DevSecOps Archives | DefenseScoop
https://defensescoop.com/tag/devsecops/

Pentagon sets out two-year plan to scale enterprise cloud offerings, software factories
https://defensescoop.com/2025/05/08/dod-cio-software-modernization-implementation-plan-2025-2026/
Thu, 08 May 2025 20:20:56 +0000

The Pentagon CIO's updated software modernization implementation plan highlights three goals to help improve the department's delivery and deployment of software capabilities.

The post Pentagon sets out two-year plan to scale enterprise cloud offerings, software factories appeared first on DefenseScoop.

BALTIMORE — The Defense Department’s chief information officer has published an updated roadmap detailing the organization’s plans to support continued growth of the Pentagon’s software factory ecosystem and enterprise cloud program.

The CIO’s recently released software modernization implementation plan for fiscal 2025 and 2026 marks another call from Pentagon leadership for the entire department to improve delivery of software-based capabilities. The document lists three key goals for the next two years — focusing on software factories, enterprise cloud and transforming processes — as well as specific tasks for each goal that aim to improve overall software modernization.

The goals and tasks in the document build upon the DOD CIO’s first software modernization implementation plan for fiscal 2023 and 2024. According to the new roadmap, the Pentagon completed 27 out of 41 of the tasks outlined in the previous plan, carried 12 tasks over to FY25 and FY26 and combined two tasks with others in the updated document.

Rob Vietmeyer, chief software officer for the deputy CIO for information enterprise, said that while working through the goals in the first implementation plan, the office realized that some of the associated tasks weren’t mature enough to fully execute on.

“For a small portion, we learned that we didn’t know enough about a couple of those activities, so we dropped them. And then some of them, we were maybe over aggressive or they evolved,” he said Wednesday during a panel discussion at AFCEA’s TechNet Cyber conference. “I’ll say, from an agile perspective, we didn’t have the user score exactly right, so some of these stories have continued into the implementation plan two.”

The first goal outlined in the new plan is to accelerate and scale the Pentagon’s enterprise cloud environment. Along with its multi-cloud, multi-vendor contract known as the Joint Warfighting Cloud Capability (JWCC), the department also has a number of other efforts aimed at providing cloud infrastructure overseas and at the tactical edge. 

Vietmeyer said that even though JWCC has been a relative success — noting that the department has awarded at least $2.7 billion worth of task orders under the program — the contract vehicle was “suboptimal” for large acquisitions. The CIO is currently planning for what it calls JWCC 2.0, a follow-on phase that adds more vendors and different contracting mechanisms to the program.

Beyond JWCC, the implementation plan calls for the establishment of additional contract options for cloud innovation — specifically geared towards small business and “niche providers” — that can be awarded before the end of fiscal 2026.

“In the implementation plan, we’re trying to build that next-generation cloud infrastructure and extend it. Not just looking at JWCC, but we’re also looking at how we extend for small business cloud providers,” Vietmeyer said. 

The document also offers guidance for Pentagon efforts to expand cloud access to the edge, such as through Stratus or the Joint Operational Edge (JOE) environments. In the next two years, the department will develop a reference design for an “underlying cloud mesh” that facilitates data transport, software development and information-sharing across different infrastructures overseas, according to the plan.

The mesh architecture would allow warfighters from one military service to access a cloud node operated by a different service, or one owned by the Defense Information Systems Agency, Vietmeyer explained.

“We’ve seen that one of the challenges is moving to a mesh type of architecture, so we can identify where computing infrastructure exists and allow the warfighters to take advantage [of it],” he said. “How do we start to build the ability for applications and data to scale across that infrastructure in a highly resilient way?”

Along with enterprise cloud, another goal within the updated implementation plan focuses on creating a Pentagon-wide software factory ecosystem that fully leverages a DevSecOps approach. The CIO intends to take successful practices from the various software factories in DOD and replicate them across the department, according to the plan.

“DoD must continue to scale success and bridge the right disciplines together … to ensure end-to-end enablement and realization of the software modernization vision and adoption of software platforms and factories organized by domain,” the document stated.

