The CIO’s recently released software modernization implementation plan for fiscal 2025 and 2026 marks another call from Pentagon leadership for the entire department to improve delivery of software-based capabilities. The document lists three key goals for the next two years — focusing on software factories, enterprise cloud and transforming processes — as well as specific tasks for each goal that aims to improve overall software modernization.

The goals and tasks in the document build upon the DOD CIO’s first software modernization implementation plan for fiscal 2023 and 2024. According to the new roadmap, the Pentagon completed 27 out of 41 of the tasks outlined in the previous plan, carried 12 tasks over to FY25 and FY26 and combined two tasks with others in the updated document.

Rob Vietmeyer, chief software officer for the deputy CIO for information enterprise, said that while working through the goals in the first implementation plan, the office realized that some of the associated tasks weren’t mature enough to fully execute on.

“For a small portion, we learned that we didn’t know enough about a couple of those activities, so we dropped them. And then some of them, we were maybe over aggressive or they evolved,” he said Wednesday during a panel discussion at AFCEA’s TechNet Cyber conference. “I’ll say, from an agile perspective, we didn’t have the user score exactly right, so some of these stories have continued into the implementation plan two.”

The first goal outlined in the new plan is to accelerate and scale the Pentagon’s enterprise cloud environment. Along with its multi-cloud, multi-vendor contract known as the Joint Warfighting Cloud Capability (JWCC), the department also has a number of other efforts aimed at providing cloud infrastructure overseas and at the tactical edge. 

Vietmeyer said that even though JWCC has been a relative success — noting that the department has awarded at least $2.7 billion worth of task orders under the program — the contract vehicle was “suboptimal” for large acquisitions. The CIO is currently planning for what it calls JWCC 2.0, a follow-on phase that adds more vendors and different contracting mechanisms to the program.

Beyond JWCC, the implementation plan calls for the establishment of additional contract options for cloud innovation — specifically geared towards small business and “niche providers” — that can be awarded before the end of fiscal 2026.

“In the implementation plan, we’re trying to build that next-generation cloud infrastructure and extend it. Not just looking at JWCC, but we’re also looking at how we extend for small business cloud providers,” Vietmeyer said. 

The document also offers guidance for Pentagon efforts to expand cloud access to the edge, such as through Stratus or the Joint Operational Edge (JOE) environments. In the next two years, the department will develop a reference design for an “underlying cloud mesh” that facilitates data transport, software development and information-sharing across different infrastructures overseas, according to the plan.

The mesh architecture would allow warfighters from one military service to access a cloud node operated by a different service, or one owned by the Defense Information Systems Agency, Vietmeyer explained.

“We’ve seen that one of the challenges is moving to a mesh type of architecture, so we can identify where computing infrastructure exists and allow the warfighters to take advantage [of it],” he said. “How do we start to build the ability for applications and data to scale across that infrastructure in a highly resilient way?”

Along with enterprise cloud, another goal within the updated implementation plan focuses on creating a Pentagon-wide software factory ecosystem that fully leverages a DevSecOps approach. The CIO intends to take successful practices from the various software factories in DOD and replicate them across the department, according to the plan.

“DoD must continue to scale success and bridge the right disciplines together … to ensure end-to-end enablement and realization of the software modernization vision and adoption of software platforms and factories organized by domain,” the document stated.

The CIO will also work to remove existing processes and red tape that prevents software developers from accessing critical tools and capabilities; increase the number of platforms with continuous authorization to operate (cATO) approvals; and create a DevSecOps reference design for artificial intelligence and software-based automation deployment.

Lastly, the implementation plan outlines multiple tasks geared towards evolving the Pentagon’s policies, regulations and standards to better support software development and delivery — including creating secure software standards, improving software deployment in weapons platforms and growing its workforce.

Although work to accelerate the Pentagon’s software modernization has been happening for years, leaders at the department have begun pushing for more focused efforts to remove bureaucratic red tape through new guidance — such as Secretary of Defense Pete Hegseth’s Modern Software Acquisition memo released in March, and the CIO’s new Software Fast Track (SWIFT) program.

“For modern practices to become the routine way of developing and delivering software, policy, regulations, and standards must be reviewed and updated,” the implementation plan stated. “DoD must work with DoD Components to update policy and guidance to reduce the barriers to adopting new practices and to accelerate software delivery and cybersecurity approvals to enable adoption of the latest tools and services.”

