DEPUTY SECRETARY OF DEFENSE1010 DEFENSE PENTAGONWASHINGTON, DC 20301-1010FEB - 1 2022CLEAREDFor Open PublicationMEMORANDUM FOR SENIOR PENTAGON LEADERSHIPCOMMANDANT OF THE COAST GUARDFeb 02, 2022COMMANDERSOFTHECOMBATANTCOMMANDSDEFENSE AGENCY AND DOD FIELD ACTIVITY DIRECTORSDepartment of DefenseOFFICE OF PREPUBLICATION AND SECURITY REVIEWSUBJECT: Department of Defense Software ModernizationDelivering a more lethal force requires the ability to evolve faster and be more adaptablethan our adversaries. The Department's adaptability increasingly relies on software and theability to securely and rapidly deliver resilient software capability is a competitive advantage thatwill define future conflicts. Transforming software delivery times from years to minutes willrequire significant change to our processes, policies, workforce, and technology.To that end, I have approved the DoD Software Modernization Strategy (attached) andam directing the DoD Chief Information Officer (CIO), the Under Secretary of Defense forAcquisition and Sustainment, and the Under Secretary of Defense for Research and Engineeringto lead implementation of the strategy through the Software Modernization Senior SteeringGroup (SW Mod SSG). To ensure progress, the SW Mod SSG will deliver an implementationplan within 180 days and will oversee enterprise-wide progress reported through Business HealthMetrics. These efforts include, but are not limited to: DoD Component execution of DoD CIO Capability Programming Guidance in supportofDoD CIO budget certification for Cloud and development, security, and operations(DevSecOps) investments. Enterprise-wide implementation of innovative acquisition authorities and policies, toinclude DoD Instruction 5000.87, Operation of the Software Acquisition Pathway. Increased DoD Component utilization of software factories and secure DevSecOpspipelines.The DoD Software Modernization Strategy provides the approach for achieving fasterdelivery of software capabilities in support of Department priorities such as Joint All DomainCommand and Control and artificial intelligence. Given this requires the combined focus ofDoD senior leadership, I expect all offices and personnel to provide the support necessary tomake software modernization a reality.Attachment:As stated

UnclassifiedCLEAREDFor Open PublicationFeb 02, 2022Department of DefenseOFFICE OF PREPUBLICATION AND SECURITY REVIEWDepartment of DefenseSoftware ModernizationStrategyNovember 2021Version 1.0UnclaHified

UnclassifiedForeword" . running beneath many of these broad trends is a revolution in technology that posesboth peril and promise. The world's leading powers are racing to develop and deployemerging technologies . that could shape everything from the economic and militarybalance to the future of work . "Interim National Security Strategic Guidance, March 2021Five Years into the Future. A natural disaster has devastated critical infrastructure across apartner nation's seaboard, threatening U.S. assets. DoD is providing disaster relief assistanceand deploys units to the region by sea and by land. Software detects the disaster and maneuverscloud computing resources to the region dynamically. Response personnel deploy a push-buttoncollaboration environment with enterprise security, compliance, and credentialing solutions inplace within minutes. Collaboration across units is enabled, and data and communications flowsecurely and rapidly despite surrounding infrastructure damage.Three Years into the Future. In theater, cyber warfare has become a retaliatory series ofincreasingly sophisticated and frequent attacks threatening to destabilize regional security,escalating responses into the kinetic realm. DoD software factories automatically and proactivelydeploy measures based on current and future threats to vulnerable systems, from fighter aircraftto communications equipment, enabling continued joint operations.Today. A global pandemic has forced millions out of the office and into isolation. National Guardpersonnel are deployed to assist with vaccination rollout to the tune of 1.5 million doses per day.Collaboration, logistics, and communications software must be seamlessly acquired and securelyscaled to support the Department's operations.The Department's competitive advantage, today and tomorrow, is reliant on strategic insight,proactive innovation, and effective technology integration enabled through software capabilities.Software modernization, the ability to quickly deliver high-quality, secure software through reuse,acquisition, or custom development, must be part of the Department's DNA.The DoD Software Modernization Strategy sets a path for technology and process transformationthat will enable the delivery of resilient software capability at the speed of relevance. It is one in aset of sub-strategies of the DoD Digital Modernization Strategy and builds upon, evolves, andreplaces the DoD Cloud Strategy. Given software's role and pervasiveness across all aspects ofmission capabilities and supporting infrastructure, implementation success of this strategy will relyheavily on partnerships across the Department.In this era of competition and race for digital dominance, we cannot settle for incremental change.The Department must join together to deliver software better and operate as a 21st century force.Unclassified

