To institutionalize DevSecOps, Navy’s Black Pearl aims to ‘commoditize the boring stuff’

On this week's edition of On DoD: When the Navy set out to simplify its journey to modern software development, officials decided not to reinvent the wheel. ...

When the Navy Department set about the process of simplifying its journey to modern software development, officials decided it didn’t make much sense to reinvent the wheel. So instead of building a software factory and development pipeline from scratch, they borrowed heavily from the Air Force’s Platform One initiative and tailored it to the Navy’s needs where necessary.

On this week’s edition of On DoD, Jared Serbu talks with Manuel Gauto, the chief engineer for Black Pearl, and Bob Stevens, a vice president at Gitlab, the company that provides the development platform Black Pearl runs on.

A transcript of the interview is below:

Jared Serbu: Manuel, let’s start with you, since Black Pearl is a relatively new organization. Give us a little background on where you came from as an organization, what you’ve been up to, what some of your prime objectives are for the sea services.

Manuel Gauto: Yeah, of course. So we originated out of the CTO shop of the Department of the Navy. And what kind of happened was, with this DevSecOps revolution that was going through DoD, we had a couple upstart DevSecOps initiatives in the Navy, prior to them really being called software factories. And what happened was, we had a couple of false starts where the Navy would invest a ton of money into standing up one of these DevSecOps environments. And they would get to the point where they had some basic functionality, and then kind of got to a ‘now what?’ moment. And at that point, they’d expended resources and weren’t really putting them towards the modernization objective that’s kind of the heart of the whole thing — accelerating delivery and all of that. So the thesis behind Black Pearl is, how do we commoditize that first step, provide the infrastructure and the tooling, so that someone that has an actual mission can skip ahead to, ‘Okay, what does DevSecOps mean to my mission? How does it improve the capability that I’m delivering? And how do I ultimately help the warfighter?’

Jared Serbu: Yeah, and it seems like there’s a couple interesting things going on here, right? Not only are you, across the Department of the Navy, telling folks, ‘Hey, don’t build your own DevSecOps stack, we can do all of that process for you — let’s not reinvent the wheel.’ Black Pearl itself didn’t do that. You borrowed heavily from Air Force Platform One as I understand it. Can you talk about how much you grafted on to Air Force Platform One, how much is really Navy unique here, and why you chose them as a partner?

Manuel Gauto: Yeah, absolutely. So I mean, the Air Force has been honestly trailblazing with the DevSecOps stuff, with Kessel Run, and all those really famous software factories. So when it comes to Platform One, the original idea was actually to just reuse everything they had as-is, including some of their common environments. But the struggle we ran into, which has never happened in DoD history before, is we ran into compliance problems — compliance and accreditation issues. So what we ended up having to do is take a lot of the Platform One technology, and kind of backfill that paperwork to get it accredited, which required us to kind of redeploy and control certain parts of it. And we also deviated from Platform One a little bit in that, when we go to a customer, we want to be able to say, ‘Hey, we guarantee from soup to nuts every piece, and we’ll offer this as a managed service to you all, and you just do not have to worry about any of this.’ Which means that from a technical perspective, we had to do a little more in terms of security and kind of taking a little bit of choice away, ultimately, to be able to make those guarantees. But we still collaborate with them. We push code to them, they push code to us. So it’s still pretty collaborative.

Jared Serbu: And I think a lot of that assurance, or that guarantee comes from the fact that the underlying platform is accredited up to I think [impact level] five, which is run by you folks at GitLab, right, Bob? Can you talk to us a little bit about what this experience working with the Air Force and the Navy has been like, and how different bringing your product offering to a military setting has been, compared to what it’s like with your commercial customers?

Bob Stevens: Well, one of the things is they tend to drive us a little more to produce functionality or features faster, which is a good thing in the end, because that benefits not only the customer, but also the company. But just as an example, shifting security to the left, which is part of our platform, was really born out of the conversations that we’re having with the Air Force and Platform One. So you’re doing security by design, rather than bolting it on at the end. So that’s just an example of working with the government that helps drive the company to be able to produce things a lot faster. Another is speed to mission. There’s lots of facts and figures out there from Platform One, but the bottom line is that they were able to reduce the amount of development time from months to weeks or days, which is super important when you’ve got a mission as important as our DoD does.

Jared Serbu: Manuel, pick up that thread, if you would. What sorts of other guarantees can Black Pearl make to Navy customers, stuff that they don’t have to worry about on their own?

