Space Force is engaged in the initial phases of pre-mission analysis for its cyber component which serves as a critical element for establishing and maintaining infrastructure through the integration of command and control (C2). These cyber capabilities encounter a series of complex challenges, which necessitate a multifaceted approach including the following solutions:

Enforcing Consistent Cybersecurity Compliance
Developing Secure Methods to Safely Retire Old Technology
Enhancing Cryptography Visibility
Understanding Security Certificate Complexity
Identifying Vulnerabilities and Mitigating Unknown Cyber Risks

While the Space Force faces a uniquely heightened imperative to bolster its cybersecurity capabilities with its inherent reliance on information technology and networks in the space domain, the entire community must collaborate effectively to achieve military leaders’ targeted cybersecurity capabilities by the goal in 2027.

The integration of generative AI in military training, innovations through DevSecOps by the USSF Supra Coders and cybersecurity initiatives of the Space Force collectively highlight the evolving landscape of advanced technologies within the Department of Defense. Technology providers can come alongside the military to support these efforts with new solutions that enhance the DoD’s capabilities and security.

Visit Carahsoft’s Department of Defense market and DevSecOps vertical solutions portfolios to learn more about DAFITC 2023 and how Carahsoft can support your organization in these critical areas.

*The information contained in this blog has been written based off the thought-leadership discussions presented by speakers at DAFITC 2023.*

Building a DevSecOps Culture

Posted on by Rich Savage

As software becomes more sophisticated, it plays an increasingly important role in all aspects of government operations. However, given the complexity and intertwined nature of modern software, any vulnerability could have wide-ranging consequences, which makes security of vital importance. The federal government has taken notice. A number of recent policy directives address issues related to the software supply chain, and key agencies are leading a governmentwide effort to promote secure software development, including the Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust and the Executive Order on Improving the Nation’s Cybersecurity. Learn how you can implement DevSecOps to support your journey to secure, innovative software in Carahsoft’s Innovation in Government® report.

The Mindset Shift that Enables DevSecOps

“In an ideal world, technology and processes support team members’ ability to deliver on their particular talents. Before agencies implement DevSecOps methodologies, they should identify where their processes are getting bottlenecked and forcing people to either work around them or fundamentally change their behavior. Instead, we want to make it easy for employees to do the right thing. The goal is to enable people to focus on what they do best — regardless of where they operate in the stack or the tools they are using — so that agencies can build and deploy secure, modern apps.”

Read more insights from Alex Barbato, Public Sector Solutions Engineer at VMware.

How Generative AI Improves Software Security

“Generative AI tools are becoming increasingly prevalent, providing interactive experiences that captivate the public’s imagination. These tools are accessible to anyone, offering a unique opportunity to engage and explore the creative possibilities enabled by AI technology. The technology doesn’t just train a model to recognize patterns. It can create things that are easy to understand: images, text, even videos. Sometimes the results are hilariously wrong, but other times the results are quite impressive, such as clear, concise answers to complex questions. Generative pre-trained transformer (GPT) technology, such as ChatGPT, has opened the doors for everyone to be an evaluator because the output is accessible and easy to critique.”

Read more insights from Robert Larkin, Senior Solutions Architect at Veracode.

Open Source is at the Heart of Software Innovation

“Embedding security into applications from the start is essential for streamlining and strengthening the entire development life cycle. Securing the software supply chain is a related effort that is of vast importance to government operations. Beyond securing individual applications, the ultimate goal is to build security into the pipeline itself. At each step and every handoff, we must be able to verify who has touched the software and who did what to ensure that the end result is what we intended to build and that nothing malicious has been injected along the way.”

Read more insights from Chris Mays, Staff Specialist Solutions Architect at Red Hat.

DevSecOps Needs Tool Diversity and Collaboration

“As DevSecOps methodologies and software factories grow in prevalence, agencies are recognizing that software development is a team sport — inside the agency, across departments and with external stakeholders. It touches many different teams, but getting everyone on the same page with tooling can be difficult. Different teams prefer different tools, and that makes collaboration hard. Modern software development brings security practices forward in the timeline while reducing duplication of efforts and improving real-time accountability. Success hinges on removing blockers, creating visibility and making sure collaboration is happening at every stage. In addition, encouraging input from different areas of the organization from the beginning and throughout development is vital for innovation.”