UnclassifiedContentsForeword . . . . . . . . . . . . . . . . ii1Introduction . . . . . . . . . . . . . . . . . . . . . 12Software Modernization Vision . . . . . . . . . 13Unifying Principles . . . . . . . . . . . . . 24Software Modernization Framework . . . . . . . . . . . . . . 35Goals and Objectives . . . 65.1Goal 1: Accelerate the DoD Enterprise Cloud Environment . . . . . . . 65.2Goal 2: Establish Department-wide Software Factory Ecosystem . . . . . . . .75.3Goal 3: Transform Processesto Enable Resilience and Speed . . . . 86Unified Implementation . . . . . 1O7Conclusion . . . . . . . 10Unclassifiediii

Unclassified1IntroductionNow is the time to be bold.Early innovators within the Department have mounted ambitious challenges to what were onceconventional expectations for DoD software delivery. The DoD Software Modernization Strategyspearheads their legacy, identifying a vision, along with goals and objectives, with the purpose ofdelivering better software faster. The strategy targets the following outcomes:2 Shift secure software delivery left through modern infrastructure and platforms. Thestrategy recognizes the importance of technology in evolving how the Department deliverssoftware. It emphasizes the importance of commercial partnerships through the adoptionof cloud and establishes a new commitment toward a Department-wide approach forsoftware factories. Enable this shift through true process transformation and people development. Theinternal processes of the Department do not readily enable the software delivery pacerequired to compete. DoD must review and modernize requirements, budget, acquisition,and security processes to take advantage of new approaches and technologies, ensuringnot only speed, but better quality and protection. This transformation must be coupled witha focus on people and their contribution to software modernization success.Software Modernization VisionDeliver Resilient Software Capability at the Speed of RelevanceDefending our nation and ideals of freedom is no longer confined to traditional battlefields.Adversaries now target not just our military facilities, defensive assets, and soldiers, but also thenetworks, critical infrastructure, and individual citizens that support our way of life. Their weaponand/or target of choice - information and data. Their enabling means - software.Software is everywhere. It is integrated into our homes; drives us to work; and defines our health,economic, and military capabilities. DoD increasingly relies on software for automation, decisionmaking, and execution of action . Software capabilities create opportunities for efficiencies andinnovation while at the same time, expose new attack surfaces and risks. Adversaries know this.They continue to invest in technology and talent, leveraging software capabilities to undermineour operations, threaten our infrastructure, and manipulate democracy.Fighting and winning on the next battlefield will depend on DoD's proficiency to rapidly andsecurely deliver resilient software capabilities. This proficiency must empower the warfighter andcyber defenders with the latest innovations to better understand the battlefield, enable Joint AllDomain Command and Control (JADC2) with automation and machine learning, and arm leaderswith a decision advantage through the aggregation and processing of data. To accomplish this,the Department cannot rely on antiquated platforms and processes of the past, and cannot do italone.Unclassified1

UnclassifiedThe vision for software modernization is simple - deliver resilient software capability at the speedof relevance. Resilience implies software that is high-quality and secure, able to withstand andrecover in the face of challenging conditions. Speed of relevance implies the accelerated deliveryneeded to maintain a competitive advantage. The approach is practical - unify efforts across DoDand partner with industry-leading software institutions to produce a portfolio of best-in-classsoftware capabilities enabled by DoD processes. These capabilities must augment and integratewith other infrastructure components to include Zero Trust Architectures (ZTA), electromagneticspectrum capabilities, and a growing inventory of connected military devices. The followingsections identify a set of principles to unify efforts, a framework to organize activities, and initialgoals and objectives to set implementation direction.3Unifying PrinciplesThe unifying principles of this strategy form the underlying basis of intent as the Departmentimplements software modernization. These principles consider existing DoD strategies andmaintain broader themes at the forefront, ensuring a holistic to include, but not be limited to, justa technical perspective. A Primacy of Security, Stability, and Quality at Speed - DoD must not allow thependulum to move based strictly on the metrics of speed. Resilient software must bedefined first by execution stability, quality, and dependable cyber-survivability. Theseattributes can be achieved at speed by aggressively adopting modern softwaredevelopment practices that effectively integrate performance and security throughout thesoftware development lifecycle. Cloud Smart/Data Smart - Cloud services and data are fundamental to softwaremodernization. Software must smartly utilize cloud services and incorporate data bestpractices to ultimately deliver impactful capabilities. DoD must accelerate cloud adoptionto enable software modernization and proactively manage data following the DoD DataStrategy. Enterprise First - The Department's technical delivery is bound by fiscal realities thatrequire an efficient and cost-effective portfolio. Enterprise capabilities are a critical part ofthe portfolio. Collaborative stewardship of enterprise capabilities facilitates adoption andallows DoD Components to maximize value under constrained resources. No One Left Behind - Software modernization introduces improved capabilities andgreater automation. This modernization must be driven by strong leadership, powered bytechnical talent, and leveraged by an upskilled workforce. As such, development, training,and recruiting of the Department's workforce are critical aspects of softwaremodernization. More Than Code - Software modernization is more than just code development. Itincludes the many policies, processes, and standards that take a concept from idea toreality. Considerations such as contracting and intellectual property rights, as well astransition from development to fielding, are often overlooked and underappreciated. Thesepolicies, processes, and standards must not hinder, but empower the vision of thisstrategy.Unclassified2

