In this grants management engagement, Karsun Solutions used DevSecOps best practices, including continuous integration and deployment, to implement a common delivery process allowing agile teams to develop, deploy and deliver business features in 2-week sprints. Combining modern software development and DevSecOps principles with the proprietary GoLean platform, the Karsun Solutions DevOps Practice accelerates digital transformation for government agencies with solutions built on AWS. These highly skilled resources deliver superior solutions and architectures to customers at federal agencies.
The Customer
The Department of Homeland Security (DHS) Federal Emergency Management Agency (FEMA) Grant Management Modernization (GMM) program owns and operates the GMM Streamlined Platform for Agile Release and Transformation Acceleration (SPARTA) system. Through the development and deployment of the GMM SPARTA system, GMM seeks to streamline grants management across the agency’s 40-plus grant programs through a user-centered, business-driven approach. Grants are the principal funding mechanism FEMA uses to commit and award federal funding to eligible State, Local, Tribal, Territorial, certain private non-profits, individuals and institutions of higher learning.
The Challenge
FEMA manages more than 40 active grants programs that were developed independently. Enhancements and updates to these programs were not coordinated, and FEMA was incurring high sustainment costs. FEMA Grants Management Modernization (GMM) had a business imperative to integrate the 40+ active grants programs into a single grants platform that would deliver full grant lifecycle management and establish common business practices and processes. A common delivery process was critical for the 12 agile teams to develop, deploy and deliver the business features in 2-week sprints.
The Solution: CI/CD for Grants Management
Karsun followed DHS standard Agile processes and DevSecOps and worked with FEMA stakeholders to promote a consistent delivery model that drove customer value. We used DevSecOps tools including BitBucket, Jenkins Enterprise, SonarQube Enterprise, Fortify, Nexus IQ Server, and Twistlock to implement automated continuous integration and continuous deployment (CI/CD) pipelines. All DevOps tools except BitBucket are installed as containers within the OpenShift cluster.
Continuous Integration and Deployment
All application source code is stored in BitBucket. We follow the GitFlow model for development and release management with three core branches: Master, Develop, and Hot Fix. Story branches are created from the “Develop” branch and changes are pushed via pull requests to the “Develop” branch. On submission of each pull request, Sonar and Fortify scans are executed; once the scans pass, the code is merged to the “Develop” branch after peer review. After each merge to the “Develop” branch, a Docker image is created, tagged appropriately, and uploaded to the OpenShift internal registry. OpenShift ImageStreams watch for new or updated images and automatically trigger builds or deployments.
A smoke test suite runs every hour against the Develop branch; if the tests pass, the corresponding commit IDs are tagged as golden and pushed to master. Each “master” branch build also goes through Sonar and Fortify scans, a Nexus IQ scan, and Twistlock image scans.
Production deployment is handled on demand once the product owners approve the changes.
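The pipeline above applies different scan sets at each stage (Sonar and Fortify on pull requests; Nexus IQ and Twistlock added on master), promotes Develop commits to master only on a passing hourly smoke test, and, per the Result section, requires critical, high and medium findings to be remediated before production. The following policy-as-code module is an added example of how those gates can be encoded; it is not Karsun's or FEMA's code. The `ScanResult` structure, the severity ranking, the stage names and all sample findings are constructed assumptions, and unknown severity labels are deliberately treated as critical so a scanner's new label never slips past the gate.

```python
"""Pipeline gate policy for a GitFlow + scan-gated CI/CD flow.

Added example, not the project's own code. Tool names follow the text;
the ScanResult structure, severity ranking and sample findings below
are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

# Ordered severity scale. A label the scanner reports that is not in this
# table is treated as critical (fail closed), see blocking_findings().
SEVERITY_RANK: Dict[str, int] = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Scans required at each stage, as the text describes them:
# pull requests run Sonar and Fortify; master builds add Nexus IQ and Twistlock.
REQUIRED_SCANS: Dict[str, Tuple[str, ...]] = {
    "pull_request": ("sonar", "fortify"),
    "master": ("sonar", "fortify", "nexus_iq", "twistlock"),
}

# Findings at or above this severity must be remediated before production.
BLOCKING_SEVERITY = "medium"


@dataclass
class ScanResult:
    """One tool's verdict: its own pass/fail gate plus (severity, finding id) pairs."""
    tool: str
    passed: bool
    findings: List[Tuple[str, str]] = field(default_factory=list)


def missing_scans(stage: str, results: Sequence[ScanResult]) -> List[str]:
    """Required scans for this stage that produced no result at all."""
    present = {r.tool for r in results}
    return [tool for tool in REQUIRED_SCANS[stage] if tool not in present]


def blocking_findings(results: Sequence[ScanResult],
                      threshold: str = BLOCKING_SEVERITY) -> List[Tuple[str, str, str]]:
    """(tool, severity, id) for every finding at or above the blocking threshold."""
    cutoff = SEVERITY_RANK[threshold]
    return [
        (r.tool, sev, fid)
        for r in results
        for sev, fid in r.findings
        # unknown labels rank as critical so they always block
        if SEVERITY_RANK.get(sev.lower(), SEVERITY_RANK["critical"]) >= cutoff
    ]


def evaluate_gate(stage: str, results: Sequence[ScanResult]) -> Tuple[bool, List[str]]:
    """Decide whether a build may proceed; returns (allowed, human-readable reasons)."""
    reasons = [f"required scan not run: {t}" for t in missing_scans(stage, results)]
    reasons += [f"{r.tool} gate failed" for r in results if not r.passed]
    reasons += [f"{tool}: {sev} finding {fid} unresolved"
                for tool, sev, fid in blocking_findings(results)]
    return (not reasons, reasons)


def select_golden(smoke_runs: Sequence[Tuple[str, bool]]) -> Optional[str]:
    """Hourly promotion rule: the newest Develop commit whose smoke tests passed
    is the one tagged golden and pushed to master; None if nothing qualifies."""
    for commit_id, passed in reversed(smoke_runs):
        if passed:
            return commit_id
    return None


# Constructed sample results; finding ids and commit ids are placeholders.
PR_RESULTS = [
    ScanResult("sonar", True),
    ScanResult("fortify", True, [("Low", "FTY-EXAMPLE-1")]),
]
MASTER_RESULTS = [
    ScanResult("sonar", True),
    ScanResult("fortify", True, [("High", "FTY-EXAMPLE-2")]),
    ScanResult("nexus_iq", True),
    ScanResult("twistlock", True, [("Medium", "CVE-EXAMPLE-0001")]),
]
SMOKE_RUNS = [("a1f3c0", True), ("b7e2d1", False), ("c9d4e5", True), ("d0a6f7", False)]

if __name__ == "__main__":
    print("PR gate:", evaluate_gate("pull_request", PR_RESULTS))
    print("master gate:", evaluate_gate("master", MASTER_RESULTS))
    print("master with PR-only scans:", evaluate_gate("master", PR_RESULTS))
    print("golden commit:", select_golden(SMOKE_RUNS))
```

Running the module shows the PR gate passing (only a low finding), the master gate blocked by the high and medium findings, a master build rejected outright when the Nexus IQ and Twistlock results are absent rather than silently treated as clean, and the most recent passing smoke-test commit selected for the golden tag. In a real Jenkins job the `ScanResult` entries would be built from each tool's exported report rather than constructed inline.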
| AWS Services | DevSecOps Tools | Test Automation | Monitoring |
| --- | --- | --- | --- |
| This implementation used EKS, VPC, IAM, S3, RDS (PostgreSQL, Oracle), ELB/ALB, Lambda, CloudWatch, CloudTrail, Route 53, DMS, SQS, SNS, DynamoDB, Athena, Elasticsearch and Glue. | Karsun experts used Bitbucket, Jenkins, SonarQube, Fortify, Twistlock/Prisma Cloud, Terraform and Nexus Suite for this solution. | Our experts used Selenium for this solution. | This solution utilized New Relic for monitoring. |
The Result
- Consistent and rapid builds and deployments for new feature rollouts and bug fixes
- All critical, high, and medium risks are remediated before production
- Implementation of 12-factor principles enables independent deployment of components
- Infrastructure as Code fully automates the provisioning process, resulting in consistent environments
- Continuous delivery to other environments
- Static and dynamic scanning for security vulnerabilities
About Karsun Solutions
Karsun Solutions modernizes enterprise systems enabling agencies to make the next technological advancement their next opportunity to elevate mission capability. IT solutions from Karsun are tailored to meet agencies’ unique needs and optimize operations. These solutions adapt and stay relevant to current trends while using secure, digital architecture built to last. It is a proven modernization partner whose expertise elevates agency capabilities and ensures every next opportunity is within reach.
About the Engagement
Karsun’s technical expertise and innovative solutions address complex challenges facing FEMA. This includes quality management and planning, enterprise data management, solution and enterprise architecture, information delivery, application development, testing, and sustainment efforts.