A Naval Information Warfare Center (NIWC) Atlantic enterprise engineering team recently began deploying in earnest its paradigm-shifting methodology for developing software.
Modeled after the U.S. Air Force’s “Kessel Run,” the newly accredited Operational Application and Service Innovation Site (OASIS) enables NIWC Atlantic’s Expeditionary Warfare (ExW) Department to provide “DevSecOps” — development, security and operations — to the U.S. Marine Corps for the first time.
DevSecOps is a commercial best practice that has revolutionized the software industry and only recently made inroads in the U.S. military.
“When you look at industries in the commercial sector, you see they are no longer, for example, a logistics company — they are a software company with trucks,” said NIWC Atlantic Executive Director Peter C. Reddy. “The Department of the Navy has to become a software company with warfighters. And because countless software-based battlefield missions can immediately benefit from the DevSecOps approach, the future of OASIS is critically relevant to operations in the information environment.”
The U.S. Air Force was the first service to experience success employing the DevSecOps concept more than two years ago. Named after a “Star Wars” smuggling route, Kessel Run has achieved enormous success in efficiencies and attracted the attention of high-level Department of Defense (DoD) leaders.
In the broadest terms, DevSecOps means “delivering value to customers faster.” It pairs programmers (Dev) with system administrators (Ops) while also embedding security (Sec) into every step of development.
“Baking feedback into the process allows the end-users’ thoughts to make it back to the coders building their product,” said Erik Gardner, NIWC Atlantic’s OASIS director and Palmetto Tech Bridge representative. “Marines have an immediate voice in the development of what will be fielded.”
In recent years, the DevSecOps model has steadily built on the successes of “agile” and “lean startup,” two major software-development methodologies known for shrinking the traditional “waterfall” approach of planning-designing-developing-testing-delivering into small increments called minimum viable products (MVPs).
Instead of taking years to deliver a product that may fail to meet the customer’s needs, lean startup promotes a “fail fast” approach, scheduling MVPs every week or two for customers to grade and developers to improve.
Along with agile and lean startup, automation is a key driver in a DevSecOps environment. Automation enables services using artificial intelligence and machine learning to continuously report on a platform’s functional health, including key metrics related to cyberattacks, number of users, outages and degradation.
“Software factories are popping up all over U.S. military organizations, but OASIS is unique,” said Jeff Hays, a NIWC Atlantic enterprise engineering team lead. “By not focusing on a single pipeline, or single platform, OASIS is giving technology professionals the power of the latest mainstream tools, coupled with the power of choice.”
Another major draw of DevSecOps is the enormous potential in savings. Unlike the monolithic “waterfall” processes of the past, if an MVP fails, there’s not a huge impact in terms of resources, and program risk is actually reduced, said Robert Neuman, a NIWC Atlantic technical lead in enterprise engineering and integration services.
“You roll back maybe a week,” he said. “It’s not this multi-million-dollar failure in acquisitions.”
Tony Stafford, NIWC Atlantic’s DevSecOps command coach, said the software factory concept is, in many ways, about reducing the friction between the team providing the solution and the user, while also minimizing the time and steps to get a tool into the warfighters’ hands.
“Generally speaking,” Stafford said, “government bureaucracy tends to be additive, growing the distance between builders and users. That is why OASIS is designed as a central hub for the naval enterprise, to find and minimize inefficiencies.”
Over a year ago, the ExW Department’s Expeditionary Enterprise Systems and Services (E2S2) Division initiated OASIS in support of a U.S. Marine Corps request by the Deputy Commandant for Planning and Resources to improve enterprise software development.
Last summer, E2S2 achieved initial operational capability for OASIS, cementing the status of DevSecOps at NIWC Atlantic by implementing nearly 30 inherited automated platform services and nine automated application development services — prospective DoD solutions for everything from business operations to tactical systems.
The Marine Corps Business Operations Support Services, or MCBOSS, was the very first DevSecOps capability developed by the OASIS team. MCBOSS is a multi-platform environment that includes services like PEGA, Appian, MarkLogic and Pivotal Cloud Foundry.
Critical to the overall objectives of OASIS, a team called Application, Development and Test Services (ADTS) creates the majority of the automated testing and building that makes DevSecOps possible within the MCBOSS environment.
“If the MCBOSS platforms were cars, the ADTS services would be the gasoline, oil and electricity,” noted Jason Anderson, a NIWC Atlantic cloud engineer and DevSecOps lead.
Soon after MCBOSS was stood up, the Marine Corps went live with its first OASIS-developed application, the Inspector General (IG)’s Case Action Management program, which provides real-time tracking of data related to IG investigations.
More recently, OASIS executed a Naval Innovative Science & Engineering project to verify the interoperability of U.S. Marine Corps applications developed in OASIS with the Navy’s Consolidated Afloat Network and Enterprise Services (CANES).
Anderson noted that bringing DevSecOps to a traditional organization for the first time has required considerable shifts in culture and philosophy. He said real software that addresses real problems in real time requires not only strong automation but good listening skills.
“In a DevSecOps culture, it’s better to have 20 different interviews with 20 different people who all have the same problem than reading a requirements document,” Anderson said. “We will probably hear that 12 of the 20 are saying something totally different than what’s on paper. Each perspective matters.”
In time, with its secure cloud-computing architecture ready to host applications, the OASIS team will be well positioned to integrate critical enterprise-level initiatives that seek to modernize the DoD network.
“We continue working with our NIWC Pacific peers in driving DevSecOps solutions across the Navy Enterprise and DoD as well,” said Kathryn Murphy, a senior scientific technical manager in software development. “The key to our continued success with initiatives such as OASIS will be in creating an awareness of available software factories and preparing the workforce to successfully use them.”
Neuman pointed out that getting the best technologies onto the modern battlefield has been the mission of the DoD’s Defense Innovation Board (DIB), which was stood up in 2016 to bring the technological innovations of Silicon Valley to the U.S. military.
Last year, the DIB released an important paper called the Software Acquisition and Practices study, which not only highlighted the need for a “new acquisition pathway” but also addressed the sluggish pace of software development in government.
“They basically pointed out how we had been told since the 1980s that we needed to change the way we did software,” Neuman explained. “They told us the problem wasn’t that we didn’t know that. It was that we didn’t act.”
By and large, proponents of the DevSecOps method say traditional procurement processes are fundamentally incapable of putting the latest software-powered equipment on the modern battlefield, where rapidly changing technologies alter the landscape at lightning speeds. They say mindsets must be challenged, and change is more than just inevitable: it is constant.
Gardner, who has compellingly driven the OASIS initiative from the beginning, said the bottom line is that radical cultural shifts in practice and thinking are needed in software development to speed solutions to the warfighter.
“It’s not just that old processes and regulations translate into later delivery times. It’s that the status quo in just about any area of technology will, in the end, put the wrong thing in the hands of the warfighter,” he said. “We just can’t afford to make that mistake.”
As a part of Naval Information Warfare Systems Command, NIWC Atlantic provides systems engineering and acquisition to deliver information warfare capabilities to the naval, joint and national warfighter through the acquisition, development, integration, production, test, deployment, and sustainment of interoperable command, control, communications, computer, intelligence, surveillance, and reconnaissance, cyber and information technology capabilities.
Naval Information Warfare Center Atlantic