Unclassified4Software Modernization FrameworkThere are multiple ways to obtain software: adopt existing applications and platforms availablethrough DoD Component-sponsored capabilities; buy software or the components for developingsoftware through traditional software licenses to include those for low-code/no-code platformsand cloud software-as-a-service subscriptions; or custom develop software, oftentimes for DoD unique capabilities which may include complex systems of systems, simple web applications, orembedded code.Regardless of how software is obtained, software delivery is not a one-and-done activity andactions that treat software this way are harmful and counter-productive. Whether adopted, bought,or created, all modern software approaches incorporate modular design tenets and automationto achieve speed and secure continuous delivery.The Software Modernization Framework in Figure 1 identifies a minimum set of technical enablersand processes that must be addressed to modernize software delivery. It serves as a commonlexicon and organizing construct for discussing and coordinating software modernizationactivities. It is not intended to be all-inclusive or final but instead serves as a guardrail to focusimplementation . Its level of applicability depends on the approach taken in obtaining software asdictated by mission (i.e., adopt, buy, or create), complexity of software development (e.g., asimple website to a system of systems) , and consideration for the software end user (e.g .,warfighter, healthcare provider, or recruiter).---·-. .,- --MUil-.-----""""MilSlevolvethe workb"ceto ,ctia,ges111 p t O C t t e n i lnp9db-,'MIBl.dnw ICJltsd - - - 'Mdbc» n1 OaQ c:oq,etlncm Figure 1: Software Modernization FrameworkTechnical Enablers: DoD must continuously adopt the latest technologies and approaches todeliver resilient software capability at the speed of relevance. These technical enablers addressmission requirements, enable interoperability, and ensure security. Enablers depicted in theframework are not all inclusive and are not independent of each other. They are represented asconcentric circles to indicate that these complementary capabilities must be integrated to achievemaximum value and that their evolution , just like software delivery, is continuous in nature. DoD Enterprise Cloud Environment- The DoD Enterprise Cloud Environment is a multi cloud, multi-vendor ecosystem providing cloud services across the Department. Cloudservices include infrastructure, platform , and software services. This environment remainsUnclassified3

