
Continuous Integration and Deployment in Grants Management

In this grants management engagement, Karsun Solutions used DevSecOps best practices, including continuous integration and deployment, to implement a common delivery process that allowed agile teams to develop, deploy and deliver business features in 2-week sprints. Combining modern software development and DevSecOps principles with its proprietary GoLean® platform, the Karsun Solutions DevOps Practice accelerates digital transformation for government agencies with solutions built on AWS. These highly skilled resources deliver superior solutions and architectures to customers at federal agencies.

About the Customer

The Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA) Grant Management Modernization (GMM) program owns and operates the GMM Streamlined Platform for Agile Release and Transformation Acceleration (SPARTA) system. Through the development and deployment of the GMM SPARTA system, GMM seeks to streamline grants management across the agency's 40-plus grant programs through a user-centered, business-driven approach. Grants are the principal funding mechanism FEMA uses to commit and award federal funding to eligible State, Local, Tribal, Territorial, certain private non-profit, individual and higher-education recipients.

Customer Challenge

FEMA manages more than 40 active grant programs that were developed independently. Enhancements and updates to these programs were not coordinated, and FEMA was incurring high sustainment costs. FEMA Grants Management Modernization (GMM) had a business imperative to integrate the 40+ active grant programs into a single grants platform that would deliver full grant lifecycle management and establish common business practices and processes. A common delivery process was critical for the 12 agile teams to develop, deploy and deliver business features in 2-week sprints.

Partner Solution

Karsun followed DHS standard Agile and DevSecOps processes and worked with FEMA stakeholders to promote a consistent delivery model that drove customer value. We used DevSecOps tools including BitBucket, Jenkins Enterprise, SonarQube Enterprise, Fortify, Nexus IQ Server and Twistlock to implement automated continuous integration and continuous deployment (CI/CD) pipelines. All DevOps tools except BitBucket are installed as containers within the OpenShift cluster.

Continuous Integration and Deployment 

All application source code is stored in BitBucket. We follow the GitFlow model for development and release management with three core branches: master, develop and hotfix. Story branches are created from the "develop" branch, and changes are pushed back to "develop" via pull requests. On submission of each pull request, Sonar and Fortify scans are executed; if the scans pass, the code is merged to "develop" after peer review. After each merge to "develop", a Docker image is built, tagged appropriately and uploaded to the OpenShift internal registry. OpenShift ImageStreams watch for new or updated images and automatically trigger the corresponding builds or deployments.

A smoke test suite runs every hour against the develop branch; if the tests pass, the corresponding commit IDs are tagged as golden and pushed to master. Each "master" branch build also goes through Sonar and Fortify scans, a Nexus IQ scan and a Twistlock image scan.

Production deployment is handled on demand once the product owners approve the changes. 
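The pipeline described above, written as a declarative Jenkinsfile. This is an added illustration, not Karsun's or the GMM program's own pipeline code; the registry host, image and ImageStream names, credential id, Twistlock console address, Maven smoke suite and the ci/fail-on-fpr-findings.sh gate script are assumptions.

```groovy
pipeline {
  agent any
  // The hourly timer drives the develop smoke test; Bitbucket events drive the rest.
  triggers { cron('H * * * *') }
  environment {
    // Assumed values: registry host, image name, Twistlock console address and credential id.
    REGISTRY = 'image-registry.openshift-image-registry.svc:5000'
    IMAGE    = "${REGISTRY}/gmm/sparta-app:${env.GIT_COMMIT}"
    TL_ADDR  = 'https://twistlock-console.example.internal:8083'
    TL       = credentials('twistlock-console')   // exposes TL_USR and TL_PSW to the shell steps
  }
  stages {
    stage('Sonar and Fortify scans') {   // every pull request, develop build and master build
      steps {
        sh 'sonar-scanner -Dsonar.qualitygate.wait=true'   // fails the build when the quality gate fails
        sh 'sourceanalyzer -b sparta -clean && sourceanalyzer -b sparta src && sourceanalyzer -b sparta -scan -f sparta.fpr'
        sh './ci/fail-on-fpr-findings.sh sparta.fpr'   // hypothetical script: non-zero exit on critical/high/medium findings
      }
    }
    stage('Build and push image') {
      when { branch 'develop' }
      steps {
        sh "docker build -t ${IMAGE} . && docker push ${IMAGE}"
        // Tagging the pushed image into the ImageStream lets OpenShift trigger the deployment itself.
        sh "oc tag --source=docker ${IMAGE} gmm-dev/sparta-app:latest"
      }
    }
    stage('Hourly smoke test and golden promotion') {
      when { allOf { branch 'develop'; triggeredBy 'TimerTrigger' } }
      steps {
        sh 'mvn -Dtest=SmokeSuite test'   // assumed Selenium smoke suite entry point
        sh '''
          git tag -a "golden-$(date -u +%Y%m%d%H%M)" -m "hourly smoke test passed" "$GIT_COMMIT"
          git push origin --tags "$GIT_COMMIT:refs/heads/master"
        '''
      }
    }
    stage('Master scans and production deployment') {
      when { branch 'master' }
      steps {
        nexusPolicyEvaluation iqApplication: 'sparta', iqStage: 'build', failBuildOnNetworkError: true
        // Single quotes: the shell expands the secret, so it never lands in the console log.
        sh 'twistcli images scan --address "$TL_ADDR" --user "$TL_USR" --password "$TL_PSW" --details "$IMAGE"'
        // Production is on demand: the run waits here until a product owner approves.
        input message: 'Approve production deployment?', submitter: 'product-owners'
        sh "oc tag --source=docker ${IMAGE} gmm-prod/sparta-app:latest"
      }
    }
  }
}
```

Every stage that fails stops the run, so an image can only reach the prod ImageStream after the Sonar, Fortify, Nexus IQ and Twistlock gates and the manual approval.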

Technologies Used

OpenShift 3.11

AWS Services – VPC, IAM, S3, RDS (PostgreSQL, Oracle), ELB/ALB, Lambda, CloudWatch, CloudTrail, Route 53, DMS, SQS, SNS, DynamoDB, Athena, Elasticsearch, Glue

DevOps tools – Bitbucket, Jenkins, SonarQube, Fortify, Twistlock/Prisma Cloud, Terraform, Nexus Suite

Test Automation – Selenium

Monitoring – NewRelic

Results and Benefits

  • Consistent and rapid builds and deployments for new feature rollouts and bug fixes
  • All critical, high and medium risks are remediated before production
  • Implementation of 12-factor principles enables independent deployment of components
  • Infrastructure as code fully automates the provisioning process, resulting in consistent environments
  • Continuous delivery to other environments
  • Static and dynamic scanning for security vulnerabilities

About the Partner

Karsun Solutions provides cloud migration technical expertise and develops new products and services to solve business partners’ complex challenges. This includes a wide range of activities such as quality management and planning, enterprise data management, solution and enterprise architecture, information delivery, application development, testing and sustainment with federal agencies.