Agencies should share APIs, developer platforms, federal CIO Council says
The federal government is duplicating too many software projects across different agencies, and it could start to fix the problem by encouraging the sharing of platforms and services, the federal CIO Council says in a recent report.
“There has been advocacy for cloud services within the federal government, but efforts to migrate to common platforms that serve federal software developers and contractors within the federal enterprise are still nascent,” the report says. “The lack of internal developer-focused platforms and services results in software projects within and across departments and agencies rebuilding much of the same functionality.”
That can make projects more expensive and complex, the report says, “while hurting their usability and chance of a successful outcome.”
When it comes to sharing developer platforms and services, government should borrow from its model of sharing “common administrative functions such as financial management, human resources, payroll and acquisitions,” the report says.
“Rather than writing functionality from scratch, a team can compose platform APIs and services together to build and deliver much of an application’s functionality,” said Acting Federal Chief Information Officer Margie Graves in a blog post. “This includes developer platforms and services that directly impact mission delivery including citizen-facing applications or optimization of internal operations through consolidation or de-duplication of IT functions.”
For the report, the CIO Council also surveyed what federal platforms and services exist right now. The council notes those “are mostly provided through .gov top-level domains and cover a range of API use cases that include application development and deployment, analytics, user authentication, payment processing and data discovery.”
Examples the council found included the 18F digital services office’s identity management portal login.gov, and platform-as-a-service offering cloud.gov.
Roadblocks to sharing
One federal developer platform, the Federal Risk Authorization and Management Program, was designed to provide a sort of do-it-once, reuse-many-times approach to assessing the security of, and authorizing, cloud products and services. But the CIO Council said in its report that it may not be achieving its desired outcomes of efficiency and Authority to Operate reuse.
Cloud service providers can get a Provisional Authority to Operate from a joint board that individual agencies can then leverage to give a full ATO.
But according to the report, “practice appears to indicate that many agencies continue to rely minimally, if at all, on these provisional authorizations in granting individual agency ATOs.”
The report does note, too, that there is confusion around provider and customer responsibilities under the Federal Information Security Modernization Act.
“This lack of clear delineation between the roles and responsibilities of provider and customer agencies in the context of shared developer platforms and shared services may slow adoption,” the report says. “This current lack of detail provides an opportunity for further policy clarification.”
Promoting shared services may also require another look at the Privacy Act, the council says. Right now, whenever an agency creates a new records system, it has to publish a System of Records Notice and comply with other requirements under the Privacy Act.
But if the shared service is only a technical infrastructure without data, maybe it would be better for the agency responsible for the data flowing through the system to publish the SORN, the report suggests.
“Wide-scale adoption of these types of arrangements could have a big impact on promoting the use and realizing the benefits of shared services,” the report says.