{"id":4877,"date":"2025-09-15T17:17:15","date_gmt":"2025-09-15T17:17:15","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4877"},"modified":"2025-09-15T17:17:15","modified_gmt":"2025-09-15T17:17:15","slug":"how-the-marine-corps-slashed-it-delays-by-shifting-to-devops-and-agile-development","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4877","title":{"rendered":"How the Marine Corps slashed IT delays by shifting to DevOps and agile development"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

The U.S. Marine Corps is celebrated for its precision and ability to adapt on the battlefield. But behind the IT scenes, another battle was taking place against outdated IT systems that made it harder to serve Marines and their families.<\/p>\n

That\u2019s where Marine Corps Community Services took command. The organization is the department within the USMC responsible for programs that improve Marine quality of life, from child care and family counseling to fitness centers, retail stores, and dining facilities.<\/p>\n

Yet, MCCS was bogged down by sluggish IT processes. Approvals for new systems\u2014known as authorizations to operate (ATOs)\u2014could take years and cost more than $1 million per system. These roadblocks made it difficult to keep pace with modern needs.<\/p>\n

\u201cWith IT service delivery, there are many constraints that create very long cycle times,\u201d says David Raley, digital program manager at MCCS. \u201cIt may take five years for a capability to be available because of \u2018waterfall\u2019 practices and legacy compliance around security.\u201d<\/p>\n

That frustration set the stage for Operation StormBreaker, a groundbreaking initiative that used DevOps and agile development practices to redefine how IT systems are developed, tested for security, and approved.<\/p>\n

<\/a>Operation Stormbreaker rethinks the development playbook<\/h2>\n

By 2023, MCCS had run out of patience with the rigid, sequential waterfall development, and decided to build Operation Stormbreaker around DevOps and agile practices that rely on automation, short iterations, and constant feedback.<\/p>\n

Raley and his team began by creating a Marine Corps\u2013authorized landing zone in Amazon Web Services, allowing security controls to be inherited across multiple systems. They then paired that foundation with the Department of the Navy\u2019s RAISE (rapid assess and incorporate software engineering) certification, which applies agile and DevSecOps<\/a> practices to embed security throughout the software lifecycle. With added guidance from external partners RegScale and Raven Solutions, MCCS drastically cut down ATO approval times.<\/p>\n

\u201cWith these tools and partners, we were able to build an agile ATO process and a CI\/CD pipeline to custom-build, secure, and deploy systems much quicker,\u201d Raley explained.<\/p>\n

The impact was immediate. Rather than treating IT systems like tanks\u2014purchased once, then maintained for decades\u2014Raley and his team could now constantly push software updates through a pipeline that automatically checked for security compliance in real time.<\/p>\n

Tech services made more secure and efficient by Operation StormBreaker, include:<\/p>\n

All Marine Corps community services websites<\/p>\n

Content delivery system<\/p>\n

Event management and appointment booking systems<\/p>\n

E-commerce and point of sale systems<\/p>\n

Human resources system<\/p>\n

<\/a>The challenge of tech innovation in a bureaucracy<\/h2>\n

The biggest barrier during Operation Stormbreaker, according to Raley, was the bureaucratic nature of working inside the government.<\/p>\n

MCCS faced what Raley called the \u201cfrozen middle,\u201d a web of disconnected gatekeepers and systemic inertia that slowed innovation. As a result, Raley was consistently up against long delays that are all too common with traditional authorization processes that depend on massive batches of security checks.<\/p>\n

To push past these limits, Operation StormBreaker separated work into \u201cbatch sizes of one,\u201d validating each security control step by step instead of waiting until the end. This new process, while very effective, was a culture shock for teams accustomed to linear, project-based work.<\/p>\n

\u201cWe had to help teams understand the difference between being a waterfall project organization and a product-based team culture,\u201d says Raley. \u201cNow, we deliver in two-week sprints, focus on minimum viable products, and treat every system as a living, breathing product that evolves.\u201d<\/p>\n

Equally important was building trust across departments. Operation StormBreaker brought together compliance officers, cybersecurity leaders, and acquisition staff. With persistence and transparency, Raley and team helped turn skeptics into collaborators.<\/p>\n

<\/a>Increasing speed, strengthening security, saving money<\/h2>\n

Since launching in 2023, Operation StormBreaker has dramatically reduced ATO times and cut millions of dollars in wasted costs.<\/p>\n

\u201cThe game-changer for MCCS is we can now deliver software capability and get an authorization in one day instead of 18 months,\u201d says Raley.<\/p>\n