The post Pentagon sets out two-year plan to scale enterprise cloud offerings, software factories appeared first on DefenseScoop.

The Marine Corps Software Factory (MCSWF) was stood up in 2023 as a three-year pilot to hone and demonstrate troops’ coding skills, show that there’s a demand for the concept and that it can be scaled. It’s co-located with the Army Software Factory in Austin, Texas, one of the nation’s top technology hubs.

“What we’re doing is we’re almost singularly focused on generating a force with the right technical skill sets to be able to provide an operational capability in terms of digital operations. And when I say ‘digital operations,’ I’m talking about software development, data analytics, AI, machine learning, that type of thing. Just to provide these commanders a meaningful way of being able to compete with our peer adversaries,” Lt. Col. Charlie Bahk, a communications officer and director of the organization, said during a panel at GovCIO’s Defense IT Summit Feb. 9.

Marines there have already churned out four new applications. Three of them are tactical in nature, he told DefenseScoop during an audience Q&A at the event.

“I have to be cognizant of the clearance levels, you know, OpSec and all that. But one of them is about maximizing our maritime radar assets to be able to give the fleet commander a more comprehensive picture of what is happening in that domain. And it’s fully interoperable. It’s interoperable with not just one, but multiple different types of sensors out there. Full-motion video as well,” he noted.

Another uses QR-code technology that can transmit information from unit to unit across long distances and in areas where satellite transmissions or radio transmissions are being jammed and impeded.

The other tactical app is related to “blue-force” signature management, or “understanding where or how brightly you glow on a common operational picture, based off your electromagnetic spectrum activity,” Bahk said.

The fourth app is intended to streamline back-office operations.

“It’s on the garrison or the business side where our monitors or detailers, you know, like the people that cut orders for Marines to their next assignments and work out the retention packages and things like that,” he noted. “You can imagine, due to the sheer numbers of people that they have to engage with, the potential for miscommunication and long wait times and missed appointments and hurt feelings … I mean, it’s just tremendously high.”

To address that, the software factory built a tool to gather data from service members before they meet with those types of officials.

“What we’ve done is created a simple application that streamlines a lot of that, cuts down dramatically the wait times for each of those Marines. It compels them to preload a lot of the standardized information that the monitors should already know about them, [such as] whether or not their spouse is in a graduate-level program or has a very important job or if they have an exceptional family member in the family,” he explained.

The interview window is short, in many cases only about 10 minutes, according to Bahk. The app is intended to make better use of that time.

“Most of those 10 minutes are used in discussing things that should already be known. So what this application does is it helps us streamline the flow of information. And now all of those 10 minutes are used in meaningful conversation that the Marine wants to cover with their monitor. Which if you ask me, I think that downstream of this, it helps to feed into the Marine’s mindset as far as: ‘Am I cared for by the institution? Should I reenlist? Do I want to continue to serve?’” Bahk said.

The software factory pilot is unfolding at a time when the Pentagon is putting increased emphasis on digital modernization and the rapid fielding and upgrading of software. That trend is expected to continue as the military acquires more AI capabilities and pursues new warfighting concepts like Combined Joint All-Domain Command and Control (CJADC2).

Building up coding skills within the Marine Corps is seen as a way to better connect software gurus with deployed warfighters and provide operational value more quickly without relying on contractor support.

“When we have organic uniformed service members doing this type of work and leveraging the infrastructure … we tend to immediately open up a line of like an iteration loop, that’s a line of communication with the commanders on the ground, and say, ‘Hey, here’s our [minimum viable product] that we’re delivering to you within weeks — days, weeks and months, not years. Right? And make sure that we got it right. And if we don’t, roger that, we’ll see you next week and we’ll deliver it — or we’ll see you later today,” Bahk said.

“When we delivered these applications, we got to see them employ it in real-time. And as any rollout goes, there are a couple of hiccups here and there. Zero findings, but a couple of hiccups, performance issues — or maybe the users then think of a feature that they would like us to work on and deploy. We were able to do that. And we’re doing that today, within the same day. We’re pushing to production several times a day. And the responsiveness and the quality — the user base is tremendously happy with that model,” he said.

