Delivering Better Software, Faster

Realizing the DoD Software Modernization Strategy

A Bold New Vision for the Future

Tomorrow. Collaboration, logistics, and communications software are seamlessly acquired and securely scaled to support DoD operations.

Three Years into the Future. DoD software factories automatically and proactively deploy measures in response to new or changing events.

Five Years into the Future. Software detects events and maneuvers cloud computing resources dynamically. Response personnel deploy a push-button collaboration environment with enterprise security, compliance, and credentialing solutions in place within minutes. Collaboration across disparate resources is enabled, and data and communication flow securely and rapidly regardless of circumstances.

The United States is facing a new era of great power competition. A rising People’s Republic of China, a revisionist Russia, and other nation-state adversaries are challenging international security as they pursue distinct strategies for expanding their spheres of influence and realizing their own vision for international order. To maintain our nation’s global competitive advantage, the Department of Defense needs secure, reliable, and resilient software that can meet mission needs for years to come; however, its aging legacy software presents perilous risks, including inability to support new requirements, abate security vulnerabilities, or prevent system failures.

To mitigate those risks, the DoD will replace aging software with more resilient software able to adapt at the pace required to compete. The Department aspires to transform software delivery times from years to minutes—a bold new challenge that requires significant changes to DoD processes, policies, technology, and workforce. Those changes include review and modernization of requirements, budget, acquisition, and security processes to leverage new approaches and technologies. To increase delivery speed, improve quality, and assure protection, the transformation process must remain focused on the workforce, the people instrumental for success. Failing to meet these requirements now will leave DoD in need of additional modernization efforts in the future while jeopardizing national security today.

THE DOD SOFTWARE MODERNIZATION STRATEGY

On February 1, 2022, DoD published a new Software Modernization Strategy (SMS) for delivery of software capability at the speed of relevance. This bold new strategy aims to reduce software delivery times from years to minutes. To achieve the desired outcome—better software faster—the strategy seeks to shift secure software delivery to the left by leveraging modern infrastructure and platforms through commercial partnerships for adoption of cloud, a department-wide approach for software factories, and true process transformation and people development. The SMS sets forth three goals:

Goal 1. Accelerate the DoD Enterprise Cloud Environment. Collaborate with the private sector for deployment of cloud services quickly and securely. Multi-cloud, multi-vendor approach, with innovative portfolio of cloud contracts across the enterprise. Secure data in the cloud across all classification domains, from enterprise to tactical edge. Improvements to authorization processes. Defensive cyberspace operations established in the cloud. DoD will accelerate cloud adoption through reusable automated design patterns that are (a) available across the enterprise; (b) integrated into authorization processes; and (c) continuously updated and configuration controlled. This includes use of infrastructure-as-code, compliance-as-code, and hardened software containers for virtual development environments. DoD will also prepare OCONUS infrastructure (facilities to networks) for cloud, at a level of capability equal to or greater than CONUS capability.

Goal 2. Establish department-wide software factory ecosystem. Scale enterprise capabilities (tools and talent) to produce secure and resilient software at speed through a software factory ecosystem approach. DoD will accelerate software deployment at scale through automation; couple validation with automation for continuous authority to operate (cATO); streamline control points for seamless end-to-end software delivery; compress approval timelines and cybersecurity compliance processes; and enable an innovation pipeline that takes research efforts from pilot to operation at speed and scale.

Goal 3. Transform processes for resilience and speed. Transform outdated processes governing the way DoD buys, implements, and operates across its vast and diverse mission sets. DoD will address unnecessarily restrictive or misaligned software compliance standards; make acquisition lifecycles and funding of software programs more agile; and advance technical competencies through improved workforce acquisition, training, and retention.

ANALYSIS

The SMS is grounded in five core values:

1. Security, stability, and quality at speed. Software reliability and security will not be sacrificed in favor of modernization at speed.

2. Managing migration to the cloud. The capacity to manage data and applications in the cloud must be increased, especially where flexible and scalable cloud performance can be leveraged to process data into actionable intelligence. Legacy systems cannot shut down—software must be modernized iteratively but rapidly. Legacy assets must be migrated to the cloud in a way that creates fast efficiency gains. Applications and processes must be refined to support secure continuous integration and continuous development (CI/CD). 

