In recent years, the Department of Defense (DoD) has been releasing increasingly direct and expansive directives to modernize software acquisitions and software development in order to “enable the delivery of resilient software capability at the speed of relevance.” The two points of emphasis that underpin software modernization are the adoption of leading commercial software development processes, such as DevSecOps, and the integration of industry leading tools to accelerate the delivery of applications.
Below, we list three ways that DoD can accelerate commercial software adoption.
1. Shift the Software Accreditation Process Left
The DoD software accreditation process is used to manage risk in the organization’s networks by evaluating the security controls for new and existing systems. Being granted an Authority to Operate (ATO) certifies that the organization explicitly accepts that the benefits of using the system outweigh the operational risks it introduces.
However, this process usually happens at the end of the software development cycle, and can take months, or even years, to be finalized. Additionally, by waiting until the end of the software development process to grant an ATO, DoD end users are largely unable to provide user feedback on the UI/UX of the app or effectively evaluate its functionality with the actual data it is intended to interact with.
DevSecOps is a software development practice that integrates security with DevOps methodologies to build more secure software from the start. DoD has begun to adopt DevSecOps as best practice, including by publishing a DevSecOps Playbook to help the Department and its partners integrate security testing and user feedback earlier in the software development process.
This practice was paired with a memo on the Continuous ATO (cATO) process, which aims to enable ongoing cybersecurity monitoring of applications while also allowing companies to follow Agile best practices: continuing to develop their application based on user feedback and pushing updates more regularly.
Driving the adoption of these best practices across the enterprise, and combining them with cybersecurity and software development tooling, has the potential to dramatically improve the software-enabled capabilities of DoD.
2. Build and Maintain Accredited ‘Sandbox’ Testing and Evaluation Environments
DoD needs a more resource-effective way to test outside applications for mission effectiveness using actual mission data to assess whether or not the software serves its intended purpose, or to evaluate several competitive tools—particularly at scale.
A common approach is a sandbox environment for testing and evaluation, with actual or representative data and functionality but not connected to in-production or mission-critical systems. This use case is particularly relevant for research and development (R&D) components throughout the Department that are tasked with working with early-stage companies presenting a novel solution to a complex problem, and that want to validate the hypothesis before their DoD partner awards a larger dollar value contract.
This provides DoD with a “try before you buy”-style approach to software acquisition, which reduces the risk of purchasing ineffective software and being bound to that solution for years to come.
3. Establish Accreditation Reciprocity Across Services
As it stands, Authorizing Officials (AO) are responsible for authorizing a software application to run on a specific network for a specific service. This means that if a company developed an app with mission-critical functionality applicable to more than one service or agency, it would have to go through the accreditation process multiple times, even if it wanted to run at the same Impact Level in every instance.
To reduce friction in the deployment of applications, the services and agencies throughout the DoD should come to reciprocity agreements, under which an accreditation granted by one AO for an app to run at a certain Impact Level would be accepted by other AOs in equivalent circumstances.
This would reduce the cost of doing business for both DoD and for software companies, bridging the relationship between the two parties and accelerating the delivery of capabilities to DoD end users.
In recent years, DoD has had significant successes in addressing the long-recognized need to adopt commercial software and software development best practices for critical functions, spanning from back-office applications to front-line operations. However, there is more that DoD can do to equip warfighters with the tools they need to do their jobs effectively.
By adopting these three recommendations, the Department will be able to accelerate the rate at which software integrates throughout the enterprise, and in turn, streamline the development of capabilities and create a more diverse, resilient, and competitive defense industrial base.