The post Marine Corps software factory rolls out 4 new apps for tactical and back-office operations appeared first on DefenseScoop.

The annual update to Commandant Gen. David Berger’s controversial vision for transforming the Marine Corps was released Monday, outlining the service’s latest plans to prepare for potential conflict in the Indo-Pacific and any challenges it anticipates. One of the tenets of Berger’s vision is to include more of a “combined arms” approach to Marine ops and integrating capabilities from multiple domains.

But according to the annual update, the service’s legacy command-and-control systems are stovepiped and need to be modernized.

“The successful integration of intelligence, fires, and C2 is the heart of the targeting cycle and is required to enable and conduct kill webs across multiple domains. The need to expand traditional Marine Air-Ground Task Force (MAGTF) operations to address all-domain activities is compelling and requires us to address multiple challenges,” the document states.

To address those challenges, the Corps plans to begin a yearlong campaign to evaluate the service’s current C2 capabilities and begin experimenting with new technologies that enable all-domain communications.

By August, Lt. Gen. Karsten Heckl, deputy commandant of combat development and integration, is set to conduct an approved acquisition objective review of command-and-control systems “to provide near-term multi-domain capability solutions for the MAGTF. This review will identify which systems to retain or eliminate,” the document notes.

According to the annual report, the Marine Corps currently lacks a common Marine Air-Ground Task Force C2 system that can access advanced technologies, as well as C2 technologies that are not bound to single warfare domains and classification bureaucracies.  

Following the acquisition review, Heckl’s office will begin developing a single product that combines capabilities across the service’s family of integrated targeting cells, air C2 family of systems, and ground C2 family of systems. That tool will immediately begin experimenting with U.S. Indo-Pacific Command’s joint fires network, per the update.

“The bridging solution must drive convergence of currently disparate air-land centric C2 programs of record to a singular, all-domain MAGTF C2 capability,” the document notes.

The Marine Corps also plans to implement changes in its force structure and operational concepts that better align with multi-domain ops. Beginning in March 2024, the service will begin a campaign of experimentation focused on all-domain operations that will inform these changes. Wargames and planning teams are also expected to inform evolving capabilities, formations and concepts throughout the year.

In addition to more combined C2 capabilities, the Marine Corps is revamping its approach to gathering, curating and using information to aid operations. In October, the service plans to publish a Marine Corps data implementation plan that coincides with the Defense Department’s data strategy.

“We must evolve from our current framework of siloed data management to an integrated environment that converges data across the [Fleet Marine Force] and supporting establishment,” the Force Design 2030 update states. “Establishing a data collection plan with measurable objectives will be critical to this effort.”

While the service has done work to advance its data science capabilities in recent years, the document emphasizes the need to embrace data as a “critical element” of modern conflict.

Looking forward, the Corps is also considering how artificial intelligence could be used to help facilitate its data strategy. During a media call with reporters Friday, Brig. Gen. Kyle Ellison, commanding general of the Marine Corps Warfighting Lab, highlighted how AI could become a key tool as the service becomes more data-centric.

“More information and more data is not always better — it’s how that data is fused and, in some cases, correlated to enable the decision maker,” he said. “And that’s where we’re moving to — a level of access to information and an ability to fuse information to speed up decision-making, which in the past required human brain cells. Well, we can use those brain cells for the decision-making itself and use AI to help us get to the right decision.”

Ellison also pointed to the value of the Marine Corps’ new software factory, which the service launched in March. When asked by DefenseScoop how the facility would contribute to the service’s Force Design 2030 efforts, he said there is a lot of promise for what the capability will bring to the fight — especially for the military-wide goal to better connect sensors and shooters across the services known as Joint All-Domain Command and Control (JADC2).

“What is extremely important as it relates in particular to JADC2 … is an ability to change rapidly with the evolution of software, and so it is critically important for us to maintain pace with that software evolution,” Ellison said. “It is gonna have to be tied into the rest of the joint force when we do it, so as we continue to develop interoperability and integration — which ultimately is JADC2 — a lot of it is about software. We can have systems within the Marine Corps that, if we have the right software, can be interoperable with the rest of the joint force without having to change the hardware.”

The post Marine force design plans include overhauling C2, data capabilities to support ‘all-domain’ ops appeared first on DefenseScoop.