3. Enterprise-first approach. An enterprise-first approach is sought that applies business-style cost efficiency measures, for example component reuse and code sharing. Management of software development from the top down enables better coordination of projects across the entire department portfolio.

4. Workforce modernization. People are critical to the software modernization process—as technology evolves, so must the workforce. As DoD migrates and future-proofs its legacy code, it must also prioritize technical and leadership skills. Recruitment and training are foremost; the department cannot simply rely on college-taught skills.

5. Policy and practice. Successful software modernization involves more than just code. Secure, speedy, and scalable software development requires partnerships among organizations and communities governed by department policies for verification of code performance, ownership of intellectual property, health of software across its entire life cycle, and a host of other considerations.

THE OPPORTUNITIES FOR LEIDOS

The SMS presents significant opportunities for Leidos. Primary drivers are harnessing the power of cloud computing, the ability to build applications continuously, improving cybersecurity, and placing technology at the fingertips of warfighters (versus delivering hardware-intensive platforms).

Danielle Metz, DoD's Deputy Chief Information Officer for Information Enterprise, believes it does not make sense to separate software modernization from cloud adoption—software simply cannot be modernized without cloud. Likewise, new software-defined capabilities will need new architectures and code. In its 2020 budget, the Army pledged to invest $57B in modernization across the next five years—a 137% increase from the previous five-year plan. Part of the modernization will involve a much-needed overhaul of the legacy software systems that support the DoD mission.

Turning software from a limiting factor to an advantage that keeps pace with changing mission demands requires a “continuous improvement” approach to development, validation, and security. The SMS promotes a dynamic approach to development and security through creation of software factories—assembly plants for automated software development and integration—built from tools, process workflows, and scripts. The vision is for multiple software factories throughout the DoD, each responsible for different groups of systems and governed by a top-down model to realize benefits of technology across multiple domains.

As development evolves, so must cybersecurity. DoD legacy software is brittle and suffers from diminished functionality; older technologies (or new developments driven by legacy development practices) create increased cybersecurity risk. In 2018 the Government Accountability Office reported that nearly all the DoD's computerized and networked weapons were vulnerable to attack. Testers playing the role of adversary were able to take control of systems with relative ease and operate largely undetected. Today, DoD authority to operate (ATO) marks certification at a single moment in time, which cannot protect against unforeseen changes in real-world operating environments and makes compliance drift a real risk. The SMS envisions automation of ATO processes for a continuous authority to operate. Software teams would focus on security and reliability monitoring not just during software development, but throughout deployment and operation as well. Continuous authority requires ongoing cycles of refinement using telemetry gathered from software in the field to adapt and harden software against evolving threats.

Finally, the SMS envisions operator-adaptive software that allows operators themselves to adapt software to meet shifting objectives. Often, it will be easier and faster to adapt software-defined features in existing systems than to invest in entirely new hardware—a benefit that reduces development costs and stretches defense budgets further.

HOW LEIDOS CAN MEET THE CHALLENGES

Leidos leads the way in software modernization. Our experience with cloud computing, a foundational goal of the SMS, is extensive. Our multi-cloud strategy and government cloud migration won us the 2021 AWS Public Sector Partner of the Year award from Amazon Web Services. We conduct refactoring and development for cloud-native technologies, such as security-hardened Kubernetes and microservice capabilities that unlock legacy data. These technologies enable realization of cloud-based modernization benefits, allowing secure development operations with the tools and methods needed to protect and defend operational software proactively. We complement these key differentiators with world-class Leidos Trusted AI and offensive/defensive cyber co-development, enabling us to meet the DoD’s goal for secure, adaptable, and resilient software delivered continuously, at the speed needed to keep pace with mission changes and evolving threats.

