The first DevSecOps multi-platform capability
for the Marine Corps
Dated: Apr. 22, 2020
What is MCBOSS?
The Marine Corps Business Operations Support Services (MCBOSS) is a revolutionary multi-platform, cloud-enabled environment that allows users to access and build applications for Marine Corps use. It was the first DevSecOps capability developed by the Naval Information Warfare Center (NIWC) Atlantic team, providing DevSecOps to the U.S. Marine Corps for the first time.
Why was it built?
The Problem: Legacy Systems
Before MCBOSS, the Marine Corps had little in the way of cloud-enabled computing, and if they did, it took months to vet for security. Their legacy systems were operating relatively well, but software updates were slow — measured in years. They needed a cloud-enabled platform able to rapidly update with an authority to operate (ATO).
DevSecOps is the strategy—development, security, and operations. But what is the execution?
As part of the Application, Development, and Test Services (ADTS) group, our team constructed the majority of the automated testing and development, which enables the DevSecOps process within the MCBOSS environment. Our team built custom software factories, or integrated sets of tools and data, for the project. These factories can help automate development and deployment of updates to the environment after they are built.
We prioritized Infrastructure as Code (IaC), utilizing cloud agnostic tools such as Terraform to provision the environment.
We automated the security and hardening into the IaC scripts so that hardened, secure environments can be provisioned at any time.
We provided a secure, accredited hosting environment in AWS GovCloud so that application owners/developers can focus on software delivery vs software deployment, hosting, and OS hardening.
We also furnished cloud resources and operational services using the “X as a Service” concept.
Lastly, we utilized the software factories approach to provide a list of hosting platforms, accept the code base from application owners, and then deploy/host the software.
MCBOSS is now fully operational, with approved applications running on the platform. These include:
- Appian – A low-code platform that provides capability for enterprise application development.
- Pega – This provides a no-code platform for model-driven, unified enterprise-grade, agile application development.
- Pivotal – This platform is a unified, multi-cloud system that runs enterprise applications at scale.
- Tactical service-oriented architecture (TSOA) – TSOA is the Marine Corps service aligned with the DoD’s net-centric services strategy (NCSS), which is an effort to better enable our warfighters by using the latest—and most secure—technology.
Most importantly, MCBOSS now has a Continuous Authority to Operate (C-ATO), meaning it will be approved for use throughout its lifecycle.
Going forward, the Marine Corps can utilize and develop applications to better serve its business operations and, in turn, its warfighters. Having that secure, approved environment also saves time and money when completing agency objectives.
With the success of MCBOSS, federal agencies are no longer doubting the effectiveness of the DevSecOps approach. We expect to see the practice become the norm rather than the exception. Improvements in integration, automation, security, and remediation have become important influences across the government in developing and prioritizing secure code.