April 22 2020
In the world of federal IT, the last decade or so has told the same story over and over, agency to agency: how do we modernize our legacy systems into efficient, cloud-based DevSec Ops machinations without sacrificing quality?
DevSecOps is becoming less an option and more a mandate across the board for many agencies today. The Marine Corps was in this boat — literally and figuratively — trying to keep up with demand with an eye toward the future.
What came out? MCBOSS, which has revolutionized the way the Marine Corps business operates. Keep reading to find out how we helped our government partner reach new heights:
What is MCBOSS?
The Marine Corps Business Operations Support Services (MCBOSS) is a revolutionary multi-platform, cloud-enabled environment that allows users to access and build applications for Marine Corps use. It was the first DevSecOps capability developed by the Naval Information Warfare Center (NIWC) Atlantic team, providing DevSecOps to the U.S. Marine Corps for the first time.
Why was it built?
The Problem: Legacy Systems
Security is a chief concern in the Department of Navy, and particularly the Marine Corps. Before MCBOSS, the Marine Corps had little in the way of cloud-enabled computing, and if they did, it took months to vet for security. Their legacy systems were operating relatively well, but software updates were slow — measured in years. They needed a cloud-enabled platform able to rapidly update with an authority to operate (ATO).
These lags hurt mission goals: helping modernize the protection systems we have in place to protect the American people at home and abroad.
The Approach:
Both disruption and new challenges threaten traditional organizational leaders. Agencies must innovate and deliver more effectively while keeping an eye toward the future — namely, being willing to disrupt their own products and processes for the greater good.
Thus, the Marine Corps injected agility into the organization so it can outlearn and outperform any threat. Fueled by passionate and empowered team members, MCBOSS increases agility and responsiveness while maximizing human capital and IT return on investment.
But what's the execution?
As part of the Application, Development, and Test Services (ADTS) group, our team helped build the automated testing and development within the software development pipeline, which enables DevSecOps processes within the MCBOSS environment. Our team built custom software factories (i.e., an integrated set of tools and data) for the project. These factories allow developers and DevOps teams to compile, build, and deploy their code reliably and efficiently to their production platforms.
The details:
- We prioritized Infrastructure as Code (IaC), utilizing cloud agnostic tools such as Terraform to provision the environment
- We automated the security and hardening into the IaC scripts so that hardened, secure environments can be provisioned at any time.
- We provided a secure, accredited hosting environment in AWS GovCloud so that application owners/developers can focus on software delivery vs software deployment, hosting, and OS hardening.
- We also furnished cloud resources and operational services using the “X as a Service” concept.
- Lastly, we utilized the software factories approach to provide a list of hosting platforms, accept the code base from application owners, and then deploy/host the software.
The Results
MCBOSS is now fully operational, with approved applications running on the platform. These include:
-
Appian – A low-code platform that provides capability for enterprise application development.
- Pega – This provides a no-code platform for model-driven, unified enterprise-grade, agile application development.
- Pivotal – This platform is a unified, multi-cloud system that runs enterprise applications at scale.
- Tactical service-oriented architecture (TSOA) – TSOA is the Marine Corps service aligned with the DoD’s net-centric services strategy (NCSS), which is an effort to better enable our warfighters by using the latest—and most secure—technology.
Most importantly, MCBOSS now has a Continuous Authority to Operate (C-ATO), meaning it will be approved for use throughout its lifecycle. It’s the first C-ATO of its kind in the industry, and ultimately means that the process of keeping America safe is more efficient and effective.
The Future
Going forward, the Marine Corps can utilize and develop applications to better serve its business operations and, in turn, its warfighters. Having that secure, approved environment also saves time and money when completing agency objectives.
With success MCBOSS, federal agencies are no longer doubting the effectiveness of the DevSecOps approach. We expect to see the practice become the norm rather than the exception. Improvements in integration, automation, security, and remediation have become important influences across the government, in developing and prioritizing secure code.
Learn more:
ExecutiveGov: Navy Dept Stands Up Organization to Apply DevSecOps Software Dev’t
Want to learn even more about DevSecOps?
Download our free eBook to learn how to navigate DevSecOps for yourself and your team.