The ability to rapidly develop and deliver software is a key element of the Pentagon’s modernization plans to respond to adversary threats. The department’s Software Modernization Strategy from 2022 notes that these efforts will require a shift in the DOD’s workforce, and that developing, training and recruiting employees are “critical aspects of software modernization.”

A GAO report published Thursday noted that “building a workforce — with critical skills and competencies — that can implement these reforms is foundational to all of DOD’s planned actions. Until DOD determines when and how it will conduct effective workforce planning for its software workforce, its ability to implement its planned actions and meaningfully transform its software acquisition practices as intended remains in question.”

The Defense Department has taken initial steps in planning for the future software workforce by identifying and defining key software engineering roles necessary for the Pentagon’s plans to swiftly deliver capabilities, the report said. 

A DOD official told the watchdog organization that they are collecting data to identify department-wide information on its current software workforce composition, expertise and skill sets, but added that these efforts are challenging because these employees work across a wide variety of occupations. 

It’s estimated to take from 12 to 18 months to collect this data, which will be used to help determine what resources the Defense Department will need to stand up a robust software workforce, officials told the GAO.

The report emphasized, however, that identifying the workforce is only the beginning of a longer process to ensure the Defense Department will have the people needed to carry out its plans for software modernization. With the current focus on collecting internal data, the department has not yet determined how it plans to execute a broader strategic workforce planning process, it said.

“Strategic workforce planning for software modernization efforts is likely to take a number of years and will need to involve the coordinated efforts of management, employees, and key stakeholders across DOD,” the report said. “Developing a department-wide strategic workforce plan for DOD’s software workforce—including strategies tailored to address gaps in the critical skills and competencies—will help position DOD to execute next steps in this planning process and achieve future software modernization goals.”

Once its existing software workforce is identified, the GAO recommends that relevant entities use that information to develop a department-wide software workforce plan.

The Defense Department “partially concurred” with the recommendations, adding that the Office of the Undersecretary of Defense for Acquisition and Sustainment plans to work with the Office of the Undersecretary of Defense for Personnel and Readiness in developing a “targeted strategic workforce plan that will address any identified skills or competency gaps,” the report said.

The findings within the GAO report aren’t the first time red flags have been raised regarding the DOD’s software workforce. Separate reports from the Defense Science Board and the Defense Innovation Board released in 2018 and 2019, respectively, called on the Pentagon to develop a cadre of software developers, as well as relevant training curriculums.

The GAO report did acknowledge that the Defense Department has taken several steps in recent years to transform how it develops and buys software. For example, the Pentagon has embraced acquisition strategies that promote agile development and stood up its software factory ecosystem.

The watchdog is also suggesting that the department take other actions, including finalizing implementation plans for future software modernization efforts, to ensure it is poised to implement its goals. 

The post DOD behind on expanding its software development workforce, watchdog finds appeared first on DefenseScoop.

A portmanteau of development, security and operations, DevSecOps refers to an evolving software engineering approach that seeks to combine all three of those elements throughout services’ production lifecycle and enable continuous delivery and integration where changes happen regularly over time. It’s key to the functions of Kessel Run, which matured from an innovation-pushing experiment for accelerating military software deployments to a congressionally-mandated program of record over the past five years. 

Last week, Kessel Run released a new umbrella Commercial Solutions Opening (CSO) via which it will “pursue innovative approaches to product and service offerings in the software and DevSecOps realm” in the near term.

The overarching objective of this new acquisition pathway is to provide a mechanism for federal and industry stakeholders to jointly “deliver state-of-the-art commercial technology directly to the warfighter,” officials wrote in the federal contracting announcement, adding that, “to do so, the government must broaden its horizons.”

Going forward, this umbrella CSO will be amended each time the Air Force Life Cycle Management Center, which heads Kessel Run, issues “calls” on behalf of branch components for what they envision to be “innovative solutions” to fulfill objectives, desired end states, or capability gaps described in the impending requests. Expedited and simplified processes will be used where possible for such procurements.

There is no cumulative ceiling estimated for the opening at this time, but officials suggested in the announcement that individual awards likely wouldn’t exceed $100 million.

The CSO will remain open for the “issuance of calls” until Sept. 30, 2027, officials wrote.

