- The Navy has designated two mandatory enterprise IT services: the Orion DevSecOps platform for software development and the Naval C-SCRM capability for supply chain risk monitoring
- Orion is now the sole authorized environment for Git-based software work
- The C-SCRM service gives users vendor risk assessments, a shared intelligence library and decision support across the acquisition lifecycle
The Department of the Navy designated two enterprise IT services in memorandums issued in June, mandating the Orion DevSecOps platform for software development and the Naval Cyber-Supply Chain Risk Management, or C-SCRM, capability for vendor risk monitoring.
The assistant secretary of the Navy for research, development and acquisition and the department’s chief information officer jointly issued both designations, which the Navy CIO’s office announced on Tuesday.
What Does the Orion Mandate Cover?
Orion becomes the department’s enterprise IT service for all software built using Git-based workflows, issue management, software security or other DevSecOps processes. It is now the sole Navy-authorized environment for toolsets incorporating GitLab or Atlassian, spanning source code, infrastructure-as-code, configuration files and scripts. The platform lets authorized users develop software with modern tooling while giving leaders a real-time, data-informed view of activities.
Software built at Impact Level 5 and below falls under the mandate. Organizations operating at Impact Level 6 or above must designate a point of contact for future migration planning. Low-code and no-code environments are exempt from the requirement.
The designation caps a yearlong evaluation. The Navy provisionally selected Orion as its DevSecOps platform of choice in May 2025 after surveying its software factory ecosystem. Orion has since met the benchmarks required of an enterprise service.
What Will the C-SCRM Service Provide?
The second memorandum makes the Naval C-SCRM capability the mandated enterprise service for all department users to identify, analyze, resolve and monitor supply chain risks throughout the acquisition lifecycle.
Through the platform, Navy users gain three core functions: mission-focused risk assessments paired with constant vendor, hardware and software monitoring; a shared intelligence library where risk profiles on suppliers can be pulled on demand; and support for risk-based decisions at every stage of a program’s life. The Navy expects the shared service to cut duplicate spending on supply chain assessments and pool expertise to protect Navy and Marine Corps operations. C-SCRM is already running and approved in both IL5 and IL6 environments.






