Government technology is where modern engineering practices meet 30-year-old procurement, and the result is either a generational improvement in citizen experience or a $200M write-off. I work with public-sector teams and govtech vendors who refuse to accept that the second outcome is normal. The work looks different from commercial engineering only in its constraints; the architectural rigor required is actually higher, because the failure modes (denial of benefits, civil-rights violations, breach of millions of records) are worse.
FedRAMP and StateRAMP are the dominant constraints on cloud-hosted federal and state systems. FedRAMP Moderate covers most CUI workloads, FedRAMP High covers high-impact systems, and StateRAMP is rapidly converging on the same control catalog at the state level. I design platforms that inherit as many controls as possible from FedRAMP-authorized providers (AWS GovCloud, Azure Government, Google Public Sector), so the agency-specific work focuses on the application layer where it actually adds value. Continuous-ATO patterns, codified in OSCAL and automated through tools like ComplyTime, are the only path I've seen that lets a public-sector team deploy at modern cadence without burning eighteen months on each annual reauthorization.
Accessibility is non-negotiable. Section 508 requires conformance with WCAG 2.0 AA at minimum (2.2 AA in practice), and the Department of Justice has begun enforcing Title II ADA requirements on state and local digital services. I build interfaces that pass automated audits, manual screen-reader testing, and the kind of real-user evaluation the U.S. Web Design System recommends. For most agencies, adopting USWDS components is the fastest path to accessibility conformance and visual coherence with federal peers.
Legacy integration is where most modernization projects either succeed or get stuck for years. The mainframe is not going away on the timeline of any project I've worked on, and pretending otherwise is how teams end up rewriting COBOL at the cost of citizen experience. I build API gateways and event bridges that put a modern surface on legacy systems while letting the legacy continue to be the system of record. The patterns differ (CICS over Kafka, IDMS through Spring Boot, IBM i through MuleSoft), but the principle is the same: modernize the experience layer first, retire the legacy on its own timeline.
Public-sector AI is the next compliance frontier, and the bar is correctly higher than commercial AI. The OMB M-24-10 memorandum on federal AI governance, NIST AI RMF, and the EU AI Act all converge on the same requirements: documented risk assessments, bias testing, human review of high-stakes decisions, and transparent disclosure to affected citizens. I ship AI in government contexts with explainability, audit trails, and explicit human-in-the-loop review for any decision that affects benefits, eligibility, or rights. The technology is the easy part; the governance is the work. Start a project if your team needs to ship a digital service that holds up to inspector-general review.