The U.S. Marine Corps is celebrated for its precision and ability to adapt on the battlefield. But behind the IT scenes, another battle was taking place against outdated IT systems that made it harder to serve Marines and their families.
That’s where Marine Corps Community Services took command. The organization is the department within the USMC responsible for programs that improve Marine quality of life, from child care and family counseling to fitness centers, retail stores, and dining facilities.
Yet, MCCS was bogged down by sluggish IT processes. Approvals for new systems—known as authorizations to operate (ATOs)—could take years and cost more than $1 million per system. These roadblocks made it difficult to keep pace with modern needs.
“With IT service delivery, there are many constraints that create very long cycle times,” says David Raley, digital program manager at MCCS. “It may take five years for a capability to be available because of ‘waterfall’ practices and legacy compliance around security.”
That frustration set the stage for Operation StormBreaker, a groundbreaking initiative that used DevOps and agile development practices to redefine how IT systems are developed, tested for security, and approved.
Operation Stormbreaker rethinks the development playbook
By 2023, MCCS had run out of patience with the rigid, sequential waterfall development, and decided to build Operation Stormbreaker around DevOps and agile practices that rely on automation, short iterations, and constant feedback.
Raley and his team began by creating a Marine Corps–authorized landing zone in Amazon Web Services, allowing security controls to be inherited across multiple systems. They then paired that foundation with the Department of the Navy’s RAISE (rapid assess and incorporate software engineering) platform, which applies agile and DevSecOps practices to embed security throughout the software lifecycle. With added guidance from external partners RegScale and Raven Solutions, MCCS drastically cut down ATO approval times.
“With these tools and partners, we were able to build an agile ATO process and a CI/CD pipeline to custom-build, secure, and deploy systems much quicker,” Raley explained.
The impact was immediate. Rather than treating IT systems like tanks—purchased once, then maintained for decades—Raley and his team could now constantly push software updates through a pipeline that automatically checked for security compliance in real time.
Tech services made more secure and efficient by Operation StormBreaker, include:
- All Marine Corps websites
- Content delivery system
- Event management and appointment booking systems
- E-commerce and point of sale systems
- Human resources system
The challenge of tech innovation in a bureaucracy
The biggest barrier during Operation Stormbreaker, according to Raley, was the bureaucratic nature of working inside the government.
MCCS faced what Raley called the “frozen middle,” a web of disconnected gatekeepers and systemic inertia that slowed innovation. As a result, Raley was consistently up against long delays that are all too common with traditional authorization processes that depend on massive batches of security checks.
To push past these limits, Operation StormBreaker separated work into “batch sizes of one,” validating each security control step by step instead of waiting until the end. This new process, while very effective, was a culture shock for teams accustomed to linear, project-based work.
“We had to help teams understand the difference between being a waterfall project organization and a product-based team culture,” says Raley. “Now, we deliver in two-week sprints, focus on minimum viable products, and treat every system as a living, breathing product that evolves.”
Equally important was building trust across departments. Operation StormBreaker brought together compliance officers, cybersecurity leaders, and acquisition staff. With persistence and transparency, Raley and team helped turn skeptics into collaborators.
Increasing speed, strengthening security, saving money
Since launching in 2023, Operation StormBreaker has dramatically reduced ATO times and cut millions of dollars in wasted costs.
“The game-changer for MCCS is we can now deliver software capability and get an ATO in one day instead of 18 months,” says Raley.
“When you’re doing development with a CI/CD pipeline, the RAISE process has a designation to confirm that the workload is meeting [Department of Defense] security requirements. This can be done in 15 minutes through automation. So, that bottleneck of waiting 18 months to get the ATO is gone because we get authorization while we’re building.”
Additionally, by shifting cybersecurity “to the left,” developers now get instant feedback, learning to code securely from the start. That approach has significantly decreased security vulnerabilities as well as approval times.
In terms of financial impact, each system approved through the new DevOps and agile development process saves MCCS about $1 million per ATO, says Raley. In two years, the program eliminated more than $10 million in delay-related costs.
Operationally, Marines and their families now experience more user-friendly digital services. One of the first wins of the project was consolidating facility websites across 17 Marine Corps installations. Before StormBreaker, each facility had its own website, making it confusing for Marines moving from one station to another.
“Now they have a unified experience,” Raley said. “It’s easier to find information, navigate websites, and, most importantly, those sites now all meet DoD security requirements.”
For its Operation Stormbreaker project, MCCS earned a 2025 CSO Award. The award honors security projects that demonstrate outstanding thought leadership and business value.
Breaking the mold: Lessons from Operation StormBreaker
For public-sector CIOs and security leaders, Operation StormBreaker offers a classic case for how to modernize IT services without sacrificing security.
Here are three lessons Raley learned during the project:
Reconsider how you think about risk
Too often in government, compliance risk overshadows mission risk. Raley urges leaders to think beyond checkboxes.
“When you focus on just the compliance element, the mission or business outcome ends up serving compliance,” he says. “But that’s not the point of compliance. Compliance exists to ensure the mission and security risks are being considered. It shouldn’t overshadow the actual business outcomes you’re trying to achieve.”
Don’t accept ‘no’ at face value
Bureaucracies tend to default to caution, but Raley stresses that progress requires persistence.
“I’m often told ‘no’ to my IT project requests, but there isn’t a real reason other than saying ‘no’ is the least risky option. So I’ve had to press through and ask, ‘Why is this a no? What is the issue? Is this something we can overcome?’”
Understand that speed and security can co-exist
Moving faster doesn’t mean cutting corners. In fact, Raley argues, speed makes systems more secure.
“There’s a misnomer that being slow and methodical leads to better security, but there doesn’t have to be a trade-off between security and speed,” he says.
“With DevOps and agile development, we run workloads through a CI/CD pipeline every night. If a new vulnerability pops up, we kill it immediately. The process is continuously monitoring and showing a real-time view of your security posture. It’s proof you can move faster and be more secure.”
From bottlenecks to agile breakthroughs
Operation StormBreaker is an IT success story—but it also validates that cultural shifts are possible in a bureaucracy. By tearing down silos and embracing DevOps and agile development, MCCS has shown that even entrenched government procedures can be reinvented.
And the timing couldn’t be better. With 14,000 employees and $1.2 billion in revenue supporting Marines and their families, MCCS now has the tools to deliver services at the speed of modern life.
“This process allows us to deploy capabilities orders of magnitude faster, at a fraction of the cost,” Raley said. “At the end of the day, that’s the real value of Operation StormBreaker.”
Modernizing IT at Mission Speed
The Marine Corps’ Operation StormBreaker proves that even the most entrenched bureaucracies can deliver faster, more secure digital services. Discover how other CSO Award winners are driving innovation and leadership—register for the CSO Conference & Awards today → CSO Conference & Awards