Manuel Gauto: I think fundamentally, the thing we’ve had the most success with is saying, ‘we understand you. We understand where you’re coming from.’ We deploy to different places in the Navy. There’s always interbranch politics, right? So I think our biggest thing is, hey, we know your mission. We know where you’re trying to go. And we can also talk to the same people that are causing you compliance headaches and speak their language to them to enable you guys to actually deliver and not have to sell DevSecOps anymore. We can kind of do that for them, so they can focus on actually doing their jobs, and we’ll just serve that enablement capacity for them.

Jared Serbu: Don’t necessarily need to name names here, but where have the biggest compliance headaches tended to be so far? And I’m not talking about individuals here, I’m talking about the process. Where have the biggest process problems tended to be?

Manuel Gauto: Yeah, so I think that fundamentally, the technology is ahead of the process. So we’ve had difficulties even just translating some of the ideas that a tool like GitLab provides the community, and how do you capture that and present that to someone that ultimately needs to make a risk decision in a way where they’re comfortable with it? And like just serving as that intermediary, and pushing policy forward is where we run into it.

Jared Serbu: And how about on the compliance side that you mentioned? What were some of those early compliance problems that you mentioned running into, and what have you been able to do to overcome those?

Manuel Gauto: It’s paperwork. It’s always paperwork, right? It has to be in the right format with the right boxes checked, and you have to have the right backing material. Platform One did a lot of great work from a technical perspective. So the technology was there, the security was there, we just needed to kind of take that and present it in a way that was acceptable by the Navy community, within the Navy process. It was always less about security, and more about like, ‘Hey, we gotta check that box.’ Which, as we’ve seen, the Navy is trying to move away from that. Aaron Weis has talked about how it’s more about cyber readiness, rather than cyber compliance. But I mean, tactically, there’s still boxes to check, there’s still work to be done. And it offers some value. But that’s mostly what we ran into is making sure we had the thing to check the box.

Jared Serbu: Let’s talk about what you’ve actually been able to do here so far. I know it’s still relatively early days. But talk about the size of your customer base, within the DON, what sorts of things you’ve been able to ship so far. How much has this scaled so far?

Manuel Gauto: So I think we’re officially in the high hundreds of users. We’ve had a couple cool customers come on board thus far. So we’ve been working with the Minotaur team and the F-18 teams, and they’re kind of working on mission planning, real-time intel sharing in the field. And some of the stuff that we’ve really been able to do is take real production code bases, put them in a place that everybody can get to, that everybody can collaborate around, and actually start living and breathing those agile DevSecOps ideas. And to be honest, from a shipment perspective, a lot of the Navy programs aren’t even there yet. They’re still at the stage of saying, ‘What is this agile thing?’ or realizing that you can’t just call a one-hour-long meeting a stand-up and say that’s DevSecOps. So we’re finally at a place now where I think we have the tools in place to enable the Navy to really discover what the potential is for this more modern software development approach.

Jared Serbu: You said there’s not many there yet. Are there any that you can point to that are kind of early success stories?

Manuel Gauto: Yeah, so I think the Forge [software factory] in particular and the Aegis team. They started working with Platform One originally and are now moving to work with Black Pearl. And they’re working on refactoring the crown jewel of the Navy’s weapon system, right: the Aegis Weapon System. So they’ve delivered some cloud-based apps for some of their back-of-the-house stuff. We’ve worked with them to kind of start putting together the prototypes that they’re pushing on to an actual ship in terms of runtime platform. They haven’t quite gotten to the point of completely refactoring a multibillion-dollar weapon system, but they’re definitely getting wins there in terms of delivering apps to the cloud and starting to get stuff — real software — real modern software, on a ship.

Jared Serbu: And Bob, I want to get you back in here too. The DoD, as a matter of policy, has basically said they want everything Manuel’s talking about to be the way things are done for software development across the department, and not the exception. Based on what you’ve seen in the DoD space, is it going to be difficult to scale these tools so that that can become a reality? What are some of the challenges you see in kind of recognizing that vision and making this the de facto way things are?

Bob Stevens: Yeah. Manuel actually said it without saying it. It’s the culture change that has to occur — it’s a new way to think about doing development. It’s super beneficial, pretty much across the board. Manuel talked about the visibility that the team has; the collaboration that can occur, right? The F-18 pilot can participate in the development of a tool that’s being built for them, and understand exactly what’s being built all along the way. So by the time the product comes out, they’re bought into it because they’ve had a piece of it. That requires a cultural shift, first of all, for the developer to trust that pilot to actually provide them with input, but also collaboration between the security team and the development team. Security folks want development to go slower, right, so that it’s the most secure product. Developers want to go faster, and of course, the end user wants it yesterday. So it’s all a cultural shift that needs to occur. I think that’s the biggest barrier.