Read more insights from Ben Straub, Head of Public Sector at Atlassian.

Observability Speeds Zero Trust and Application Security

“In response to increasing cyberthreats, the government is speeding up the move to zero trust. This security model assumes that every user, request, application and non-human entity is not to be trusted until its identity can be verified. Zero trust principles require a layered defense that is more effective when rooted in observability. To develop an architecture that validates and revalidates every entity on the network, it is necessary to know what those entities are, how they’re communicating and how they typically behave so we can recognize deviations. Zero trust and observability technologies work together to create a more secure and resilient network environment by assuming that all requests for access are untrusted and continuously monitoring the network to detect and respond to potential threats.”

Read more insights from Willie Hicks, Public Sector Chief Technologist at Dynatrace.

The Role of a Service Mesh in Zero Trust Success

“For large companies and government agencies, it’s safe to assume that a committed attacker is already inside their networks. Executive Order 14028 mandates that every federal agency develop a Zero Trust architecture because it is the most effective approach to mitigating what attackers can do once they’ve made their way inside. What does Zero Trust look like at runtime? One of the key considerations is identity-based segmentation, which involves conducting five policy checks for every request in the system: encrypted connection between service endpoints, service authentication, service-to-service authorization, end user authentication, and end user-to-resource authorization.”

Read more insights from Zack Butcher, Founding Engineer at Tetrate and co-author of the NIST SP 800-200 series and SP 800-207A.

AI and the Journey to Secure Software Development

“By automating and optimizing DevSecOps workflows, we can still shift security left while relieving developers from the burden of some complex remediation. It begins with a workflow that leverages fully automated security scanning to rapidly identify vulnerabilities as well as providing suggested remediation for vulnerabilities and on-demand remediation training to educate developers on what they are getting into. The rapid evolution of artificial intelligence is making new advances possible. The opportunities go well beyond AI-assisted code creation. AI features are being expanded across the entire software development life cycle. When it comes to security, having AI assist by making code functionality clear or explaining a vulnerability in detail reduces the time required to remediate risk.”

Read more insights from Joel Krooswyk, Federal CTO at GitLab.

Scaling App Development While Meeting Security Standards

“The dream for any software development team is constant, stable releases. The faster teams get the work they’ve created into production, the faster the agency can derive value from that work. When app development is stymied by cumbersome security reviews and stability testing and by the need to wait for a deployment window, innovation is stifled and the return on investment is delayed. If agencies want to have efficient, value-driving software development teams, those teams must be able to move with agility. A trustworthy, scalable DevOps pipeline that brings together testing and security in a seamless way allows teams to push out new apps and improvements quickly so government employees and citizens can have a seamless digital experience and the most up-to-date tools and information.”

Read more insights from Kyle Tobener, Head of Security and IT at Copado.

Join us in-person for our must-attend DevSecOps Conference—an exciting day of exhibits, speaking sessions, and networking events. We look forward to showcasing new DevSecOps updates from our supporting panels featuring government, systems integrators, and industry thought leaders.

Download the full Innovation in Government® report for more insights from DevSecOps thought leaders and additional industry research from FCW.

Speed Your Agency’s Software Deployments in 6 Easy Steps

Posted on by Jim Dodson

Slow, bottlenecked, and often archaic release methods challenge most government agency software delivery teams. But enterprise feature management can help your agency achieve faster releases with less risk.

Enterprise feature management provides teams with total control over application features, fine-grain release targeting, and detailed audit logs. It starts with feature flags, a powerful tool that allows your development teams to turn features on or off without requiring a code change or deployment. They are a modern solution to traditional hard-coded boolean flags custom-built for each app. With an enterprise feature management platform, you can use a pre-set feature flag enterprise framework to define and operate a simple and seamless experience. This delivers a host of benefits that, among others, dramatically streamlines and accelerates software delivery. It also empowers teams to roll out new functionality gradually and selectively rather than all at once. And, your agency can “dark launch” a feature in production, reducing dependencies on expensive and custom staging environments.

