Meet MCBOSS: The first DevSecOps multi-platform capability for the Marine Corps developed by OASIS

3.20 MCBOSS Case Study

 

What is MCBOSS?

The Marine Corps Business Operations Support Services (MCBOSS) is a revolutionary multi-platform, cloud-enabled environment that allows users to access and build applications for Marine Corps use. It was the first DevSecOps capability developed by the Naval Information Warfare Center (NIWC) Atlantic’s newly accredited Operational Application and Service Innovation Site (OASIS) team, providing DevSecOps to the U.S. Marine Corps for the first time.

 

Why was it built?

The Problem: Legacy Systems

Before MCBOSS, the Marine Corps had little cloud-enabled computing, and what it did have took months to vet for security. Its legacy systems were operating relatively well, but software updates were slow, measured in years. The Marine Corps needed a cloud-enabled platform that could be updated rapidly under an authority to operate (ATO).

The Approach: 

DevSecOps is the strategy—development, security, and operations. But what is the execution?

As part of the Application, Development, and Test Services (ADTS) team within OASIS, our team constructed the majority of the automated testing and development, which enables the DevSecOps process within the MCBOSS environment. Our team built custom software factories, or integrated sets of tools and data, for the project. These factories can help automate development and deployment of updates to the environment after they are built.

The details:

  • We prioritized Infrastructure as Code (IaC), utilizing cloud agnostic tools such as Terraform to provision the environment.

  • We automated the security and hardening into the IaC scripts so that hardened, secure environments can be provisioned at any time.

  • We provided a secure, accredited hosting environment in AWS GovCloud so that application owners/developers can focus on software delivery vs software deployment, hosting, and OS hardening.

  • We also furnished cloud resources and operational services using the “X as a Service” concept.

  • Lastly, we utilized the software factories approach to provide a list of hosting platforms, accept the code base from application owners, and then deploy/host the software.

 

The Results

MCBOSS is now fully operational, with approved applications running on the platform. These include:

  • Appian – A low-code platform that provides capability for enterprise application development.

  • Pega – A no-code platform for model-driven, unified, enterprise-grade, agile application development.

  • Pivotal – This platform is a unified, multi-cloud system that runs enterprise applications at scale.

  • Tactical service-oriented architecture (TSOA) – TSOA is the Marine Corps service aligned with the DoD’s net-centric services strategy (NCSS), which is an effort to better enable our warfighters by using the latest—and most secure—technology.

The Future

Going forward, the Marine Corps can utilize and develop applications to better serve its business operations and, in turn, its warfighters. Having that secure, approved environment also saves time and money when completing agency objectives.

With the success of OASIS and MCBOSS, federal agencies are no longer doubting the effectiveness of the DevSecOps approach. We expect to see the practice become the norm rather than the exception. Improvements in integration, automation, security, and remediation have become important influences across the government in developing and prioritizing secure code.

Learn more about OASIS: 

DVIDS: From Waterfall to OASIS: Navy Command's Excursion Through Kessel Run Brings DevSecOps to Marine Corps

ExecutiveGov: Navy Dept Stands Up Organization to Apply DevSecOps Software Dev’t

 


This post is written by Geocent