For years we have pioneered software factories and enterprise DevSecOps, employing reusable tooling and an “everything as code” approach. We use agile development for building advanced command, control, and analysis applications for DoD, the Intelligence Community, and even healthcare environments. Our secure development operations (SecDevOps) fulfill a key requirement for delivery of modernized software into federal space. Our fast and reliable software development benefits DoD today, through modernization of software architectures and transformation of the delivery model. An excellent example is the Kessel Run on the Command and Control Incident Management Emergency Response Application (C2IMERA), for which we slashed development cycles from the incumbent’s 25 months to just two weeks.

Whether managing data standards, replacing entire legacy system databases within hours, or performing the first deployment of operational software applications to a classified cloud instance, we understand the need for software that can evolve. Adaptable software is driven by core design patterns that enable reuse of software in multi-cloud scenarios; design patterns that codify development and deployment processes are a key enabler for scalable, consistent development. We bring expertise in coordinating software modernization across multiple development teams and disparate software. To avoid vendor lock-in, high license costs, and restrictive evolution paths, we employ open and agnostic design that enables software evolution on a continuous basis. Our unique microservice design patterns, deployed from cloud to edge, enable dynamic adaptability with security and availability of data always in mind. Our scale across a range of industries ensures that design patterns are truly scalable. By providing these capabilities as reusable services and automated components, we make them easy and available to all government customers.

Our secure tools and software supply chain investments enable us to consistently meet or exceed industry demands. We were delivering operational software bill of materials (SBOM) capability internally, and offering that solution to our customers, even before it was advocated in Executive Order 14028. But while we consider SBOM to be a prudent measure, we believe it is not enough. True supply chain security requires continuous monitoring of risk even after deployment. Our SecDevOps tools continuously identify new requirements and automatically evolve the CI/CD pipeline. We include continuous monitoring of security risk at all stages, a key requirement for continuous authority to operate.

Continuous authority to operate isn’t just about certifying a CI/CD pipeline—it’s about more complete and proactive cybersecurity. We accomplish this through (1) secure data, (2) zero trust, from network and infrastructure to microservices, through dynamic policy management, and (3) the use of trusted AI to monitor software behavior. In addition, we combine AI and advanced approaches to perform offensive and defensive co-development to ensure inherent security and resilience of software even before it is deployed.

Our expertise includes those process transformations that form the backbone of the SMS. We are already helping DoD to rethink their business processes and software acquisition strategies to ensure faster access to new technologies. Of particular importance is the resiliency of systems, especially with respect to the risk of cascading failures that can jeopardize mission. Better data from metrics-driven software development and better telemetry from software in the field are central to system resiliency, as is testing. Traditional software testing normally occurs late in the development process, leaving little or no time for remediation. We help customers shift left, testing early in the development cycle to find performance, reliability, and security issues. We recommend use of automated tests and gating procedures as part of the CI/CD pipeline to ensure quality software deployment. But to truly support the mission, testing must go beyond development and staging to assessment of software in production. We apply AI/ML capabilities, a strong understanding of enterprise data pedigree and provenance, and rapid deployment of software analytics to operational architectures to continuously monitor and detect subtle behaviors in software during production. Our deep investments in Zero Trust and AI operations give us real-time insights for policy-driven actions that provide protection and manage potential events otherwise detectable only after they cause cascading failures.

One of the most challenging and valuable elements of the DoD's SMS journey is workforce transformation. DoD must upskill its analysts and software developers to deliver code in accordance with the defining principles of the SMS. Our concept of “software factory” extends beyond tools, processes, and scripts to include culture as a defining factor. Leidos supports workforce transformation through unique staff sourcing and training—our software factory ecosystem tightly couples technology investment and development with staffing and upskilling. By including culture and people in the equation, we enable career growth and retention of talent with unsurpassed success. The Leidos Way for training and organizing software factory people is a key differentiator that aligns directly with the “true process transformation and people development” desired by the DoD.

CONCLUSION

Modernized software can mean the difference between victory and defeat. The DoD Software Modernization Strategy is a first step, providing the overarching principles, common framework for understanding, and initial goals and objectives needed for success. DoD must continue to strive as an enterprise toward delivery of resilient software capability at the speed of relevance. By leveraging the expertise provided by Leidos, the Department will increase its capability for resilient, adaptable software that meets mission needs for decades to come.