The CIO will also work to remove existing processes and red tape that prevent software developers from accessing critical tools and capabilities; increase the number of platforms with continuous authorization to operate (cATO) approvals; and create a DevSecOps reference design for artificial intelligence and software-based automation deployment.

Lastly, the implementation plan outlines multiple tasks geared towards evolving the Pentagon’s policies, regulations and standards to better support software development and delivery — including creating secure software standards, improving software deployment in weapons platforms and growing its workforce.

Although work to accelerate the Pentagon’s software modernization has been happening for years, leaders at the department have begun pushing for more focused efforts to remove bureaucratic red tape through new guidance — such as Secretary of Defense Pete Hegseth’s Modern Software Acquisition memo released in March, and the CIO’s new Software Fast Track (SWIFT) program.

“For modern practices to become the routine way of developing and delivering software, policy, regulations, and standards must be reviewed and updated,” the implementation plan stated. “DoD must work with DoD Components to update policy and guidance to reduce the barriers to adopting new practices and to accelerate software delivery and cybersecurity approvals to enable adoption of the latest tools and services.”

DOD looking to release enterprise-wide guidance on software modernization
https://defensescoop.com/2024/10/28/dod-looking-release-enterprise-wide-guidance-software-modernization/
Mon, 28 Oct 2024 20:37:52 +0000

“Hopefully in a helpful way, we’re trying to bound that with the right level of department-wide guidance and instruction that we’ll have out here fairly shortly from the CIO’s office,” Kevin Mulvihill said.

The Pentagon’s Chief Information Office is planning to publish new guidance and instruction for the department’s military services and components on accelerating software modernization efforts, according to a senior official.

The new document will be released “fairly shortly,” Kevin Mulvihill, acting principal deputy CIO, said Monday during the Defense Information Systems Agency’s annual forecast to industry. The directives will build upon the Pentagon’s Software Modernization Strategy published in 2022, as well as the follow-on implementation plan published in 2023, he said at the event.

“We’re in the process right now across the various services and components to update their implementation plans in [fiscal ’25 and ’26], with the focus to accelerate those strategic goals, to adopting the enterprise cloud, really looking at the department-wide software factory ecosystem there,” Mulvihill said.

Along with the Pentagon’s enterprise-wide modernization plan, several of the military departments and other DOD components have been moving in recent years to update how they buy, develop and deploy software for their systems. Some of the services — such as the Army — have published their own software modernization strategies, and others have stood up and bolstered their respective software factories.

Mulvihill said there’s been significant progress among the individual services and components, and that all of the key initiatives outlined in the Pentagon’s implementation plan for software modernization were accomplished by their deadlines.

“Hopefully in a helpful way, we’re trying to bound that with the right level of department-wide guidance and instruction that we’ll have out here fairly shortly from the CIO’s office,” he said. “That helps with the instruction, to really try to advance those software factories but do it in such a way that we protect the software development and make it safer and secure.”

A key element to the Pentagon’s software modernization goals is the proliferation of DevSecOps principles and tools across the enterprise. DISA is in the process of bringing two of its major DevSecOps pipelines — the Command and Control Software Factory (C2SF) and Vulcan — together so that they can “combine forces” and offer more tools to users, DISA Deputy Director Christopher Barnhurst said at Monday’s event.

But more work must be done to change the culture around software development and deployment, Barnhurst added.

“Part of the challenge I see is getting folks to buy into that. And not just buy into it but to understand DevSecOps mentality and processes more in the agile development kind of way of thinking,” Barnhurst added. “Along with all of the policy and the tool sets, it’s more of a cultural shift as well that just takes time to get people in a frame of mind.”

Army planning 2 pilot efforts to streamline improvements in cATO processes
https://defensescoop.com/2024/05/14/army-cato-pilot-efforts-continuous-authority-operate/
Tue, 14 May 2024 21:58:41 +0000

“I feel very confident that by the end of this year, we could potentially have up to seven programs that have certified [continuous integration and continuous deployment] pipelines,” Army CIO Leonel Garciga said.