Jared Serbu: Manuel, same question, really. I mean, you’re small, totally understandable at this point, but what challenges do you see other than the cultural ones that Bob just talked about in terms of scaling Black Pearl up?

Manuel Gauto: I want to piggyback off something Bob said really quickly. So I think that one of the unique things that Black Pearl has, that honestly feels like a challenge to me sometimes, is that we are a very real thing that tests all of these ideas, right? Everybody talks about cyber readiness. Everybody talks about modernizing software development, what does it mean when end users can give feedback? And that all sounds great, but there’s a lot of details, right? That cultural change, you hit the inertia of a very old, very set-in-its-ways institution. Black Pearl provides the very real thing that’s trying to push for that. And we feel it every day — the pushback from the different stakeholders and everything. And in terms of scalability, in the long, long term, I think it all boils down to talent and resource management. The DoD has very, very difficult problems and the resources that are at our disposal within the DoD in terms of talent can really hold us back. One of the things that we’re trying to figure out with Black Pearl is how do we take the resources we have and offer them in a more sustainable way to the enterprise, so that when people really get stuck on an A-level problem, we have the A-level resources they need to fix that problem. And that’s one of the things that keeps me up at night. Who comes after Manuel? Who comes after my team? This thing is going to get bigger than me. We really need those people in the department.

Jared Serbu: The talent piece is interesting. Can either of you talk about kind of the civilian, contractor, military mix in these projects and how that’s all working? I know there’s not unlimited talent on the outside, either, but how easy is it to bring in people who do have more experience with the DevSecOps way of things and pull them in to offer some expertise?

Bob Stevens: One of the things that the pandemic did was drive people to remote work, right? And as a result of that, the software factories have been able to attract talent in places they’ve never been able to before. Some of these factories are being built in places that are desirable for people to live, and the fact that they can do this all-remote work, and collaborate, and be more productive than they have been in the past, I think has really opened up the opportunity for the DoD. I mean, if you’d told me three years ago the Air Force [Platform One team] was gonna go all remote, I’d be like, ‘You’re crazy, that’s never gonna happen.’ Today, not only have they done it, but they’re continuing to do it. And I think they plan to do it long into the future, because I think they’ve recognized the benefits of being able to get talent anywhere in the United States, versus just basically around the bases. That’s just not the case anymore. So I think that that has really, really helped DoD become better at the development game.

Jared Serbu: Manuel, you want to elaborate on the talent piece at all?

Manuel Gauto: So one of the big changes I’m seeing is — for example, I’m a contractor. I don’t think I would work directly for the government. I don’t think I would be a government GS schedule employee, just considering how things are in the market right now. So I think one thing that has changed for the better is that the government is being much more collaborative with the contracting community, the industrial base, and willing to empower them to make decisions and run the platform. So I don’t get pushback from some government person when I make a technical decision. They’ll ask questions, but I’ve never been told completely like a flat-out, ‘No, you can’t do that. I like this better, you have to use this.’ And I think that’s the right step forward. Outside those key positions, thankfully the remote thing makes it much easier because we can access a talent pool we didn’t have before. But we do need to figure out how we incentivize people to come work for the government, even on the contractor side. And how do we encourage them to stay? Because we have really cool problems to solve. So I feel like we have a really good product to sell in terms of attracting talent.

Jared Serbu: It’s, I gotta say, surprising to me that you’re a contractor. It’s not what I would have assumed. Any observations from either of you about increasing openness among DoD leadership to allow that sort of thing? That feels really new to me that that’s even a possibility.

Manuel Gauto: I think it is, and I think this is one of the things that Black Pearl has done well. So we actually were started [as part of] the Presidential Innovation Fellows Program. We had a PIF with us to kind of first start breaking down the doors. And that’s one of the big wins from his time is he went to leadership and said, ‘These are the guys you want, they’re going to make it happen, and you need to work with them to make this happen.’ And ever since then, we’ve worked really closely with Navy leadership all the way up to the SES levels, the C-suite. And Mr. Weis, and [DON CTO Jane] Rathbun have all been super-open to hear ideas. They listened to us and we speak to them directly about where we think these things should go. And they’re more than willing to say, ‘This is how I feel about it, this is what I think should change.’ And I think more broadly, they let us speak to the community about how we think things should be done, and they’re willing to let us kind of evangelize our own ideas as well.

