Sigma Defense uses GitLab to speed software delivery to US Navy

Based in Perry, GA, Sigma Defense has approximately 800 employees, with more than a dozen locations around the globe. The company builds and deploys command and control software for the U.S. Navy’s Aegis system, autonomy software for unmanned vehicles, and communication systems for F-18 supersonic aircraft.

Sigma Defense’s customers depend on them to quickly, efficiently, and securely provide them with software and systems that are critical to U.S. national security. The organization is tasked with building advanced solutions that stay ahead of emerging threats, and accelerate information collection and sharing for faster decision-making and better mission outcomes.

Before Sigma Defense first adopted GitLab early in 2021, the company was weighed down with a growing sprawl of software factories, an umbrella term for DevOps tools and processes, the people who use them, the buildings they work in, and even the ships, planes, and unmanned vehicles the software works in. For each new project the company began working on, a new software factory had to be spun up with team members choosing their own tools, which created a costly duplication in time, infrastructure, and investment. It also meant silos were repeatedly popping up across the organization, prohibiting different teams from working together and sharing a common place for reusable code to live—bridling their productivity, efficiency and speed.

Sigma Defense, working with the Navy’s IT services team, PEO Digital, created the DevSecOps environment, Black Pearl, to eliminate that duplication and the silos and complexities that came along with it. GitLab’s AI-powered, end-to-end DevSecOps platform is at the heart of that new environment, dismantling silos, fueling collaboration, and speeding software development and delivery—all while more easily and efficiently meeting compliance regulations.

GitLab, in essence, gives Black Pearl its DevSecOps capabilities and a single platform to power its pipelines and tools. Automated security scanning is conducted, and software planning, development, testing, documentation, and deployment all occur within GitLab. By using GitLab, DevSecOps teams from across Sigma Defense now can work together on projects, visualize progress and bottlenecks, help create efficiencies, and speed secure software to deployment.

After adopting GitLab, the organization saw benefits in both time and money. For instance, the time it takes to set up software factories was cut from about six months to three to five days. As for the cost of software factory deployments, that was slashed 90%, going from about $4 million to $400,000.

“GitLab is the core of our DevSecOps capabilities. It’s where we go to develop, deliver, and work together. It’s where we get things done,” says Josh Metheney, director of engineering at Sigma Defense, noting that they upgraded from GitLab Premium to GitLab Ultimate in 2022. “GitLab and DevSecOps are synonymous at Sigma Defense and are critical to the success of Black Pearl and the Sigma Defense team.”

Black Pearl, with GitLab at its core, has become pivotal to creating and deploying mission-critical software systems onboard U.S. Naval ships. When ships are at sea for months at a time, the Navy needs to be able to continuously update their software systems, fixing vulnerabilities, adding capabilities, and responding to feature needs.

“The legacy approach to software updating was basically like cutting a hole in the ship, pulling out racks of hardware, and dropping in new ones,” says Metheney. “Now with GitLab, it is much easier to update the software, push it through the CI/CD pipeline up into the cloud and down to the ship onto the existing hardware.”

For the Naval project, the DevSecOps team simply took Black Pearl and built project-specific processes on top of it. “If there’s a vulnerability in a critical system on a Naval ship, we can’t wait two years to fix it,” he adds, noting that with GitLab, the time it takes for discovery and remediation of bugs has gone from months to days. “It’s fundamental to national security that we do it in days, if not hours. GitLab is fundamental to how we do that.”

A multitude of software factories, and the silos that came along with them, had caused a lot of challenges and headaches for Sigma Defense and the broader DoD. For example, without a common environment that all teams could use—and a platform to power it—DevSecOps team members had no way to come together to support each other and work jointly on projects, sharing ideas, experiences, and best practices. Now with GitLab as the foundation of Black Pearl, there are far fewer pockets of people duplicating efforts, and collaboration has become the norm. DevSecOps team members from across the country can collaborate, expediting projects and dramatically increasing efficiencies.

“Collaboration was a fundamental problem,” says Metheney. “Now we have one place for everyone to work, and all the data and capabilities are in one place. One of the powers of GitLab is that everyone and everything — the codes, the builds, the scans — are in one place. Now our people, even if they’re not in the same building or the same state or even the same division of the Navy, can work together—easily.”

With Sigma Defense’s DevSecOps teams working in Black Pearl’s GitLab-powered environment, they now also have visibility into projects and workflows that they never had before. Without having to wait weeks or months for project reports to come in, teams are able to make real-time decisions about priorities and deployments. And with insight from GitLab analytics and dashboards into where bottlenecks are happening, they can jump in, fix problems, and move projects forward.

Before adopting GitLab and creating Black Pearl, silos meant that project team members had to be physically located in the same geographic area. There was no way for them to collaborate unless they were sitting in the same building. That dramatically narrowed the talent pool.

With GitLab, everything from project planning, development, and code and security scanning all are done in one environment that is accessible to team members using Black Pearl in any geographic location. “Regardless of what building or state they’re in, they can work together in GitLab,” says Edward Anderson, executive vice president of Innovative Mission Solutions at Sigma Defense. “We can bring in external people with new ideas and new approaches to reinvigorate the community and production—without concern for where they’re located. Now we have more opportunities for innovation.”

With GitLab, Sigma Defense has expanded the areas where developers working for the company can be located from two locations to anywhere across the nation. As a result, the company is able to offer a broader and richer pool of talent to its customers.

Working so closely with the DoD means the software that Sigma Defense develops must be fully compliant with government laws, regulations, and standards, like the National Institute of Standards and Technology's Secure Software Development Framework (SSDF). A significant benefit of using GitLab is that they now are better, and more easily, prepared to meet those regulations, avoiding making expensive software modifications, struggling to find needed project documentation, and potentially losing contracts because of compliance failures.

A major piece of being compliant is being able to predictably and consistently supply the needed information to prove it. Metheney says they have a leg up with that because working on GitLab’s end-to-end platform means all of their information—whether it’s data on security scans running in necessary pipelines, automated security practices, or approvals on merge requests—all can be found, and aggregated, in one place.

“Being able to visualize, enforce, and report on compliance is something GitLab enables us to do,” says Metheney. “Before we were using different tools so scan results might be here or there. Sometimes they’d be put into a spreadsheet and that would get emailed around. Now we have one place where we're collecting and organizing all of that data. It’s incredibly helpful to have everything in one spot so we have one source of truth.”

Metheney notes that since they’ve found success with GitLab-powered Black Pearl at the center of their DevSecOps capabilities, they are looking to expand use of it to U.S. intelligence agencies and across the DoD. Black Pearl, for instance, has been granted Authority to Operate by the Navy and the U.S. Marine Corps through reciprocity. Sigma Defense is working with the Army to deliver the same capabilities.

Early in 2024, the company launched Sigma Software Studio, a DevSecOps platform, which also has GitLab at its center. It is aimed at expanding Sigma Defense’s footprint into civilian agencies, as well.

“With GitLab at its core, Black Pearl is a critical piece of our software development,” says Anderson. “It’s a core value prop. When we see an opportunity that involves software development, we know they should just use the platform and then they can skip the hard, repetitive parts of software development and move right to the creative part.”