\u201cWhen you\u2019re doing development with a CI\/CD pipeline, the RAISE process has a designation to confirm that the workload is meeting [Department of War] security requirements. This can be done in 15 minutes through automation. So, that bottleneck of waiting 18 months to get the ATO is gone because we get authorization while we\u2019re building.\u201d<\/p>\n

Additionally, by shifting cybersecurity \u201cto the left,\u201d developers now get instant feedback, learning to code securely from the start. That approach has significantly decreased security vulnerabilities as well as approval times.<\/p>\n

In terms of financial impact, each system approved through the new DevOps and agile development process saves MCCS about $1 million per ATO, says Raley. In two years, the program eliminated more than $10 million in delay-related costs.<\/p>\n

Operationally, Marines and their families now experience more user-friendly digital services. One of the first wins of the project was consolidating facility websites across 17 Marine Corps installations. Before StormBreaker, each facility had its own website, making it confusing for Marines moving from one station to another.<\/p>\n

\u201cNow they have a unified experience,\u201d Raley said. \u201cIt\u2019s easier to find information, navigate websites, and, most importantly, those sites now all meet DoW security requirements.\u201d<\/p>\n

For its Operation Stormbreaker project, MCCS earned a <\/em>2025 CSO Award<\/em><\/a>. The award honors security projects that <\/em>demonstrate outstanding thought leadership and business value<\/em><\/a>.<\/em><\/p>\n

<\/a>Breaking the mold: Lessons from Operation StormBreaker<\/h2>\n

For public-sector CIOs and security leaders, Operation StormBreaker offers a classic case for how to modernize IT services without sacrificing security.<\/p>\n

Here are three lessons Raley learned during the project:<\/p>\n

Reconsider how you think about risk<\/strong><\/h3>\n

Too often in government, compliance risk overshadows mission risk. Raley urges leaders to think beyond checkboxes.<\/p>\n

\u201cWhen you focus on just the compliance element, the mission or business outcome ends up serving compliance,\u201d he says. \u201cBut that\u2019s not the point of compliance. Compliance exists to ensure the mission and security risks are being considered. It shouldn\u2019t overshadow the actual business outcomes you\u2019re trying to achieve.\u201d<\/p>\n

Don\u2019t accept \u2018no\u2019 at face value<\/strong><\/h3>\n

Bureaucracies tend to default to caution, but Raley stresses that progress requires persistence.<\/p>\n

\u201cI\u2019m often told \u2018no\u2019, but there isn\u2019t a real reason other than saying \u2018no\u2019 is the least risky option. So I\u2019ve had to press through and ask, \u2018Why is this a no? What is the issue? Is this something we can overcome?\u2019\u201d<\/p>\n

Understand that speed and security can co-exist<\/strong><\/h3>\n

Moving faster doesn\u2019t mean cutting corners. In fact, Raley argues, speed makes systems more secure.<\/p>\n

\u201cThere\u2019s a misnomer that being slow and methodical leads to better security, but there doesn\u2019t have to be a trade-off between security and speed,\u201d he says.<\/p>\n

\u201cWith DevOps and agile development, we run workloads through a CI\/CD pipeline every night. If a new vulnerability pops up, we kill it immediately. The process is continuously monitoring and showing a real-time view of your security posture. It\u2019s proof you can move faster and<\/em> be more secure.\u201d<\/p>\n

<\/a>From bottlenecks to agile breakthroughs<\/h2>\n

Operation StormBreaker is an IT success story\u2014but it also validates that cultural shifts are possible in a bureaucracy. By tearing down silos and embracing DevOps and agile development, MCCS has shown that even entrenched government procedures can be reinvented.<\/p>\n

And the timing couldn\u2019t be better. With 14,000 employees and $1.2 billion in revenue supporting Marines and their families, MCCS now has the tools to deliver services at the speed of modern life.<\/p>\n

\u201cThis process allows us to deploy capabilities orders of magnitude faster, at a fraction of the cost,\u201d Raley said. \u201cAt the end of the day, that\u2019s the real value of Operation StormBreaker.\u201d<\/p>\n

Modernizing IT at Mission Speed<\/strong>
The Marine Corps\u2019 Operation StormBreaker proves that even the most entrenched bureaucracies can deliver faster, more secure digital services. Discover how other CSO Award winners are driving innovation and leadership\u2014register for the CSO Conference & Awards today \u2192\u00a0CSO Conference & Awards<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

The U.S. Marine Corps is celebrated for its precision and ability to adapt on the battlefield. But behind the IT scenes, another battle was taking place against outdated IT systems that made it harder to serve Marines and their families. That\u2019s where Marine Corps Community Services took command. The organization is the department within the […]<\/p>\n","protected":false},"author":0,"featured_media":4855,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4877","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4877"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4877"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4877\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4855"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4877"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4877"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4877"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}