The Army is on the cusp of launching a new initiative to refine its ability to monitor cybersecurity risks to its systems, beginning with two pilot efforts that will inform a service-wide transition to leveraging continuous authority to operate (cATO) frameworks.

The service has identified two existing Army programs that will be the first to receive cATOs, Army Chief Information Officer Leonel Garciga told DefenseScoop on Tuesday during a roundtable with reporters. The goal is to execute a four-step implementation plan over the next few months, and for the two pilots to receive cATOs by the end of the summer, he said. 

While he was unable to detail which Army programs would be part of the pilot effort, Garciga said both “are production-level systems and they are delivering to production right now. They are mature, these are not [research-and-development] programs. They’re not training, they’re not testing, these are programs that are up and running and operational today.”

Due to the growing reliance on software-based systems, organizations across the Pentagon have sought to improve the ATO process without slowing down innovation. A continuous ATO grants IT systems permission to operate without needing to be reauthorized — an often lengthy process that has been known to stifle modernization efforts — by implementing automated monitoring and security controls to ensure compliance from the early stages of development.

Much like others at the Defense Department, the Army is still at the beginning stages of reforming how it uses cATOs, Garciga said. The two pilots will be used to inform the service’s larger policy guidance on cATOs that is underway.

Overall, the Army is tracking seven programs doing DevSecOps that could be a good pool of candidates to receive a continuous ATO, Garciga said.

“I feel very confident that by the end of this year, we could potentially have up to seven programs that have certified [continuous integration and continuous deployment] pipelines,” he said.

The pilots come as the Army looks to implement modern software development and acquisition practices through its new software directive, published in March. The guidance implements a number of changes aimed at improving its approach to software, including a directive that calls on the Army to transition from the traditional ATO to a continuous ATO process.

As part of the four-step plan, the Army will first provide guidance that outlines what the accredited framework will need to look like — a document that will be out in “the next two weeks” for its first two pilot programs, Garciga said. Then, the service will provide additional guidance to the force on configuration management and release management for DevSecOps, he added.

“Once you have the first two, that builds the foundation for you to say, ‘Hey, this is what a [DevSecOps] pipeline looks like, and this is the bare minimum that you need to get it certified.’ Once that’s done and you have all that together, then we’re going to put out guidance that says, ‘This is how you get your cATO,’” Garciga explained.

Kessel Run reveals new plan for speedier DevSecOps deliveries
https://defensescoop.com/2022/12/05/kessel-run-reveals-new-plan-for-speedier-devsecops-deliveries/
Tue, 06 Dec 2022 02:20:37 +0000

Fresh R&D contracts underpinning basic research and operational deployments could follow.

Kessel Run, the Air Force team building a software development factory to power future military operations, unveiled a new procurement vehicle that shapes how it’ll buy commercially available DevSecOps capabilities through mid-2027. 

A portmanteau of development, security and operations, DevSecOps refers to an evolving software engineering approach that seeks to combine all three of those elements throughout services’ production lifecycle and enable continuous delivery and integration where changes happen regularly over time. It’s key to the functions of Kessel Run, which matured from an innovation-pushing experiment for accelerating military software deployments to a congressionally-mandated program of record over the past five years. 

Last week, Kessel Run released a new umbrella Commercial Solutions Opening (CSO) via which it will “pursue innovative approaches to product and service offerings in the software and DevSecOps realm” in the near term.

The overarching objective of this new acquisition pathway is to provide a mechanism for federal and industry stakeholders to jointly “deliver state-of-the-art commercial technology directly to the warfighter,” officials wrote in the federal contracting announcement, adding that, “to do so, the government must broaden its horizons.”

Going forward, this umbrella CSO will be amended each time the Air Force Life Cycle Management Center, which heads Kessel Run, issues “calls” on behalf of branch components for what they envision to be “innovative solutions” to fulfill objectives, desired end states, or capability gaps described in the impending requests. Expedited and simplified processes will be used where possible for such procurements.

There is no cumulative ceiling estimated for the opening at this time, but officials suggested in the announcement that individual awards likely wouldn’t exceed $100 million.