Here are six steps that government agencies can take to get started with LaunchDarkly Federal, the only FedRAMP-authorized feature management platform. These steps will help you understand how to use feature management for high-speed, low-risk software releases of legacy and new applications:

1. Put in place the LaunchDarkly SDK to enable feature flagging

LaunchDarkly’s Software Development Kits (SDKs) allow your developers to implement and share feature flags quickly and easily across software applications. They provide an easy way to connect new and existing applications to the LaunchDarkly SaaS platform. Simply include your programming language-specific LaunchDarkly SDK into your application to get started. The SDK initializes to a specific environment, manages default values and targeting contexts, handles any connectivity issues, and listens for feature status and rule changes. SDKs provide the support for real-time application updates without the need to deploy new code.

2. Identify your environment(s)

In traditional release motions, government agencies identify and set up numerous development, testing, and production environments. Not only is each environment often expensive, but running a release through so many gates can be a significant challenge for resource-strapped teams. It is almost impossible to simulate a production level environment in staging and so when you release to production, you are testing in production anyways. Why not do it safely with granular targeting to reduce risk? With an enterprise feature management solution, you can reduce the number of environments and focus more on safely and securely testing in production.

3. Target, or even micro-target, your release

The next step is determining exactly where you will release individual features, and when. With feature flags, your development teams can release features in a highly customized way. By creating targeting rules, teams can easily target individual releases to a subset of users, resources, or even infrastructure, before making them widely available to all end-users. It’s possible to even micro-target a single user.

Targeting makes it simple to progressively release a new feature to a QA team or to project sponsors for feedback. The granular control over features and release targeting that LaunchDarkly Federal provides will enable more control than traditional blue/green deployments alone.

4. Flip a switch, and release whenever you want

With enterprise feature management, your development teams can separate deployment and release processes. Engineering teams can deploy code, and non-engineering teams can trigger the release with a simple flip of the switch. Decoupling these processes reduces the risk of failure and allows teams to release new features quickly and efficiently. Your development teams can keep progressing on their software development projects and release new features at the best time for their program or department. And, enterprise feature management also allows your project and program teams to develop, test, and deploy features using custom workflows with enterprise-level management capabilities.

By using low-risk continuous integration/continuous development (CI/CD) development processes with incident resolution times of less than 200ms, teams can improve developer productivity and reduce the time it takes to release new features to production.

5. Quickly disable features if issues or errors occur

In the event of an issue or error, teams need to be able to quickly disable features to avoid any issues affecting the application in production. Issues could range from something major such as security vulnerabilities to minor usability and cosmetic problems. With traditional processes, a team would have to roll back to a previous release losing everything they just deployed or take down an entire application to address issues or errors. However, with enterprise feature management solutions, teams can quickly disable the individual problematic feature leaving the rest of the application unchanged. Instead of the lengthy and cumbersome rollback and redeployment processes, this limits the impact to the application with zero downtime. DevSecOps teams would then typically perform a “patch forward” for the fix.

6. Track the release with detailed analytics

Using analytics, monitoring tools, and processes helps guarantee that your software meets government guidelines and agency policies. Using enterprise feature management, your agency can gather detailed audit logs and analytics to inform your decision-making and improve software delivery processes across your mission-critical programs.

Following these six simple steps can help you shrink your agency’s release time from years and months, to days and hours, just like it did for the Centers for Medicare (CMS). Using LaunchDarkly and the six steps above, CMS went from one launch once per quarter, to completing six launches within a single day to support a global rollout.

Feature management is a powerful DevSecOps tool that can truly accelerate the delivery of transformative software. With detailed control over features, release targeting, and detailed audit logs, your agency can reduce risk and deliver software at the speed of the commercial world.

Download our eBook to learn more about LaunchDarkly, and view our our public sector webinar to learn more about DevSecOps best practices.