Bob Stevens: It’s about partnership. And I think that the true partnership is being embraced by the government. I think they’ve recognized for a long time, that they need industry to be able to do what they do. But — and maybe this is a result of the pandemic, I don’t know — now, it’s like, we need industry more now than ever. And there’s a ton of expertise that we can get working with contractors, and empowering the contractors is really what Manuel was saying. The contractors are empowered now to make decisions on behalf of the network, because they’ve earned that trust. And I think that that’s just going to continue to grow and be more crucial to the success of the DoD.

Jared Serbu: Changing gears a little bit here. Manuel, what’s your basic sales pitch to the rest of the naval community as to why they should use Black Pearl instead of doing everything they want to do within their own program management office?

Manuel Gauto: So I think fundamentally, it’s that we commoditize the boring stuff that comes with DevSecOps to enable the mission owners to do the important, cool stuff that comes with DevSecOps. We make sure the lights stay on so that the people in the office can do their jobs. I think that’s fundamentally what we’re selling.

Jared Serbu: And how do you overcome the trust piece? Because they don’t control anything that you do, and generally, people in this space want to have control. So the reaction sometimes has got to be well, what if Black Pearl goes down? What if one day I can’t rely on it anymore?

Manuel Gauto: So I think there’s a couple of pieces there, right? We’re also building off the shoulders of giants. We’re building off that Platform One pedigree. People love seeing the paperwork that we’ve done, we have our eMASS package, they can go in there and look at all the compliance stuff. We are using the same best-of-breed technologies, like the GitLabs of the world that they’re familiar with. And then honestly, it also comes down to the fact that this is not my first rodeo in the Navy. I was personally involved with a lot of the software factories that sprung up, I was there with the precursor to the Forge, I was helping out the ACS folks over on the west coast. Leadership has also put out like, ‘Hey, this is something where we’re behind.’ They’re seeing the trust between us and leadership. And there is still some of that, ‘I don’t control it, I’m scared, what if it goes down?’ But the last piece I’ll say is it’s still better than what we have today. The government doesn’t have control, in a lot of situations, over their source code. Their integration environments are locked away in some lab, controlled by some prime contractor. And now the alternative of presenting them with a common environment you can log into today — it’s controlled by the government, it’s government managed — like, that’s a completely different pattern.

Jared Serbu: And how does the pricing structure work? Do you feel like you’ve got something in place at this point where you’ve got a funding stream that’s sufficient to keep the platform running and innovating, but at the same time isn’t cost prohibitive for the people you’re trying to attract?

Manuel Gauto: Yeah. So when I think of the big things that we tried to do right from the beginning — lessons learned from the other software factories — we needed to be financially and programmatically viable. So we’ve priced ourselves in a way where we did that a couple of ways. We kept the team lean, so our costs are low. And because of that we’re able to keep the prices fairly reasonable when it comes to what we offer to our users. So our general pricing structure is like any commercial software-as-a-service solution; we charge per-head, per-month. So they can plug a number into a calculator and they get a number out. The costs are predictable and linear. And in terms of viability, we’re good. We could operate as-is indefinitely.

Jared Serbu: And do you offer anything in terms of a cloud environment to actually run the end product? Or are you just focused on the development platform at this point?

Manuel Gauto: That is a great question. So the technology is in place, the environment is actually up, it actually runs our website. We’re just doing the same exercise we did on the development side: we have to go back to the accreditation officials and make them comfortable that we’re doing this the right way. And that’s what we’re going through right now.

Jared Serbu: It seems like that sweetens the pot, too. I mean, you’re coming to customers with even more of a full package that says we’re gonna do even more for you.

Manuel Gauto: Exactly. And we’re trying to grow with the customer base, because we’re having people that are getting to that point where they’re ready to start deploying right now. And we want to be there ready for them when they get to that point to be like, ‘Absolutely, we’ll put you right there, and then you can get to it wherever you want.’

Jared Serbu: Last thing, Manuel. Where do you want to go in the next 2, 3, 5 years? How big can Black Pearl get? What are your big obstacles toward becoming the preeminent development center for the entire department of the Navy?

Manuel Gauto: This is where I get in trouble. So I want Black Pearl to enable development for all software in the DON. I don’t want to control development, I don’t want to control deployment, I just want to take that problem away from everyone in the Department of the Navy, and let them focus on doing their jobs — getting software out to the fleet and making sure that they can do their jobs, that our sailors stay safe and that we’re making this nation safer.