The CSO will remain open for the “issuance of calls” until Sept. 30, 2027, officials wrote.

In the announcement, Kessel Run members also briefly highlighted possible call structures and submission processes for short- and longer-term collaboration that may follow. 

This CSO is intended to “serve as a foundation for the program with focused areas of interest” and submission instructions will “come later as specific requirements arise,” they wrote. Kessel Run’s press team did not provide more details on potential technology-aligned areas of interest, or their anticipated timeline, prior to publication.

DOD gets new chief software officer
https://defensescoop.com/2022/11/10/dod-gets-new-chief-software-officer/
Thu, 10 Nov 2022 05:55:03 +0000

Rob Vietmeyer is the new chief software officer within the DOD CIO's information enterprise division.

The Department of Defense has a new chief software officer, the Pentagon announced on Wednesday.

Rob Vietmeyer has assumed the role within the information enterprise division of the Office of the Chief Information Officer, according to posts on LinkedIn and Twitter by the DOD CIO.

In his new job, Vietmeyer will lead implementation of the Pentagon’s software modernization strategy and “advocate for software development approaches, cloud services and process transformation,” according to the LinkedIn post.

The DOD’s software modernization strategy was published in February and seeks to push more software adoption within the department akin to private industry.

Vietmeyer will also be charged with advancing DOD’s adoption of DevSecOps, agile software development and cloud native modernization.

Previously, Vietmeyer held various cloud-related roles within the department, most recently as DOD’s director of cloud and software modernization.

Defense officials have maintained that the department must embrace modern software development in order to stay ahead of sophisticated adversaries, arguing that the old platform-centric and hardware-centric models of modernization are not sufficient to outpace threats or keep up with the rate of technology advancement.

DISA to launch ‘Vulcan’ DevSecOps program
https://defensescoop.com/2022/10/21/disa-to-launch-vulcan-devsecops-program/
Fri, 21 Oct 2022 21:49:55 +0000

Vulcan is a continuous integration, continuous delivery (CI/CD) program meant to help spread DevSecOps software development principles and tools across the agency — and potentially wider.

The Defense Information Systems Agency’s cloud hosting and computing office is in the process of developing a continuous integration, continuous delivery (CI/CD) program called Vulcan to help spread DevSecOps software development principles and tools across the agency — and potentially wider.

Alex McFarland, the technical lead for Vulcan in DISA’s Hosting and Compute Center, described Vulcan as similar to the software factories popping up across the Department of Defense, like the Air Force’s Kessel Run and Platform One, which have been instituted to specialize in scaling modern, agile software delivery across mission sets.

Speaking during a panel at this week’s Trellix Cybersecurity Summit, produced by FedScoop and CyberScoop, McFarland shared the vision for Vulcan as both a toolset for developers “to help bootstrap some of these [DevSecOps] processes” — things like CI/CD and collaborative tooling to jumpstart their secure, modern software development efforts — and a mechanism to spread the cultural transformation associated with such modern software workflows.

“One thing I promised myself, I just didn’t want to sell a program,” McFarland said. “I want to sell them with cultural change in the work management side of it. Because if you’re going to effectively use these tools, if you adopt CI/CD practices, but then you’re only deploying quarterly … what have you really changed, right? Like how much have you actually improved it? And if we’re not working across silos and collaborating better, then we missed the mark, I think.”

The DevSecOps idea behind Vulcan — named after the Roman god of forging and engineering — is that with the right tools and best practices on the security and compliance side, developers can continuously make small updates to software rather than waiting for the expiration of an authority to operate to make a big, lengthy push for recertification.

“Let’s keep trickling changes in and stay compliant and figure out that fast feedback loop: Well, that didn’t go that well. What can we do different, where can we speed it up? … Where was the lag?” McFarland explained. He added that with these constant small changes and “all this testing, we’re increasing safety” in systems.

Currently, Vulcan is offering some free open-source tools through GitLab, but McFarland expects to expand that to a fully supported, accredited environment early next year with the program’s first customers.

The plan is to start small and to bring change incrementally across DISA to partners who can benefit from outsourcing some of their secure software development stack, before then “opening up wider and wider as we go,” McFarland said.