In the announcement, Kessel Run members also briefly highlighted possible call structures and submission processes for short- and longer-term collaboration that may follow. 

This CSO is intended to “serve as a foundation for the program with focused areas of interest” and submission instructions will “come later as specific requirements arise,” they wrote. Kessel Run’s press team did not provide more details on potential technology-aligned areas of interest, or their anticipated timeline, prior to publication.

The post Kessel Run reveals new plan for speedier DevSecOps deliveries appeared first on DefenseScoop.

Alex McFarland, the technical lead for Vulcan in DISA’s Hosting and Compute Center, described Vulcan as similar to the software factories popping up across the Department of Defense, like the Air Force’s Kessel Run and Platform One, which have been instituted to specialize in scaling modern, agile software delivery across mission sets.

Speaking during a panel at this week’s Trellix’s Cybersecurity Summit, produced by FedScoop and CyberScoop, McFarland shared the vision for Vulcan as both a toolset for developers “to help bootstrap some of these [DevSecOps] processes” — things like CI/CD and collaborative tooling to jumpstart their secure, modern software development efforts — but also a mechanism to spread the cultural transformation associated with such modern software workflows.

“One thing I promised myself, I just didn’t want to sell a program,” McFarland said. “I want to sell them with cultural change in the work management side of it. Because if you’re going to effectively use these tools, if you adopt CI/CD practices, but then you’re only deploying quarterly … what have you really changed, right? Like how much have you actually improved it? And if we’re not working across silos and collaborating better, then we missed the mark, I think.”

The DevSecOps idea behind Vulcan — named after the Roman god of forging and engineering — is that with the right tools and best practices on the security and compliance side, developers can continuously make small updates to software on a continuing basis rather than waiting for the expiration of an authority to operate to make a big, lengthy push for recertification.

“Let’s keep trickling changes in and stay compliant and figure out that fast feedback loop: Well, that didn’t go that well. What can we do different, where can we speed it up? … Where was the lag?” McFarland explained. He added that with these constant small changes and “all this testing, we’re increasing safety” in systems.

Currently, Vulcan is offering some free open-source tools through GitLab, but McFarland expects to expand that to a fully supported, accredited environment early next year with the program’s first customers.

The plan is to start small and to bring change incrementally across DISA to partners who can benefit from outsourcing some of their secure software development stack, before then “opening up wider and wider as we go,” McFarland said.

In the federal government, “we have a lot of legacy applications. And legacy applications are sometimes more difficult to do infrastructure as code and modernize in this way,” McFarland said of working with partners across DISA and the DOD.

“I think bringing some of this stuff to bear is going to be really interesting. And this is where you know, your first bite, sometimes it’s the way you manage work and not necessarily refactoring the whole system,” he said. “Like there gets to a point where you do refactor your code base to achieve the velocity you want to achieve. But you can also make things better just by having these conversations and talking and doing DevSecOps without having to change the whole thing.”

The post DISA to launch ‘Vulcan’ DevSecOps program appeared first on DefenseScoop.

Among the military services, the Air Force has been particularly keen on software factories, which are tasked with quickly and securely developing and delivering new software for the Department of Defense.

The service currently has 16 of them — compared, for example, to the Army’s one — and Air Force leaders are looking at shaking up that enterprise, Maj. Christopher Olsen, military deputy in the office of the Air Force’s chief software officer, told FedScoop Thursday on the sidelines of the VMware Public Sector Innovation Summit, hosted by FedScoop.

“There’s a lot of different opposing views about how we should go about doing that,” he said.

U.S. military software factories, which are government-owned and operated, practice DevSecOps — an approach that combines software development, security and IT operations.

“In the software factory reference design for the DOD, we say it’s a one or more DevSecOps [with] continuous integration, continuous delivery pipelines, producing an application or set of microservices with an emphasis on automation. So automated tools, automated processes,” Olsen said during a panel at the summit.

One question that needs to be answered is how many software factories the Air Force should have.

“I don’t know which one’s the right number,” Olsen said. “There’s probably some mix of, you know, do you want to have a software factory per capability area or mission area? Or do you want to have … one software factory and it’s just got many different functional specialties? I don’t know what the right answer is. But that’s something we’re trying to figure out currently.”

