Marine Corps Operation StormBreaker Slashes Software Delivery Timelines by 17x

The Marine Corps Community Services’ Operation StormBreaker uses technology to dramatically accelerate software acquisition and deployment while enhancing cybersecurity. The program directly tackles the challenges of slow development cycles and burdensome authorization processes, according to MCCS Digital Program Manager David Raley, aiming to deliver critical capabilities to warfighters at the “speed of relevance.”

“Authorization was a key bottleneck, so it takes forever to acquire something and develop it and integrate and deliver it,” Raley said in an interview with GovCIO Media & Research. “And what’s unique about what Operation StormBreaker is that it’s taking a holistic end-to-end approach of that capability.”

Tackling the Bottlenecks in Defense Tech Delivery

The Department of Defense faces challenges in rapidly acquiring and deploying modern digital capabilities, hampered by lengthy waterfall development cycles, bureaucratic acquisition processes and cumbersome legacy compliance practices like the authorization to operate (ATO), according to Raley. He explained that the impetus for Stormbreaker stemmed from his own frustrations in fielding necessary digital capabilities.

“I was unable to achieve the outcomes we needed because we couldn’t get capability acquired and fielded to modernize our digital capabilities,” he stated. “Specifically, we had to, replatform all of our websites from across the enterprise and bring them in together into one unified branding thing and other many other digital things that we started to do to serve our customers.

This sentiment, he said, was widely shared across the DOD, echoing the issues being tackled by programs like the Software Fast Track (SWFT) program initiative and the reformation of the Risk Management Framework (RMF).

“I was faced by the same problems that the rest of our many other mission owners in the DOD are faced: waterfall development and acquisition practice, processes and approaches, as well as legacy compliance practices,” said Raley. “It takes forever to acquire something and develop it and integrate and deliver it, and then you bolt on the 12 to 18 months after for an authorization. You now start looking at four to five year acquisition and deployment timelines, plus 10 years of support and sustainment, because you don’t want to go do it all again.”

Inside the StormBreaker Model

Raley said that Operation Stormbreaker offers an approach to addressing these challenges be using three core capabilities built to accelerate the entire lifecycle of software deployment. The first is an authorized landing zone on Amazon Web Services (AWS), boasting FedRAMP High Security Controls Assessment (SCA) compliance, a cloud-native access point and advanced zero-trust architecture. This secure foundation is authorized by the Marine Corps and managed by the Marine Corps Cyber Operations Group.

Operation Stormbreaker also integrates the Marine Corps’ only certified DevSecOps pipeline, leveraging the Navy certification Rapid Assess and Incorporate Software Engineering  (RAISE). The third core capability is the integration of the RAISE-certified Marine Corps Software Factory within this authorized landing zone.

“That allows us to take containerized workloads and push them through the [Continuous Integration and Continuous Delivery] pipeline and deploy them into production with a continuous authorization in 15 minutes,” said Raley. “The authorizing official, through that RAISE certification process, authorizes our internal cyber team to release workloads into production without going through the [authorizing official’s] office. “

By applying DevSecOps, lean and agile methodologies to the traditional paper-based ATO process, the initiative has achieved authorizations within 30 days for workloads residing on their tiered inheritance, common control landing zone, said Raley. He added that this development delivers capabilities to the warfighter approximately 17 times faster and, thus, more relevant to mission owners.

“The longer you take to get an authorization, most likely, the less secure whatever that application is. And you’ve missed the mission outcome,” said Raley. “These cycles of technology evolution are not supporting 18 months just for authorization.”

Scaling Impact Across the Defense Department

Operation Stormbreaker aims to scale its impact across DOD. The program has submitted to become a Department of Navy enterprise service, leveraging the unique authorities of its non-appropriated fund organization within the Marine Corps, which allows it to resell services to other government agencies.

“We have our own acquisition authority, and we are not subject to the normal appropriate fund destination funding,” said Raley. “We’re interested in scaling the environment to support mission owner workloads across the DOD, who could benefit from collapsing delivery times and achieving those continuous authorizations for workloads or the 30-day authorizations for traditional workloads.”

Operation StormBreaker aligns with DOD’s software modernization goals, Raley said, by encouraging the use of marketplaces for utility software and sprint-based contracting models to improve accountability and responsiveness. Democratizing access to such platforms could significantly accelerate innovation and operational effectiveness across all branches of the military, Raley said.

“We should not be spending six, eight or 10 months writing up work statements on products that we just know we need to purchase,” Raley said.

With DOD emphasizing software modernization, the award-winning Operation StormBreaker could be part of the solution to efficiency, security and efficacy, Raley said.

“And right now we still purchase software – consumption-based software – like we’re purchasing the tank in the 1950s,” said Raley. “That’s got to stop.”