In the federal government, “we have a lot of legacy applications. And legacy applications are sometimes more difficult to do infrastructure as code and modernize in this way,” McFarland said of working with partners across DISA and the DOD.

“I think bringing some of this stuff to bear is going to be really interesting. And this is where you know, your first bite, sometimes it’s the way you manage work and not necessarily refactoring the whole system,” he said. “Like there gets to a point where you do refactor your code base to achieve the velocity you want to achieve. But you can also make things better just by having these conversations and talking and doing DevSecOps without having to change the whole thing.”

Air Force considering shaking up its software factories
https://defensescoop.com/2022/04/14/air-force-considering-shaking-up-its-software-factories%ef%bf%bc/
Thu, 14 Apr 2022 16:33:23 +0000

Software factories are tasked with quickly and securely developing software for the Department of Defense.

The Air Force is looking at reorganizing its software factories, one of the leaders in the office that oversees them told FedScoop.

Among the military services, the Air Force has been particularly keen on software factories, which are tasked with quickly and securely developing and delivering new software for the Department of Defense.

The service currently has 16 of them — compared, for example, to the Army’s one — and Air Force leaders are looking at shaking up that enterprise, Maj. Christopher Olsen, military deputy in the office of the Air Force’s chief software officer, told FedScoop Thursday on the sidelines of the VMware Public Sector Innovation Summit, hosted by FedScoop.

“There’s a lot of different opposing views about how we should go about doing that,” he said.

U.S. military software factories, which are government-owned and operated, practice DevSecOps — an approach that combines software development, security and IT operations.

“In the software factory reference design for the DOD, we say it’s a one or more DevSecOps [with] continuous integration, continuous delivery pipelines, producing an application or set of microservices with an emphasis on automation. So automated tools, automated processes,” Olsen said during a panel at the summit.

One question that needs to be answered is how many software factories the Air Force should have.

“I don’t know which one’s the right number,” Olsen said. “There’s probably some mix of, you know, do you want to have a software factory per capability area or mission area? Or do you want to have … one software factory and it’s just got many different functional specialties? I don’t know what the right answer is. But that’s something we’re trying to figure out currently.”

For example, the Air Force could choose to have one for intelligence, surveillance and reconnaissance, another for command and control, and others to singularly focus on other key areas.

“Do you want to do like that?” Olsen said. Or “do you … just want to kind of let it be this organic, innovative ecosystem where when an organization feels like it needs a software factory, they can stand it up? Or do you want to consolidate? Those are the kind of tradeoff decisions that leadership has to make.”

Other key questions identified by Olsen include: What should the training pipeline look like? How should they be funded? And how should work be divvied up between software factories and traditional program offices?

He declined to provide a timeline for when these decisions will be made.

During the panel, Olsen noted another key issue facing the DOD: figuring out the best way to divvy up work between military software factories and the defense industrial base.

“We found in the chief software office that those factories are great at solving problems with software that are within a certain kind of criteria, a certain scale, certain size,” he said.

As an example, he pointed to the work that Kessel Run is doing producing software for air operations centers.

“That’s a niche area [for] specific missions, specific capability. And it’s a great area for a software factory to be in,” he said.

However, the Air Force will never have software factories producing all the software and doing all the software engineering for a major acquisition program like the F-35 joint strike fighter. That work is better suited for the defense industrial base, he asserted.

However, there may be some gray areas where it’s less clear cut, he suggested.

“I think that what the challenge the department is going to have going into the future is putting in place the institutional mechanisms to decide what work is appropriate for a software factory, and what work is appropriate for going through the traditional contracting process to be done at the defense industrial base” level, Olsen said.

Department of Defense software leader to depart
https://defensescoop.com/2022/03/22/dod-software-chief-to-depart/
Tue, 22 Mar 2022 10:33:04 +0000

Jason Weiss will step down from the role of chief software officer on April 15.

Jason Weiss, the Department of Defense’s chief software officer, is leaving his role, he announced in a LinkedIn post yesterday.

