CACI uses GitLab to boost tech delivery for public sector customers

CACI migrated to GitLab’s AI-powered DevSecOps platform to increase efficiency, security, and productivity, while also consolidating what had been cumbersome and expensive toolchains.

“Our customers rely on us because they know agile software development is our superpower,” says Glenn Kurowski, senior vice president and CTO of CACI. “But looking at ourselves critically revealed some programs were using DevSecOps toolchains that were great years ago but not that great today. With multiple acquisitions under our belt, we had different DevSecOps toolchains spread across our software development teams. It was working but we knew it could be more efficient. We had to disrupt ourselves to improve our superpower.

According to Kurowski, CACI selected GitLab as its partner because of his confidence in it as a full DevSecOps platform, GitLab’s rapid pace of continuous innovation, and its willingness to partner on the emerging USG security requirements. Adopting GitLab also allowed CACI to have a more homogenous approach and eliminated seams created by using disparate products.

A big part of CACI’s plan was to commit to using GitLab as the central cog in building a company-wide Common Software Development Environment (CSDE).

Building CACI’s software in the CSDE, which is set up as a service on the AWS GovCloud, ensures everything they develop is fully compliant with emerging federal regulations. The environment includes a standard set of tools, services, and rule frameworks for regulatory mandates. With CSDE as-a-service, it’s available to all projects. And the GitLab DevSecOps platform is at the center of it.

“Previously, our teams frequently had to build a new DevSecOps toolchain for every new contract that came in,” says Kyle Craft, CSDE service lead at CACI. “With GitLab at the heart of our CSDE, you just create a new account and start working on the software, instead of spending time building and administering a toolchain. It’s much more efficient.”

Teams across CACI use the CSDE for the company’s nearly 190 different software development projects — unless a customer requires the use of their own environment. The company is seeing a 90% savings in labor and administrative work around toolchain administration since moving to a GitLab-based CSDE. Patch creation automation is down from hours to minutes, while security scanning has sped up by 13x versus previous implementations.

“Our developers love the ease of use, the availability, reliability, and scalability of our GitLab-based CSDE service,” says Craft. “GitLab is the backbone of the way we build software, and our workforce loves how fast they can start up projects and produce software for new programs and projects.”

CACI has seen “explosive growth” in CSDE users since standardizing on GitLab. Rolling out CSDE started with just 110 initial users in the summer of 2022. But a little over a year later, that usage had grown to more than 1,900 developers. It helps that GitLab fits the scale at which CACI’s agile software development executes. For example, one program alone in CACI has more than 150 applications and issues 800 releases of new capability per year.

“Our customers expect innovation and high-quality software. They desperately need high velocity – rapid releases of new capabilities to address evolving mission needs,” says Kurowski. “Many in our industry do software development but we take it to the next level, and at scale. To expand our leading position, we turned to GitLab to enable us to rethink, and disrupt the way we build software swiftly without compromising security.”

The GitLab-based CSDE has been critical in CACI’s work to create a new version of a communication system for one of its customers.

Two earlier versions of the project were built using a variety of different DevSecOps tools. To support the development of the new version of the mission application, the team switched to CACI’s GitLab-based CSDE for an integrated end-to-end DevSecOps platform.

“GitLab had all the features and automation we needed in one application. It simplified our work,” says Wesley Monroe, technical project manager at CACI. “With all of the road mapping, issue tracking, and security scanning in one place, it’s hard to even compare it with what we were using before.”

One of the greatest benefits of using GitLab’s DevSecOps platform is that it enables CACI to be prepared to handle emerging security compliance requirements, avoiding costly rework down the road.

Meeting government laws, regulations, and standards is critical for a government contractor. That means not only being compliant but being able to prove it.

CSDE was another example of CACI investing ahead of its customers’ needs. “We have positioned ourselves to be able to meet future contract security requirements,” says Craft. “We can attest to meeting security standards and have the data to back that up, which is tracked and stored in the GitLab platform.”

Using a single platform also enables CACI’s teams to shift security left, incorporating it into every phase of the software development lifecycle. That’s key to being able to meet security-focused US government regulations, such as the Secure Software Development Framework (SSDF).

Before CACI launched its migration to GitLab DevSecOps, teams had been weighed down with a large number of disparate and expensive tools across the enterprise. Now they are reducing that complexity by migrating off some of those tools.

By trimming the company’s toolchains, Kurowski says they have reduced licensing costs, spent less time administering their tools, and have been able to dedicate more time to developing software. He also notes that teams are more productive, they’re launching projects much faster, and they’re more easily meeting demand surges. He says training also has been simplified, upgrades are done more smoothly and quickly, and project management has become more in line with code development. Patches are also now done with little to no downtime.

Software developers, working on a common platform, now easily move between projects to meet surges in customer demand. “This ensures customers have access to top software development talent at speed,” says Kurowski.

The platform also has enabled them to create documentation that is “night and day better” than what they were able to produce before, notes Craft. That’s largely because the platform fosters strong collaboration inside and among DevSecOps teams, giving them better visibility into projects and the ability to share responsibility for making notes about problems, solutions, and best practices.

CACI’s DevSecOps users have been creating what Craft calls a “community of practice” because of the extra visibility and collaboration they’re finding through the platform. “Because we’re using the same platform, we’re aware of each other like we never were before,” he explains.

Part of CACI’s expanding use of GitLab means looking forward to purposefully and responsibly leveraging AI features, like GitLab Duo, built into the platform. Kurowski says they anticipate using AI to help learn and understand existing code, and to develop new code.

“We love where GitLab is headed with augmenting DevSecOps with AI,” he adds. “Our coders spend more time understanding code than writing it. That’s just the norm for the industry. The idea of augmenting the process with code explanation, code suggestions, and code assistance, in general, is spot on with a core need.”