The Centers for Medicare & Medicaid Services (CMS) administers Medicare, Medicaid, and Children’s Health Insurance Program (CHIP) programs, including the health IT systems that support their organizational mission. Changing global health conditions and resulting legislative mandates require CMS to instill practices for rapid change. Because of the types of health data involved and the amount of funds they administer, CMS requires a significant focus on maintaining a high level of system and data security.
To evolve their capabilities, CMS shifted to a DevSecOps model for software development. The agency requires contractor partners able to effectively implement DevSecOps in a federal environment to achieve efficiencies and deploy secure, workable products quickly.
How DCCA Engaged
DevSecOps integrates development, security, and operations into every phase of the software lifecycle. With the adoption of Agile and DevOps practices, organizations have been able to develop workable products more rapidly. However, addressing security as an afterthought or as an out-of-cycle activity created inefficiencies and additional risk. DevSecOps was the natural next step: security activities are integrated earlier in the development process and enforced through quality gates in the pipeline.
DCCA has pioneered DevSecOps within CMS and has been recognized for security achievements on multiple occasions. On the Medicaid and CHIP Financial (MACFin) program, DCCA implemented a security automation framework (SAF) into code pipelines. We created three automated pipelines to support rapid development: 1) Infrastructure - creates the ability to destroy and re-create MACFin AWS Cloud resources within seconds, create policy-based ‘What-If’ scenarios, and supports disaster recovery; 2) Code - enforces continuous security and quality checks with every code commit; and 3) Security - provides configuration and vulnerability checks. Our implementation of these pipelines has allowed us to not only rapidly produce secure software, but also demonstrate our secure software approach to our product owners, users, and other CMS stakeholders.
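The code and security pipelines described above stop a commit when a scan produces findings above an agreed severity. The script below is an added illustration of such a gate, written for this page; it is not DCCA's SAF code or anything from the MACFin program. The scanner JSON layout, the finding ids, the component names and the risk-acceptance list are all constructed for the example. It shows the two details a gate needs beyond a simple threshold: accepted findings are time-boxed so an expired acceptance blocks the build again, and a finding with no recognised severity is treated as critical rather than silently ignored.

```python
"""Added example: a minimal pipeline security gate (not DCCA's SAF code).

Reads scanner findings (a constructed JSON document), applies a severity
threshold plus a time-boxed exception list, and returns a pass/fail
decision that a CI job turns into its exit code.
"""
import json
import sys
from datetime import date

# Constructed scanner output in a hypothetical format; ids and component
# names are placeholders, not real vulnerabilities or MACFin components.
SAMPLE_SCAN_JSON = json.dumps({
    "findings": [
        {"id": "F-001", "severity": "CRITICAL", "component": "example-lib"},
        {"id": "F-002", "severity": "HIGH", "component": "example-base-image"},
        {"id": "F-003", "severity": "HIGH", "component": "example-tool"},
        {"id": "F-004", "severity": "MEDIUM", "component": "example-cli"},
        {"id": "F-005", "component": "example-unrated"},  # scanner gave no severity
    ]
})

# Constructed risk-acceptance list: finding id -> ISO date the acceptance expires.
SAMPLE_EXCEPTIONS = {
    "F-002": "2099-01-01",  # acceptance still valid
    "F-003": "2020-01-01",  # acceptance expired, so the finding blocks again
}

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(scan_json):
    """Parse the (hypothetical) scanner JSON into a list of finding dicts."""
    return json.loads(scan_json).get("findings", [])


def evaluate_gate(findings, threshold="HIGH", exceptions=None, today=None):
    """Classify each finding as blocking, suppressed, or below threshold.

    today may be a date or an ISO string; it defaults to the current date.
    """
    exceptions = exceptions or {}
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    min_rank = SEVERITY_RANK[threshold.upper()]
    result = {"passed": True, "blocking": [], "suppressed": [], "below_threshold": []}

    for finding in findings:
        fid = finding.get("id", "<no id>")
        severity = str(finding.get("severity", "")).upper()
        # Fail closed: an unrated or unrecognised severity is treated as CRITICAL.
        rank = SEVERITY_RANK.get(severity, SEVERITY_RANK["CRITICAL"])
        if rank < min_rank:
            result["below_threshold"].append(fid)
            continue
        expiry = exceptions.get(fid)
        if expiry and date.fromisoformat(expiry) >= today:
            result["suppressed"].append(fid)  # accepted risk, still within its window
            continue
        result["blocking"].append(fid)

    result["passed"] = not result["blocking"]
    return result


def gate_exit_code(result):
    """Exit code for the CI job: 0 lets the pipeline continue, 1 stops it."""
    return 0 if result["passed"] else 1


def run_sample_gate(threshold="HIGH", today="2024-06-01"):
    """Run the gate over the constructed sample with a fixed evaluation date."""
    findings = load_findings(SAMPLE_SCAN_JSON)
    return evaluate_gate(findings, threshold=threshold,
                         exceptions=SAMPLE_EXCEPTIONS, today=today)


if __name__ == "__main__":
    outcome = run_sample_gate()
    for bucket in ("blocking", "suppressed", "below_threshold"):
        print(f"{bucket:16s}: {', '.join(outcome[bucket]) or '-'}")
    print("gate passed" if outcome["passed"] else "gate FAILED")
    sys.exit(gate_exit_code(outcome))
```

In a real pipeline the scanner output and the acceptance list would be read from files produced by earlier jobs, and the acceptance list would live under version control so that every suppression is reviewable and its expiry is visible in the commit history.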
DCCA co-authored MACFin DevSecOps case studies which CMS published in ISSO articles in 2019 and 2021. The articles highlight the quality improvements and efficiencies achieved, such as reducing the burden of Adaptive Capabilities Testing (ACT). As noted in the CMS ISSO Journal from 2021, the objectives of implementing DevSecOps on the MACFin program included:
- Hardened operating system as a result of automation
- Reduced burden of security assessments
- Continual improvement of the security posture
- Increased product quality
- Accelerated software integration and deployment with precision
- Ability to validate configuration on demand
- Ability to automate product reconstruction as part of disaster recovery
- Ability to create new environments on demand for testing and previews
At this time, all desired outcomes listed above have been achieved on the program.