For example, the Air Force could choose to have one for intelligence, surveillance and reconnaissance, another for command and control, and others to singularly focus on other key areas.

“Do you want to do like that?” Olsen said. Or “do you … just want to kind of let it be this organic, innovative ecosystem where when an organization feels like it needs a software factory, they can stand it up? Or do you want to consolidate? Those are the kind of tradeoff decisions that leadership has to make.”

Other key questions identified by Olsen include: What should the training pipeline look like? How should they be funded? And how should work be divvied up between software factories and traditional program offices?

He declined to provide a timeline for when these decisions will be made.

During the panel, Olsen noted another key issue facing the DOD: figuring out the best way to divvy up work between military software factories and the defense industrial base.

“We found in the chief software office that those factories are great at solving problems with software that are within a certain kind of criteria, a certain scale, certain size,” he said.

As an example, he pointed to the work that Kessel Run is doing producing software for air operations centers.

“That’s a niche area [for] specific missions, specific capability. And it’s a great area for a software factory to be in,” he said.

However, the Air Force will never have software factories producing all the software and doing all the software engineering for a major acquisition program like the F-35 joint strike fighter. That work is better suited for the defense industrial base, he asserted.

However, there may be some gray areas where it’s less clear cut, he suggested.

“I think that what the challenge the department is going to have going into the future is putting in place the institutional mechanisms to decide what work is appropriate for a software factory, and what work is appropriate for going through the traditional contracting process to be done at the defense industrial base” level, Olsen said.

The post Air Force considering shaking up its software factories appeared first on DefenseScoop.

The strategy, published Wednesday, was accompanied by recent memos on strengthening cybersecurity with a “continuous Authority to Operate” and another on the importance of open-source software.

Together, the documents aim to push software closer to the center of how DOD does business and wages war with a more collaborative approach to coding across software factories and services.

“We are approaching that apex point where we are going forward concretely, decisively and it’s really exciting,” Jason Weiss, the DOD’s chief software officer, told FedScoop in an interview about the documents.

Weiss added the timing on the three memos was simply “fortuitous.”

New strategy

The new Software Modernization Strategy calls for an enterprise approach to the services needed to build software. Its main goals include increasing migration to an enterprise cloud, establishing a departmentwide software factory ecosystem and transforming processes to enable faster and more resilient code deployment.

Weiss said a key enabler of achieving these goals will be a collaboration between the 29 software factories and creating “enterprise shared services.”

“Our ability to execute as a single team means we actually need to start sharing more,” he said.

How that sharing will work is still an unanswered question. Some collaboration will come down to the factories publishing reference designs, sharing tools they build and signing agreements like Platform One and Kessel Run recently did.

But the deployment of shared services cuts across budgetary and cultural silos that Weiss said will require a “hybrid model” of different military departments taking the lead on different aspects of services available to all.

“I am actually pretty bullish on our ability to solve this,” he said.

Making ATOs continuous

Often the longest part of deploying a new piece of software is getting it an authority to operate (ATO), which is typically given after a system is checked against a long list of security controls. But all that means is the system passed security checks at one point in time and there are few means to monitor how well the software is holding up to new forms of attack.

The DOD issued a separate memo Wednesday aimed at modernizing the ATO process, also by enhancing collaboration. The goal is to remake the ATO process into a “continuous” one by giving what Weiss calls a “shared language” to the services.

“They were coming along with languages that were ‘service proprietary,’” he said about talks on reciprocity and how to accredit systems from different services.

Now, the DOD chief information security officer has the ability to create cATOs, an authority Weiss said will only temporarily be unique to the CISO.

“He does not intend to retain that long-term,” Weiss said, citing the possibilities of creating new bottlenecks.

The basic principles come down to visibility of cybersecurity activities inside the system, active cyber defense and using a DevSecOps reference design to be able to continuously update code based on user feedback and security needs.

“We are starting to see some significant momentum behind DevSecOps,” Weiss said.

Collectivity, the memos and new strategy push the department to a more software-focused future. Yet another example of this is a Jan. 24 memo on open source software that pushes the DOD to use code from the public to the “maximum extent practical” as a means to get away from vendor lock and reduce cost.

“Collaboration is tantamount to success,” Weiss said of the new policies.

The post DOD publishes new software modernization strategy, memos on code appeared first on DefenseScoop.