Weiss came into the job in October 2021 having served as the director of software modernization since January of that year. He oversaw the adoption of software development and modernization of legacy applications in the department.

He was the first department-wide chief software officer, a role created in late 2021 as part of the DOD’s plans to pursue a more joined-up approach to digital warfare. The appointment came shortly after the departure of Air Force chief software officer Nic Chaillan in September.

In his post, Weiss touted progress on a variety of initiatives, including the DOD’s DevSecOps strategy, the API task force and the software modernization strategy, which was signed by the deputy secretary of defense Feb. 2.

The department is in the midst of evolving into what leaders have referred to as a data-centric future where software is modernized and data is organized in a way that allows information to flow more easily for faster decision making.

As part of the department’s push toward realizing its new concept of joint all-domain command and control (JADC2), which seeks to more seamlessly connect sensors and shooters to allow for faster decision making on the battlefield, it is moving out on two specific DevSecOps projects.

The first is modernizing how the department patches applications, aligning it to the way commercial industry does it, and the second is reformatting problematic applications to allow them to better share data on the network.

It is unclear who will fill Weiss’s role after he departs on April 15.

Soon-to-be-released defense budget will align funding toward JADC2
https://defensescoop.com/2022/03/18/soon-to-be-released-defense-budget-will-align-funding-toward-jadc2/
Fri, 18 Mar 2022 15:06:47 +0000

Following the implementation plan, there will be funding recommendations in the upcoming fiscal 2023 budget related to JADC2.

Although the Department of Defense has released what a top official referred to as a “seminal document” for its new concept for joint all-domain command and control (JADC2), the proof will be in how systems associated with that effort are funded across the individual services. And according to the official leading the charge, there is a funding mechanism in place in the soon-to-be-released fiscal 2023 defense budget request to purchase the technologies and mechanisms needed to make the plan a reality.

“Yes, very clearly. We’ve already had placeholders,” Lt. Gen. Dennis Crall, who heads the Pentagon’s JADC2 efforts, told reporters Friday when asked if there will be funding recommendations reflected in the 2023 budget for that.

The fiscal blueprint will be released March 28, according to reporting from Bloomberg.

The joint all-domain command and control initiative seeks to more seamlessly connect sensors and shooters to allow for faster decision making on the battlefield. Deputy Defense Secretary Kathleen Hicks signed the implementation plan for the JADC2 strategy earlier this week.

However, the military services still have to get on board and fund the programs and efforts that support this larger push to connect systems and improve data flows to allow for decision advantage on the future battlefield.

“Even though … the [implementation] plan itself was recently signed, we’ve been in constant battle or other events with our leadership on where we saw this forming up,” Crall said. “It’s not as though it was just dropped in the environment and we’re now trying to take a look at this for the first time. We had a pretty strong understanding of where these would fall out. And so yes, we have a solid plan, I think, or at least a good recommendation maybe on how that’ll land for ’23.”

There has also been a partnership between the Joint Staff’s Joint Requirements Oversight Council and the deputy secretary of defense through the Deputy’s Management Action Group, a senior review panel, to try to ensure that funding is available to realize the vision for JADC2, Crall said.

Funding should never be put against something that doesn’t have a validated requirement, he added.

First JADC2 efforts

Despite ongoing efforts with the services to game out concepts and technologies for JADC2, Crall said there are two specific areas that are getting a “disproportional amount of attention” upfront: DevSecOps and the mission partner environment.

On the DevSecOps front, Crall described getting the department onto a modern footing on par with how Fortune 500 companies do business. While not novel in the commercial world, this is a first for the DOD and thus a large undertaking.

First, he explained, the Pentagon is going to take a series of applications the military services have identified and create a secure application and toolkit to allow for real-time patching. In the current environment, patching protocol is problematic, he said.

Second, the department will take some of its most “misbehaving applications,” which Crall declined to identify, and put them in a redevelopment gauntlet to have them reformatted to allow for greater data sharing.

During the Afghanistan drawdown, the department found it difficult to share information in a timely manner. The goal now is to get applications to work properly and provide data to the people or organizations that need it.

