Transcription

DEPUTY SECRETARY OF DEFENSE
1010 DEFENSE PENTAGON
WASHINGTON, DC 20301-1010

FEB - 1 2022

[Stamp: CLEARED For Open Publication, Feb 02, 2022, Department of Defense, Office of Prepublication and Security Review]

MEMORANDUM FOR SENIOR PENTAGON LEADERSHIP
COMMANDANT OF THE COAST GUARD
COMMANDERS OF THE COMBATANT COMMANDS
DEFENSE AGENCY AND DOD FIELD ACTIVITY DIRECTORS

SUBJECT: Department of Defense Software Modernization

Delivering a more lethal force requires the ability to evolve faster and be more adaptable than our adversaries. The Department's adaptability increasingly relies on software, and the ability to securely and rapidly deliver resilient software capability is a competitive advantage that will define future conflicts. Transforming software delivery times from years to minutes will require significant change to our processes, policies, workforce, and technology.

To that end, I have approved the DoD Software Modernization Strategy (attached) and am directing the DoD Chief Information Officer (CIO), the Under Secretary of Defense for Acquisition and Sustainment, and the Under Secretary of Defense for Research and Engineering to lead implementation of the strategy through the Software Modernization Senior Steering Group (SW Mod SSG). To ensure progress, the SW Mod SSG will deliver an implementation plan within 180 days and will oversee enterprise-wide progress reported through Business Health Metrics. These efforts include, but are not limited to:

- DoD Component execution of DoD CIO Capability Programming Guidance in support of DoD CIO budget certification for Cloud and development, security, and operations (DevSecOps) investments.
- Enterprise-wide implementation of innovative acquisition authorities and policies, to include DoD Instruction 5000.87, Operation of the Software Acquisition Pathway.
- Increased DoD Component utilization of software factories and secure DevSecOps pipelines.

The DoD Software Modernization Strategy provides the approach for achieving faster delivery of software capabilities in support of Department priorities such as Joint All Domain Command and Control and artificial intelligence. Given this requires the combined focus of DoD senior leadership, I expect all offices and personnel to provide the support necessary to make software modernization a reality.

Attachment:
As stated

Unclassified

Department of Defense
Software Modernization Strategy
November 2021
Version 1.0

Foreword

"... running beneath many of these broad trends is a revolution in technology that poses both peril and promise. The world's leading powers are racing to develop and deploy emerging technologies ... that could shape everything from the economic and military balance to the future of work ..."
Interim National Security Strategic Guidance, March 2021

Five Years into the Future. A natural disaster has devastated critical infrastructure across a partner nation's seaboard, threatening U.S. assets. DoD is providing disaster relief assistance and deploys units to the region by sea and by land. Software detects the disaster and maneuvers cloud computing resources to the region dynamically. Response personnel deploy a push-button collaboration environment with enterprise security, compliance, and credentialing solutions in place within minutes. Collaboration across units is enabled, and data and communications flow securely and rapidly despite surrounding infrastructure damage.

Three Years into the Future. In theater, cyber warfare has become a retaliatory series of increasingly sophisticated and frequent attacks threatening to destabilize regional security, escalating responses into the kinetic realm. DoD software factories automatically and proactively deploy measures based on current and future threats to vulnerable systems, from fighter aircraft to communications equipment, enabling continued joint operations.

Today. A global pandemic has forced millions out of the office and into isolation.
National Guard personnel are deployed to assist with vaccination rollout to the tune of 1.5 million doses per day. Collaboration, logistics, and communications software must be seamlessly acquired and securely scaled to support the Department's operations.

The Department's competitive advantage, today and tomorrow, is reliant on strategic insight, proactive innovation, and effective technology integration enabled through software capabilities. Software modernization, the ability to quickly deliver high-quality, secure software through reuse, acquisition, or custom development, must be part of the Department's DNA.

The DoD Software Modernization Strategy sets a path for technology and process transformation that will enable the delivery of resilient software capability at the speed of relevance. It is one in a set of sub-strategies of the DoD Digital Modernization Strategy and builds upon, evolves, and replaces the DoD Cloud Strategy. Given software's role and pervasiveness across all aspects of mission capabilities and supporting infrastructure, implementation success of this strategy will rely heavily on partnerships across the Department.

In this era of competition and race for digital dominance, we cannot settle for incremental change. The Department must join together to deliver software better and operate as a 21st century force.

Contents

Foreword  ii
1 Introduction  1
2 Software Modernization Vision  1
3 Unifying Principles  2
4 Software Modernization Framework  3
5 Goals and Objectives  6
5.1 Goal 1: Accelerate the DoD Enterprise Cloud Environment  6
5.2 Goal 2: Establish Department-wide Software Factory Ecosystem  7
5.3 Goal 3: Transform Processes to Enable Resilience and Speed  8
6 Unified Implementation  10
7 Conclusion  10

1 Introduction

Now is the time to be bold.

Early innovators within the Department have mounted ambitious challenges to what were once conventional expectations for DoD software delivery. The DoD Software Modernization Strategy spearheads their legacy, identifying a vision, along with goals and objectives, with the purpose of delivering better software faster. The strategy targets the following outcomes:

- Shift secure software delivery left through modern infrastructure and platforms. The strategy recognizes the importance of technology in evolving how the Department delivers software. It emphasizes the importance of commercial partnerships through the adoption of cloud and establishes a new commitment toward a Department-wide approach for software factories.
- Enable this shift through true process transformation and people development. The internal processes of the Department do not readily enable the software delivery pace required to compete. DoD must review and modernize requirements, budget, acquisition, and security processes to take advantage of new approaches and technologies, ensuring not only speed, but better quality and protection. This transformation must be coupled with a focus on people and their contribution to software modernization success.

2 Software Modernization Vision

Deliver Resilient Software Capability at the Speed of Relevance

Defending our nation and ideals of freedom is no longer confined to traditional battlefields. Adversaries now target not just our military facilities, defensive assets, and soldiers, but also the networks, critical infrastructure, and individual citizens that support our way of life. Their weapon and/or target of choice: information and data. Their enabling means: software.

Software is everywhere. It is integrated into our homes; drives us to work; and defines our health, economic, and military capabilities. DoD increasingly relies on software for automation, decision making, and execution of action.
Software capabilities create opportunities for efficiencies and innovation while, at the same time, exposing new attack surfaces and risks. Adversaries know this. They continue to invest in technology and talent, leveraging software capabilities to undermine our operations, threaten our infrastructure, and manipulate democracy.

Fighting and winning on the next battlefield will depend on DoD's proficiency to rapidly and securely deliver resilient software capabilities. This proficiency must empower the warfighter and cyber defenders with the latest innovations to better understand the battlefield, enable Joint All Domain Command and Control (JADC2) with automation and machine learning, and arm leaders with a decision advantage through the aggregation and processing of data. To accomplish this, the Department cannot rely on antiquated platforms and processes of the past, and cannot do it alone.

The vision for software modernization is simple: deliver resilient software capability at the speed of relevance. Resilience implies software that is high-quality and secure, able to withstand and recover in the face of challenging conditions. Speed of relevance implies the accelerated delivery needed to maintain a competitive advantage. The approach is practical: unify efforts across DoD and partner with industry-leading software institutions to produce a portfolio of best-in-class software capabilities enabled by DoD processes. These capabilities must augment and integrate with other infrastructure components, to include Zero Trust Architectures (ZTA), electromagnetic spectrum capabilities, and a growing inventory of connected military devices. The following sections identify a set of principles to unify efforts, a framework to organize activities, and initial goals and objectives to set implementation direction.

3 Unifying Principles

The unifying principles of this strategy form the underlying basis of intent as the Department implements software modernization. These principles consider existing DoD strategies and keep broader themes at the forefront, ensuring a holistic view that includes, but is not limited to, a technical perspective.

- Primacy of Security, Stability, and Quality at Speed - DoD must not allow the pendulum to move based strictly on the metrics of speed. Resilient software must be defined first by execution stability, quality, and dependable cyber-survivability. These attributes can be achieved at speed by aggressively adopting modern software development practices that effectively integrate performance and security throughout the software development lifecycle.
- Cloud Smart/Data Smart - Cloud services and data are fundamental to software modernization. Software must smartly utilize cloud services and incorporate data best practices to ultimately deliver impactful capabilities.
  DoD must accelerate cloud adoption to enable software modernization and proactively manage data following the DoD Data Strategy.
- Enterprise First - The Department's technical delivery is bound by fiscal realities that require an efficient and cost-effective portfolio. Enterprise capabilities are a critical part of the portfolio. Collaborative stewardship of enterprise capabilities facilitates adoption and allows DoD Components to maximize value under constrained resources.
- No One Left Behind - Software modernization introduces improved capabilities and greater automation. This modernization must be driven by strong leadership, powered by technical talent, and leveraged by an upskilled workforce. As such, development, training, and recruiting of the Department's workforce are critical aspects of software modernization.
- More Than Code - Software modernization is more than just code development. It includes the many policies, processes, and standards that take a concept from idea to reality. Considerations such as contracting and intellectual property rights, as well as transition from development to fielding, are often overlooked and underappreciated. These policies, processes, and standards must not hinder, but empower the vision of this strategy.

4 Software Modernization Framework

There are multiple ways to obtain software: adopt existing applications and platforms available through DoD Component-sponsored capabilities; buy software or the components for developing software through traditional software licenses, to include those for low-code/no-code platforms and cloud software-as-a-service subscriptions; or custom develop software, oftentimes for DoD-unique capabilities, which may include complex systems of systems, simple web applications, or embedded code.

Regardless of how software is obtained, software delivery is not a one-and-done activity, and actions that treat software this way are harmful and counter-productive. Whether adopted, bought, or created, all modern software approaches incorporate modular design tenets and automation to achieve speed and secure continuous delivery.

The Software Modernization Framework in Figure 1 identifies a minimum set of technical enablers and processes that must be addressed to modernize software delivery. It serves as a common lexicon and organizing construct for discussing and coordinating software modernization activities. It is not intended to be all-inclusive or final but instead serves as a guardrail to focus implementation. Its level of applicability depends on the approach taken in obtaining software as dictated by mission (i.e., adopt, buy, or create), complexity of software development (e.g., a simple website to a system of systems), and consideration for the software end user (e.g., warfighter, healthcare provider, or recruiter).

[Figure 1: Software Modernization Framework]

Technical Enablers: DoD must continuously adopt the latest technologies and approaches to deliver resilient software capability at the speed of relevance. These technical enablers address mission requirements, enable interoperability, and ensure security.
Enablers depicted in the framework are not all inclusive and are not independent of each other. They are represented as concentric circles to indicate that these complementary capabilities must be integrated to achieve maximum value and that their evolution, just like software delivery, is continuous in nature.

- DoD Enterprise Cloud Environment - The DoD Enterprise Cloud Environment is a multi-cloud, multi-vendor ecosystem providing cloud services across the Department. Cloud services include infrastructure, platform, and software services. This environment remains

  fundamental to software modernization, providing global compute and access to industry innovation at a rate unattainable by DoD alone. A structured approach in establishing and maintaining this environment promotes consistency in service quality, economies of scale, and avoidance of risk posed by cloud sprawl.
- Design Patterns - Design patterns are reusable solutions to commonly occurring problems within a given context in a software design. The automation of these design patterns accelerates secure cloud adoption and software development. The initial focus of this enabler is the common activities needed to stand up a virtual environment, which includes security compliance scanning and access management. These design patterns can be automated through standard blueprints or templates. Use of these blueprints or templates promotes the execution of consistent architectures and configurations across the software development landscape and plays a critical role in enabling scale, interoperability, security, and faster time to mission.
- Development, Security, and Operations (DevSecOps)/Tooling - DevSecOps is an organizational software engineering culture and practice that aims at unifying software development, security, and operations. The main characteristic of DevSecOps is to automate, monitor, and apply security at all phases of the software lifecycle: plan, develop, build, test, release and deliver, deploy, operate, and monitor. The benefits of adopting DevSecOps include reduced time from development to deployment, more robust security, and faster capability at the speed of relevance. DevSecOps/Tooling represents the set of capabilities enabling the continuous integration and delivery (CI/CD) of secure software as produced through a software factory.
  A software factory is a software assembly plant for development and integration that contains multiple pipelines, equipped with a set of tools, process workflows, scripts, and environments, to produce a set of software deployable artifacts with minimal human intervention. It automates the activities in the develop, build, test, release, and deliver phases and supports multi-tenancy. To realize the full benefit, these capabilities must effectively couple technology (e.g., tools and platforms) with process change (e.g., security authorization and testing).
- Enterprise Services - Enterprise services provide ready-to-use composable functions (e.g., security services, identity management, application programming interfaces, and data analytics) to support software modernization efforts. They allow DoD Components to rapidly adopt and use secure capabilities in support of mission requirements, thereby freeing up limited talent for unique software features and innovation. Additionally, enterprise services are a mechanism for obtaining improved financial value: buy once, accessible to all.

Tech Force Multipliers: New and emerging technologies continually change the digital landscape. In adopting these tech force multipliers, leveraging the DoD Science and Technology Strategy, DoD must consider the impact to technical enablers and processes of software modernization. In reassessing technical enablers and processes, DoD cannot limit itself to current software development concepts but must be prepared to think differently under new parameters.

Process Transformation: The software modernization framework recognizes that processes must change to take advantage of new technology. These changes must consider not only pace and agility, but incentives to facilitate new behavior, policy updates to allow for innovation and experimentation, and a shift from software compliance to operational readiness.
At DoD's scale, these changes should start small but allow for incremental growth and eventual enterprise adoption. Desired outcomes from transformation efforts include shortening acquisition timelines,

providing economic incentives to break down siloed business operations and independently managed services, and reducing the lead time for cybersecurity compliance.

- Business Operations - DoD's internal economics must change to promote the adoption of shared software development platforms and reusable software. The drivers that lead to siloed operations and independently-managed services must evolve. There must be resource incentives to foster the sharing, reuse, and trust of software capabilities. This includes building incentives into requirements and budgetary processes as well as simplifying shared services transactions through better internal management operations.
- Acquisition - Software needs are evolving, and software updates occur more rapidly than ever. Current acquisition and contracting cycles are too slow and may result in potentially obsolete software. Software acquisition must continue to change to accommodate speed and agility. This change must occur by working with industry.
- Cyber Survivability - A compliance mindset may lead to a false sense of security. Cybersecurity should be the driver and compliance an outcome. DoD must shift from a cybersecurity "snapshot in time" compliance culture to a cybersecurity practitioner culture where automation, real-time continuous risk monitoring, including supply chain risk and rapid incident response, are the norm, and integrated into software development pipelines. System security engineering methods and practices must be identified early and leverage new technologies and approaches to streamline risk processes for software, to inform continuous authorization, and to enable Defensive Cyberspace Operations (DCO).
- Testing - As software plays a more significant role in weapons platforms and mission capabilities, robust software testing must be integrated into delivery pipelines and account for end-to-end mission thread evaluations.
  Software testing must not just run through scripts assessing software features and functions, but reflect operational scenarios to ensure expectations and thresholds for operational performance are met. In support of cyber-survivability, DoD must employ cooperative and adversarial penetration testing and persistent cyber testing during development, and recurring cyber testing during deployed operations to ensure proactive defense.
- Workforce - Modern software and delivery practices require shifts in DoD's workforce. Tuning algorithms for warfighting platforms at the tactical edge requires software talent; processing data with low-code/no-code platforms requires upskilled analysts; and the advent of software-defined robotics requires a flexible workforce with appropriate levels of development and engineering knowledge. DoD must attract and retain this workforce talent, hire talent into leadership positions, and initiate upskilling efforts to successfully compete. This shift requires not only changes in workforce process, but culture. Leaders and managers must think differently about careers, how people work together, and how to build workforce synergy across the Department because the software-defined future needs multi-disciplined individuals, a better bridge between communities of experts and operators, and a technology-literate Joint Force.

Outcomes: The ultimate outcome of technical enablers and process transformation is better capability to the warfighter faster. Resilient software will deploy to mission capabilities at a faster pace, business operations will be more efficient and effective through greater automation, real-time cyber defenses will stay to the left of threat, and software will enable a strengthened data advantage by promoting a data-centric, data-driven operating environment. The following section identifies the goals and objectives that provide initial implementation direction for achieving these outcomes.
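The Cyber Survivability and DevSecOps/Tooling passages above describe compliance as an automated, continuously produced outcome of the pipeline rather than a point-in-time checklist. The following is an added example of what that looks like at the smallest scale: a policy-as-code gate that evaluates an infrastructure-as-code artifact against a few security rules, fails the pipeline on findings at or above a severity threshold, and emits a machine-readable summary that a continuous-authorization process could consume. This is illustrative code, not anything published by the Department or by any software factory it names. The plan document shape, the rule identifiers (ENC-01, ACL-01, NET-01, IMG-01, IMG-02), and the approved registry prefix hardened.example.mil are all assumptions; a production gate would run a tool such as OPA/Conftest or Checkov over a real plan.

```python
"""Policy-as-code pipeline gate over a simplified IaC artifact.

Added example for illustration; not DoD or software-factory code. The plan
format below is a hypothetical, Terraform-like resource list, and all rule
IDs and the registry prefix are invented for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str
    severity: str
    message: str


# Constructed sample plan: a compliant bucket, security group and image next
# to non-compliant ones, so the gate has something to report.
SAMPLE_PLAN = {
    "resources": [
        {"type": "aws_s3_bucket", "name": "artifacts",
         "config": {"sse_algorithm": "aws:kms", "block_public_acls": True}},
        {"type": "aws_s3_bucket", "name": "scratch",
         "config": {"sse_algorithm": None, "block_public_acls": False}},
        {"type": "aws_security_group", "name": "bastion",
         "config": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"type": "aws_security_group", "name": "internal",
         "config": {"ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"type": "container_image", "name": "api",
         "config": {"base": "hardened.example.mil/python:3.11", "runs_as_root": False}},
        {"type": "container_image", "name": "worker",
         "config": {"base": "docker.io/library/python:3.11", "runs_as_root": True}},
    ]
}

ADMIN_PORTS = {22, 3389, 5985, 5986}          # SSH, RDP, WinRM
HARDENED_REGISTRY = "hardened.example.mil/"   # hypothetical approved registry prefix
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def rule_bucket_hardening(res: dict) -> list[Finding]:
    """Object-storage buckets must be encrypted at rest and must block public ACLs."""
    if res["type"] != "aws_s3_bucket":
        return []
    cfg, out = res["config"], []
    if not cfg.get("sse_algorithm"):
        out.append(Finding("ENC-01", res["name"], "high", "no server-side encryption configured"))
    if not cfg.get("block_public_acls"):
        out.append(Finding("ACL-01", res["name"], "high", "public ACLs are not blocked"))
    return out


def rule_no_world_open_admin(res: dict) -> list[Finding]:
    """Security groups must not expose administrative ports to 0.0.0.0/0 or ::/0."""
    if res["type"] != "aws_security_group":
        return []
    out = []
    for rule in res["config"].get("ingress", []):
        ports = set(range(rule["from_port"], rule["to_port"] + 1))
        # A prefix length of 0 is the whole address space, for v4 or v6.
        world_open = any(ip_network(c).prefixlen == 0 for c in rule["cidr_blocks"])
        exposed = sorted(ports & ADMIN_PORTS)
        if world_open and exposed:
            out.append(Finding("NET-01", res["name"], "critical",
                               f"admin ports {exposed} open to the whole Internet"))
    return out


def rule_hardened_base_image(res: dict) -> list[Finding]:
    """Images must build from the approved hardened registry and must not run as root."""
    if res["type"] != "container_image":
        return []
    cfg, out = res["config"], []
    if not cfg["base"].startswith(HARDENED_REGISTRY):
        out.append(Finding("IMG-01", res["name"], "high",
                           f"base image {cfg['base']} is not from the hardened registry"))
    if cfg.get("runs_as_root", False):
        out.append(Finding("IMG-02", res["name"], "medium", "image runs as root"))
    return out


RULES: list[Callable[[dict], list[Finding]]] = [
    rule_bucket_hardening, rule_no_world_open_admin, rule_hardened_base_image,
]


def evaluate(plan: dict) -> list[Finding]:
    """Run every rule over every resource and collect the findings."""
    return [f for res in plan["resources"] for rule in RULES for f in rule(res)]


def gate(findings: list[Finding], fail_at: str = "high") -> bool:
    """Pipeline gate: pass only if no finding reaches the threshold severity."""
    return not any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at] for f in findings)


def evidence(findings: list[Finding]) -> dict:
    """Summary record a continuous-authorization dashboard could ingest per build."""
    per_rule: dict[str, int] = {}
    for f in findings:
        per_rule[f.rule_id] = per_rule.get(f.rule_id, 0) + 1
    return {"total": len(findings), "per_rule": per_rule, "passed": gate(findings)}


if __name__ == "__main__":
    found = evaluate(SAMPLE_PLAN)
    for f in found:
        print(f"[{f.severity}] {f.rule_id} {f.resource}: {f.message}")
    print(evidence(found))
```

Run against the constructed plan, the gate reports five findings (the unencrypted, publicly-ACL-able scratch bucket, SSH open to the world on the bastion group, and the worker image that is neither from the hardened registry nor non-root) and fails the build; the internal group, the artifacts bucket and the api image produce nothing. The same evaluate/evidence pair can be re-run on every commit and on the deployed configuration, which is what turns a "snapshot in time" assessment into the continuous record the text calls for.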

5 Goals and Objectives

Software modernization goals represent long-term endeavors aimed toward achieving the vision. The objectives of each goal are near-term targets focused on the technical enablers and process transformation of the framework.

5.1 Goal 1: Accelerate the DoD Enterprise Cloud Environment

The DoD Enterprise Cloud Environment is the foundation for software modernization. The multi-cloud, multi-vendor approach still holds true. The requirement for cloud across all classification domains, from enterprise to tactical edge, is still valid. The need to transition from disparate cloud efforts to a structured, integrated, and cost-effective cloud portfolio remains the Department's intent. Working with commercial cloud service providers continues to be critical as the Department technically evolves. DoD and commercial cloud service providers must work together to quickly and securely deploy cloud services and ensure transparency of cybersecurity activities to maintain the protection of DoD data. This goal is central to the President's Executive Order on Improving the Nation's Cybersecurity, Executive Order 14028, directing accelerated movement to secure cloud services and emphasizing the importance of commercial relationships.

Objectives:

- Mature an Innovative Portfolio of Cloud Contracts. DoD must provide access to cloud services across the enterprise, maintaining parity with the commercial market. An innovative portfolio includes a meaningfully differentiated set of enterprise contracts that leverages existing acquisition success while avoiding duplication. The DoD acquisition community must work closely with industry to continuously improve contracting processes for cloud services, to ensure access to the full breadth of cloud security services, and to achieve a more holistic and diverse contract portfolio that benefits the entire DoD enterprise. Contractual delays impact DoD's competitive advantage and ultimately place warfighters and their missions at risk.
- Secure Data in the Cloud. Securing data in the cloud consists of two key thrusts: improving authorization processes and establishing DCO in the cloud.

  Securing cloud for the Department begins with Federal-level processes (i.e., FedRAMP) and proceeds with DoD-specific processes (i.e., provisional authorization) coupled with cooperative independent government cybersecurity test and evaluation. These processes establish a list of approved cloud service offerings that meet DoD security criteria. System or application security compliance processes (i.e., Authority to Operate) ensure the appropriate implementation of security controls within a DoD Component's risk tolerance. These processes must be coupled with independent government developmental and operational cybersecurity testing to enhance understanding of the operational resilience of the system or application to hostile attacks. All of these authorization processes must be faster to deliver in an agile era without sacrificing security.

  Critical to managing cybersecurity risk is establishing DCO in the cloud. DCO must enable the Department to stay ahead of threats, discover vulnerabilities early, and respond to questionable behavior quickly, taking into account recurring cybersecurity test and evaluation. A coordinated response to cyber incidents in the cloud requires cooperation across DoD organizations and between DoD and industry. DoD must mature and deliver

  DCO capabilities, providing both technical capability and complementary incident reporting and response processes, to enhance our defensive posture.
- Accelerate Cloud Adoption through Automated Design Patterns. Automation is a force multiplier for limited software talent and allows for the faster, more consistent adoption of cloud services. DoD must provide reusable automated design patterns, such as Infrastructure as Code, Compliance as Code, and hardened software containers, to ease the burden required in standing up and configuring virtual development environments. These automated design patterns must be available across the enterprise, integrated into authorization processes, and continuously updated and configuration controlled. They must be based on industry best practices and prescribed or recognized standards, as well as enable diverse implementation approaches. Use of these patterns across DoD promotes consistent and robust architecture, up-to-date security, and a faster path to deployment.
- Prepare OCONUS Infrastructure for Cloud. DoD's strategic positioning outside the continental United States (OCONUS) is critical to maintaining a credible deterrent. As such, forces abroad must have access to the same, if not better, capabilities as those on the homefront. Cloud services OCONUS are fundamental to enabling a Joint Force capable of quickly and decisively mobilizing air, land, sea, space, and cyberspace capabilities in response to adversaries threatening the United States or our allies. DoD must improve OCONUS infrastructure, from facilities to networks, to fully take advantage of cloud services, enabling persistent warfighter access to data sources and producers.

5.2 Goal 2: Establish Department-wide Software Factory Ecosystem

As mentioned earlier, software increasingly defines military capabilities; therefore, DoD must scale its ability to produce secure and resilient software at speed to maintain a competitive advantage.
This strategy recognizes that the modern approaches and tools, as well as the technical talent needed to do this, are not without cost. The Department must pursue an enterprise-wide approach, establishing a software factory ecosystem that takes advantage of investments already made by the Military Services (e.g., Air Force Platform One, Navy Overmatch Software Armory, Marine Corps Business Operations Support Services, and Army Coding Resources and Transformation Ecosystem) and scales their success to enable cross-Program/cross-Service use as espoused in the 2019 Defense Innovation Board Software Acquisition and Practices Report.

Objectives:

- Advance DevSecOps through Enterprise Providers. DoD must establish requirements for a reasonable number of approved enterprise providers to efficiently scale software factories, minimize unnecessary platform duplication, and advance DevSecOps. DevSecOps platforms at scale must provide not only technical capability but the processes to attract and onboard customers (e.g., business operations model, sustainment model, and cybersecurity processes). This ecosystem of DevSecOps platforms must also provide a diversity of capability to address the Department's various mission scenarios.
- Accelerate Software Deployment with Continuous Authorization. Many DoD Comp
