The Department of Defense (DoD) needs to streamline the statutory, regulatory, and budgetary framework for its software procurement to build and maintain the nation’s software advantage, a former DoD official told lawmakers on Wednesday during a House Armed Services Subcommittee hearing.
“Our nation has developed and operationalized technology solutions that have transformed our commercial sector and in turn our everyday lives. Now we must harness and apply this ingenuity and innovation to bolster U.S. military superiority in the digital age,” Ellen Lord, former DoD under secretary of defense for acquisition and sustainment, said during the Cyber, IT, and Innovation Subcommittee Hearing.
Lord explained to lawmakers that the DoD needs to shift how it acquires software to ensure the best technology is available at the time, scale, and speed our warfighters need.
The shift should include building a skilled workforce to acquire and deploy the best mission-focused software, building a resourcing structure that allows the department to respond securely and quickly to a digital battle space, lowering the cycle time and cost for newer innovators to support national security missions, and building the data governance and infrastructure needed.
“[DoD] agencies must acquire software to meet current mission needs while also having the agility to quickly respond to future threat environments,” Lord said. “This makes DoD’s statutory, regulatory, and budgetary framework ripe for streamlining to build and maintain the nation’s software advantage.”
One way to do this, she said, is by lowering the “barriers of entry” for new software companies that have innovative capabilities for the department.
For example, to gain approval for software systems, companies need to be granted an Authority to Operate (ATO). That process can take months, if not up to a year, and often must be replicated within programs, services, and DoD entities.
“There is an opportunity to streamline and modernize the process of certifying software for security and resiliency to deliver the competitive advantage desired,” Lord said.
Lord acknowledged that the DoD’s continuous Authority to Operate (cATO) process will provide continuous monitoring to detect cybersecurity activity, real-time cyber defense, and adoption of an approved DevSecOps reference design.
However, while DoD’s guidance on cATO is gaining momentum, “additional steps are required for the cATO promise to be fully realized,” she said.
“A critical first step is to require an ATO joint standard or common definition ATO for DoD,” Lord said. “Consistent institution and execution across DoD for the evolution from static ATO to cATO will catalyze consistency and portability as systems and software move into continuous evaluation and approval.”
She also told lawmakers that to foster a procurement culture of “buying readily available commercial software offerings” the department “must operationalize policies and procedures” that support utilizing “modern software development and delivery practices.” This includes an agile software development life cycle, software-as-a-service delivery, human-centered design, DevSecOps, and modern technology stacks.
“The [DoD] procurement process is one of the greatest challenges and opportunities to software acquisition,” Lord said, adding that funding, training, and development will ensure the acquisition workforce has “key skills for implementing the full spectrum of acquisition approaches.”
Lord said this will enable the DoD to deliver “the most innovative software and technology to the national security workforce.” In short, training innovation must keep pace with software innovation.