Regarding the mission partner environment, which allows DOD and coalition partners to access information, Crall said there has been a lot of testing on data exchange, how data is stored and what security elements are best.

Officials are focusing on challenges with currently fielded systems.

“We’ve got at the Secret level and below a very wonky, problematic array right now with the way that we exchange data with our partners and it’s not sustainable,” Crall said. “It’s expensive, it doesn’t work well and almost every country has some level of bespoke configuration that makes it really hard to manage. We’re taking that on as to how do you take what you’ve got and put it in a repeatable, recognizable, affordable order.”

U.S. Central Command and U.S. Indo-Pacific Command have done “phenomenal” work to this end, Crall said.

“Rather than creating all of that here in D.C., we’ve turned to our combatant commands who have shown progress and we are helping them organize this in the cross-functional team to see if we can replicate that as a standard,” he said.

DOD publishes new software modernization strategy, memos on code https://defensescoop.com/2022/02/04/dod-publishes-new-software-modernization-strategy-memos-on-code/ Fri, 04 Feb 2022 16:02:55 +0000 https://www.fedscoop.com/?p=47328 A recent spate of software memos aim to increase collaboration and the use of code as a part of the DOD's "DNA," says chief software officer Jason Weiss.

The Department of Defense issued a rash of new software policy documents in recent days, including a new Software Modernization Strategy, aimed at speeding up the way the military codes.

The strategy, published Wednesday, was accompanied by recent memos on strengthening cybersecurity with a “continuous Authority to Operate” and another on the importance of open-source software.

Together, the documents aim to push software closer to the center of how DOD does business and wages war with a more collaborative approach to coding across software factories and services.

“We are approaching that apex point where we are going forward concretely, decisively and it’s really exciting,” Jason Weiss, the DOD’s chief software officer, told FedScoop in an interview about the documents.

Weiss added the timing on the three memos was simply “fortuitous.”

New strategy

The new Software Modernization Strategy calls for an enterprise approach to the services needed to build software. Its main goals include increasing migration to an enterprise cloud, establishing a departmentwide software factory ecosystem and transforming processes to enable faster and more resilient code deployment.

Weiss said a key enabler of achieving these goals will be a collaboration between the 29 software factories and creating “enterprise shared services.”

“Our ability to execute as a single team means we actually need to start sharing more,” he said.

How that sharing will work is still an unanswered question. Some collaboration will come down to the factories publishing reference designs, sharing tools they build and signing agreements like Platform One and Kessel Run recently did.

But the deployment of shared services cuts across budgetary and cultural silos that Weiss said will require a “hybrid model” of different military departments taking the lead on different aspects of services available to all.

“I am actually pretty bullish on our ability to solve this,” he said.

Making ATOs continuous

Often the longest part of deploying a new piece of software is getting it an authority to operate (ATO), which is typically given after a system is checked against a long list of security controls. But all that means is the system passed security checks at one point in time and there are few means to monitor how well the software is holding up to new forms of attack.

The DOD issued a separate memo Wednesday aimed at modernizing the ATO process, also by enhancing collaboration. The goal is to remake the ATO process into a “continuous” one by giving what Weiss calls a “shared language” to the services.

“They were coming along with languages that were ‘service proprietary,’” he said about talks on reciprocity and how to accredit systems from different services.

Now, the DOD chief information security officer has the ability to create cATOs, an authority Weiss said will only temporarily be unique to the CISO.

“He does not intend to retain that long-term,” Weiss said, citing the possibility of creating new bottlenecks.

The basic principles come down to visibility of cybersecurity activities inside the system, active cyber defense and using a DevSecOps reference design to be able to continuously update code based on user feedback and security needs.

“We are starting to see some significant momentum behind DevSecOps,” Weiss said.

Collectively, the memos and new strategy push the department to a more software-focused future. Yet another example of this is a Jan. 24 memo on open source software that pushes the DOD to use code from the public to the “maximum extent practical” as a means to get away from vendor lock-in and reduce cost.

“Collaboration is tantamount to success,” Weiss said of the new policies.
