VA Lighthouse Sets Federal Innovation Standards

As VA strives to provide Veterans with increasingly high-quality and secure digital experiences, the VA Lighthouse Developer Experience program plays a significant role in making this a reality.

Throughout the 2022 calendar year, Lighthouse focused on enabling VA’s Office of Information and Technology (OIT) teams to deliver valuable software applications with higher quality and reduced risk through agile development and continuous delivery.

This focus has led to the development of Lighthouse Delivery Infrastructure with its Secure Release pipeline, which simplifies software development at VA, making it more efficient, repeatable, and secure.

Lighthouse Delivery Infrastructure

All high-quality software (API or otherwise) requires a standard set of development and operations-centric infrastructure and tools to achieve sustainability and scalability. To address this reality, the Lighthouse Delivery Infrastructure provides a suite of infrastructure, tools, and development guidelines that enable rapid and secure development, deployment, and operation of high-quality VA APIs within the VA Enterprise Cloud (VAEC).

In short, the overarching goal of the Lighthouse Delivery Infrastructure is to deliver products that work for Veterans by prioritizing the effectiveness and collaboration of software product delivery teams within VA OIT.

However, offering capabilities to efficiently develop and deploy software (like APIs) is only part of the solution. To truly realize time and cost savings, we must be able to secure and authorize software equally efficiently.

Federal Government agencies are required to leverage the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) to authorize software for operation with an Authority to Operate (ATO).

ATOs manage risk by identifying and evaluating applicable NIST RMF controls for new and existing applications. A tremendous amount of work and responsibility goes into certifying applications for use and granting an ATO. It requires an Authorizing Official (AO) to accept the benefits and risks of the application’s initial release into production and all subsequent releases. As an application is enhanced, its ATO must evolve to reflect its ever-changing security and risk posture.

Obtaining and maintaining an ATO at VA is rigorous; it takes months (and often more than a year) for new applications to get an ATO. Similarly, a significant amount of time is required to maintain an ATO as an application evolves.

This may be tenable for legacy software development with low-frequency release cadences, but not for software releasing into Production on a weekly or even daily basis.

To meet agile teams where they are, a continuous ATO (cATO) process is necessary, and VA OIT established one.VA’s Chief Information Officer (CIO) Kurt DelBene and Chief Information Security Officer (CISO) Lynette Sherrill granted full approval to the cATO, which is making a huge impact.

How do we address this problem?

To pair modern, agile software development with a cATO process, Lighthouse has leveraged ongoing authorization under NIST RMF. Importantly, NIST encourages organizations to employ iterative and incremental approaches to ensure security and privacy requirements and controls are implemented, verified, and validated on an ongoing basis.

Lighthouse is demonstrating a continuous learning culture that embraces guiding principles to be better, faster, and more secure by incrementally improving their approved cATO process. This process leverages the strengths of VA Enterprise Cloud (VAEC) and Lighthouse Delivery Infrastructure, as well as embedding independent application security assessors into software development teams.

This means software development teams not only benefit from having a significant set of security controls inherited from VAEC and the platform, but every code commit automatically triggers the Secure Release pipeline that runs vulnerability scans for images and containers, source code, and third-party dependencies. And security remains a key focus throughout the entire lifecycle of a product, extending to continuous runtime monitoring in production.

Once a team satisfies requirements enforced by the Secure Release pipeline, they obtain a signed image that allows for deployment of the product to a live production environment. These requirements include the remediation of vulnerabilities detected in scanning, and verification that security requirements are met by their application security assessor.

Accelerating delivery without compromising security

By investing in automation and user-centered design principles to increase transparency and traceability between software development teams and security specialists, Lighthouse’s cATO process enables teams to deliver high-quality, secure software empowered by innovative cybersecurity technology.

The VA Lighthouse Developer Experience program champions operational excellence as VA continues to modernize its technology and systems to enhance users’ experience with digital tools in the most secure way possible. Ongoing authorization allows VA to ship secure, authorized software 80% faster, placing VA as a frontrunner in the federal civilian agency space.