Agile
Reduce costs. Deliver value.
TCG’s Agile approach promotes effective collaboration with customers to identify their business needs, eliminate wasted effort, and drive consistent delivery of the applications and software Federal agencies need to accomplish their missions.
Agile Capability StatementDevSecOps
Unify teams for efficient and secure delivery.
In complex environments with distributed responsibilities, we build unified teams that share responsibility to consistently deliver and maintain secure applications and tools.
We focus first on the foundational elements of the methodology–iterative improvements, collaboration, efficiency–not the technology. This helps agencies avoid upending their whole infrastructure and see benefits immediately.
DevSecOps Capability Statement
How would you describe TCG’s approach to DevSecOps?
Our DevSecOps solutions are right-sized for the organizations that we work with, ranging from a 1 developer team to a team with 20-plus members. There are different needs at different organization sizes. With larger organizations, development and other teams are more likely to be focused on their own internal deadlines and objectives. This creates large islands, and more time is needed to build bridges and establish collaborative approaches. Small agencies need to do more with less, so teams are much smaller and potentially more integrated. In that situation, we would focus on automation first in order to improve efficiency and quality. The bottom line is that we know how to adjust our approach given the organizational needs.
What is commonly missing from standard DevSecOps approaches?
I think the industry is still coming to terms with the issue of open-source supply chain security.
When we incorporate third-party dependencies into a project, the reliance on external repositories and sources introduces risks of malicious or vulnerable packages potentially jeopardizing system security and integrity. Taking cognizance of this, library management needs to evolve to implement mechanisms aimed at safeguarding software supply chains. This is where protective sequestration (PS) comes in, a concept borrowed from public health that describes measures taken to prevent the infection of a known uninfected group from a potentially infected larger group.
At its core, PS entails taking stringent measures to insulate a software repository from potential risks. This is achieved by initiating the standard process of downloading updated versions of packages, for use directly or as dependencies in projects, but then intentionally isolating them for a ‘quarantine’ period before incorporating them into the repository.
What value does our approach provide to Federal agencies?
As with our other capabilities, we take an iterative approach. We don’t come in and try to overhaul everything at once. We focus on high priority problems first and iterate from there. This preserves institutional knowledge, delivers valuable changes quickly, and saves money in the long run. This approach also helps avoid disruptions to current development cycles and updates.
Application Security
TCG uses FISMA controls for network topology, server configuration, application security, application logging, authentication, and monitoring.
- FISMA Moderate and High
- Zero Trust
We plan and execute multiple iterations of Zero-Trust architecture based on the premises of elimination of implicit trust, continuous verification, and the assumption of a breach.
Open-Source Supply Chain SecurityAgile Transformation at the MCC
“TCG rebuilt two mission-critical applications for the Millennium Challenge Corporation (MCC) and is continuing to develop these and other applications, as well as implement a data warehouse and analytics program. The TCG-led Agile transformation was very successful and MCC has continued to invest in software development support from TCG to meet critical agency needs.” ‑MCC COR
