All Marine Corps websitesContent delivery systemEvent management and appointment booking systemsE-commerce and point of sale systemsHuman resources system The challenge of tech innovation in a bureaucracy: The biggest barrier during Operation Stormbreaker, according to Raley, was the bureaucratic nature of working inside the government.MCCS faced what Raley called the “frozen middle,” a web of disconnected gatekeepers and systemic inertia that slowed innovation. As a result, Raley was consistently up against long delays that are all too common with traditional authorization processes that depend on massive batches of security checks.To push past these limits, Operation StormBreaker separated work into “batch sizes of one,” validating each security control step by step instead of waiting until the end. This new process, while very effective, was a culture shock for teams accustomed to linear, project-based work.”We had to help teams understand the difference between being a waterfall project organization and a product-based team culture,” says Raley. “Now, we deliver in two-week sprints, focus on minimum viable products, and treat every system as a living, breathing product that evolves.”Equally important was building trust across departments. Operation StormBreaker brought together compliance officers, cybersecurity leaders, and acquisition staff. With persistence and transparency, Raley and team helped turn skeptics into collaborators. Increasing speed, strengthening security, saving money: Since launching in 2023, Operation StormBreaker has dramatically reduced ATO times and cut millions of dollars in wasted costs.”The game-changer for MCCS is we can now deliver software capability and get an ATO in one day instead of 18 months,” says Raley.”When you’re doing development with a CI/CD pipeline, the RAISE process has a designation to confirm that the workload is meeting [Department of Defense] security requirements. This can be done in 15 minutes through automation. So, that bottleneck of waiting 18 months to get the ATO is gone because we get authorization while we’re building.”Additionally, by shifting cybersecurity “to the left,” developers now get instant feedback, learning to code securely from the start. That approach has significantly decreased security vulnerabilities as well as approval times.In terms of financial impact, each system approved through the new DevOps and agile development process saves MCCS about $1 million per ATO, says Raley. In two years, the program eliminated more than $10 million in delay-related costs.Operationally, Marines and their families now experience more user-friendly digital services. One of the first wins of the project was consolidating facility websites across 17 Marine Corps installations. Before StormBreaker, each facility had its own website, making it confusing for Marines moving from one station to another.”Now they have a unified experience,” Raley said. “It’s easier to find information, navigate websites, and, most importantly, those sites now all meet DoD security requirements.”For its Operation Stormbreaker project, MCCS earned a 2025 CSO Award. The award honors security projects that demonstrate outstanding thought leadership and business value. Breaking the mold: Lessons from Operation StormBreaker: For public-sector CIOs and security leaders, Operation StormBreaker offers a classic case for how to modernize IT services without sacrificing security.Here are three lessons Raley learned during the project:
Reconsider how you think about risk
Too often in government, compliance risk overshadows mission risk. Raley urges leaders to think beyond checkboxes.”When you focus on just the compliance element, the mission or business outcome ends up serving compliance,” he says. “But that’s not the point of compliance. Compliance exists to ensure the mission and security risks are being considered. It shouldn’t overshadow the actual business outcomes you’re trying to achieve.”Don’t accept ‘no’ at face valueBureaucracies tend to default to caution, but Raley stresses that progress requires persistence.”I’m often told ‘no’ to my IT project requests, but there isn’t a real reason other than saying ‘no’ is the least risky option. So I’ve had to press through and ask, ‘Why is this a no? What is the issue? Is this something we can overcome?’”Understand that speed and security can co-existMoving faster doesn’t mean cutting corners. In fact, Raley argues, speed makes systems more secure.”There’s a misnomer that being slow and methodical leads to better security, but there doesn’t have to be a trade-off between security and speed,” he says.”With DevOps and agile development, we run workloads through a CI/CD pipeline every night. If a new vulnerability pops up, we kill it immediately. The process is continuously monitoring and showing a real-time view of your security posture. It’s proof you can move faster and be more secure.” From bottlenecks to agile breakthroughs: Operation StormBreaker is an IT success story”, but it also validates that cultural shifts are possible in a bureaucracy. By tearing down silos and embracing DevOps and agile development, MCCS has shown that even entrenched government procedures can be reinvented.And the timing couldn’t be better. With 14,000 employees and $1.2 billion in revenue supporting Marines and their families, MCCS now has the tools to deliver services at the speed of modern life.”This process allows us to deploy capabilities orders of magnitude faster, at a fraction of the cost,” Raley said. “At the end of the day, that’s the real value of Operation StormBreaker.”Modernizing IT at Mission SpeedThe Marine Corps’ Operation StormBreaker proves that even the most entrenched bureaucracies can deliver faster, more secure digital services. Discover how other CSO Award winners are driving innovation and leadership”, register for the CSO Conference & Awards today → CSO Conference & Awards
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4057207/how-the-marine-corps-slashed-it-delays-by-shifting-to-devops-and-agile-development.html
