‘BatCave’ signals CMS’ progress toward moving to the cloud

Like the famous superhero Batman, the technological landscape at Centers for Medicare and Medicaid Services has two identities.

On the surface, many people think of CMS as a clichéd, boring agency stuck in the past, along with its mainframes and COBOL.

But if you find the secret switch on the bust, open the door behind the bookshelf and lower the bar, you will find the BatCave.

It’s a metaphor for the evolution of CMS over the past decade, but it’s also literal in the sense that the agency has developed a new IT modernization initiative called the BatCave.

Robert Wood is CMS’ Chief Information Security Officer.

“Its official government acronym is Continuous Approval and Validation Engine, and in practice it is a software factory or container-based platform to streamline the runtime that goes into software development efforts, ATO readiness efforts, ongoing maintenance and deployment system,” CMS Chief Information Security Officer Robert Wood said in an interview with Federal News Network. “I think the DevSecOps platform and the software factory are pretty much the same in some ways,” he said. “The accumulation of skills, processes, and culture combine to build software that opens doors quickly and aligns with the principles of continuous delivery.”


Wood’s team drives the BatCave work because, in order to build software faster, security groups need to reduce friction, ensure stability and resiliency, and above all, automate as many security processes as possible and make them continuous.

While CMS may seem to some to be a thing of the past with mainframes and COBOL, over the past few years the agency has been actively moving its systems and data to the cloud.

CMS Chief Information Officer Rajiv Uppal said recently at AFCEA’s Health IT Day that the agency has already moved more than 90 of its 200 systems to the cloud.

“There are some things that will take longer to move to the cloud. For example, claims processing. It’s a 40 year old system running on a mainframe. We’re taking the pieces and moving them to the cloud. It takes time and we have to pay attention to the way we do it.” “Eventually, almost everything will be in the cloud. CMS probably accounts for the largest cloud footprint in the private sector. We are on our way.”

Borrowed from Air Force, etc.

The BatCave isn’t necessarily a new concept. CMS worked closely with the Air Force and modeled the BatCave after that service’s Platform One effort.

CMS developers are not obligated to use BatCave, so Wood knows that BatCave must provide value and incentives to attract users.

“We work with and discuss with the Air Force. The Air Force did this in a very federated environment, similar to how CMS should operate. Everyone has their own money and is doing their own thing.” “Adoption of services is a choice, not an obligation. You need to have the right incentives and value proposition in place to ensure that someone chooses to use your centralized service. So in the Air Force effort, we learned a lot from the Navy effort.”


To attract these users, Wood said one big lesson he learned from the Air Force was to focus on the needs of the community and users.

“It’s really easy to fall into the trap of building what you think the community needs, instead of actually listening to the community or getting the data to flow where it needs to be. In our case, we dug a lot of user research, a lot of user validation, and a lot of data about what our system looked like. How are we going to build and what are we going to build?” “We have been researching human-centered design thinking in terms of a value-oriented flywheel. Doing something like this requires that level of user engagement and community involvement.”

Security control inheritance

Wood said CMS moved its DevSecOps platform from contract award to production in less than a year, and six teams are now using it. He said several other mission areas at CMS are evaluating how they can use the tool in the future.

“It won’t be for everyone. We recognize it. But people running containerized workloads, moving faster with software, running jobs in the cloud, running web services, application programming interfaces (APIs) are probably a pretty good fit,” he said. “They can benefit from not having to worry about ATO overhead anymore. The advantage is that you can make software changes and deploy really quickly without having to go through the costly and time-consuming security impact analysis process every time you want to do a new release or introduce a new feature. All of this contributes to faster mission launch and faster time to market.”


Wood said that one of the biggest benefits of the BatCave platform is that developers inherit nearly 80% of the security controls they need. This means that only the remaining 20% need to be tested, reducing development-to-production time.

“We weren’t trying to get to 80% from the start. We’ve basically built what we believe to be the ideal Minimum Viable Product (MVP), and we’ve begun the hard work of mapping controls to all the different things that are included in this modular fashion. This has been our MVP, so we look forward to adding more and more to the pipeline,” he said. “The rest, like security monitoring activities, are things we might start to systematically build into our processes. This includes tasks such as ingesting and aggregating logs into a data lake and generating software bills of materials (SBOMs). Everything rests on the shoulders of the development team, but we train them to succeed and gather artifacts in a way that we can continuously monitor so they can get us to where we are due. It is comfortable to place them in a state of constant empowerment.”