Unclassifiedfundamental to software modernization, providing global compute and access to industryinnovation at a rate unattainable by DoD alone. A structured approach in establishing andmaintaining this environment promotes consistency in service quality, economies of scale,and avoidance of risk posed by cloud sprawl. Design Patterns - Design patterns are reusable solutions to commonly occurringproblems within a given context in a software design. The automation of these designpatterns accelerates secure cloud adoption and software development. The initial focusof this enabler are the common activities needed to stand-up a virtual environment, whichincludes security compliance scanning and access management. These design patternscan be automated through standard blueprints or templates. Use of these blueprints ortemplates promotes the execution of consistent architectures and configurations acrossthe software development landscape and plays a critical role in enabling scale,interoperability, security, and faster time to mission. Development, Security, and Operations (DevSecOps)nooling - DevSecOps is anorganizational software engineering culture and practice that aims at unifying softwaredevelopment, security, and operations. The main characteristic of DevSecOps is toautomate, monitor, and apply security at all phases of the software lifecycle: plan, develop,build, test, release and deliver, deploy, operate, and monitor. The benefits of adoptingDevSecOps include reduced time from development to deployment, more robust security,and faster capability at the speed of relevance. DevSecOps/Tooling represents the set ofcapabilities enabling the continuous integration and delivery (Cl/CD) of secure softwareas produced through a software factory. A software factory is a software assembly plantfor development and integration that contains multiple pipelines, equipped with a set oftools, process workflows, scripts, and environments, to produce a set of softwaredeployable artifacts with minimal human intervention. It automates the activities in thedevelop, build, test, release, and deliver phases and supports multi-tenancy. To realizethe full benefit, these capabilities must effectively couple technology (e.g., tools andplatforms) with process change (e.g., security authorization and testing). Enterprise Services - Enterprise services provide ready-to-use composable functions(e.g., security services, identity management, application programming interfaces, anddata analytics) to support software modernization efforts. They allow DoD Components torapidly adopt and use secure capabilities in support of mission requirements, thereby,freeing up limited talent for unique software features and innovation. Additionally,enterprise services are a mechanism for obtaining improved financial value; buy once andaccessible to all.Tech Force Multipliers: New and emerging technologies continually change the digitallandscape. In adopting these tech force multipliers, leveraging the DoD Science and TechnologyStrategy, DoD must consider the impact to technical enablers and processes of softwaremodernization. In reassessing technical enablers and processes, DoD cannot limit itself to currentsoftware development concepts but must be prepared to think differently under new parameters.Process Transformation: The software modernization framework recognizes that processesmust change to take advantage of new technology. These changes must consider not only paceand agility, but incentives to facilitate new behavior, policy updates to allow for innovation andexperimentation, and a shift from software compliance to operational readiness. At DoD's scale,these changes should start small but allow for incremental growth and eventual enterpriseadoption. Desired outcomes from transformation efforts include shortening acquisition timelines,Unclassified4

Unclassifiedproviding economic incentives to break down siloed business operations and independently managed services, and reducing the lead time for cybersecurity compliance. Business Operations - DoD's internal economics must change to promote the adoptionof shared software development platforms and reusable software. The drivers that lead tosiloed operations and independently-managed services must evolve. There must beresource incentives to foster the sharing, reuse, and trust of software capabilities. Thisincludes building incentives into requirements and budgetary processes as well assimplifying shared services transactions through better internal management operations. Acquisition - Software needs are evolving, and software updates occur more rapidly thanever. Current acquisition and contracting cycles are too slow and may result in potentiallyobsolete software. Software acquisition must continue to change to accommodate speedand agility. This change must occur by working with industry. Cyber Survivability - A compliance mindset may lead to a false sense of security.Cybersecurity should be the driver and compliance an outcome. DoD must shift from acybersecurity "snapshot in time" compliance culture to a cybersecurity practitioner culturewhere automation, real-time continuous risk monitoring, including supply chain risk andrapid incident response, are the norm, and integrated into software development pipelines.System security engineering methods and practices must be identified early and leveragenew technologies and approaches to streamline risk processes for software, to informcontinuous authorization, and to enable Defensive Cyberspace Operations (DCO). Testing - As software plays a more significant role in weapons platforms and missioncapabilities, robust software testing must be integrated into delivery pipelines and accountfor end-to-end mission thread evaluations. Software testing must not just run throughscripts assessing software features and functions, but reflect operational scenarios toensure expectations and thresholds for operational performance are met. In support ofcyber-survivability, DoD must employ cooperative and adversarial penetration testing andpersistent cyber testing during development, and recurring cyber testing during deployedoperations to ensure proactive defense. Workforce - Modern software and delivery practices require shifts in DoD's workforce.Tuning algorithms for warfighting platforms at the tactical edge requires software talent;processing data with low-code/no-code platforms requires upskilled analysts; and theadvent of software-defined robotics requires a flexible workforce with appropriate levels ofdevelopment and engineering knowledge. DoD must attract and retain this workforcetalent, hire talent into leadership positions, and initiate upskilling efforts to successfullycompete. This shift requires not only changes in workforce process, but culture. Leadersand managers must think differently about careers, how people work together, and howto build workforce synergy across the Department because the software-defined futureneeds multi-disciplined individuals, a better bridge between communities of experts andoperators, and a technology-literate Joint Force.Outcomes: The ultimate outcome of technical enablers and process transformation is bettercapability to the warfighter faster. Resilient software will deploy to mission capabilities at a fasterpace, business operations will be more efficient and effective through greater automation, real time cyber defenses will stay to the left of threat, and software will enable a strengthened dataadvantage by promoting a data-centric, data-driven operating environment. The following sectionidentifies the goals and objectives that provide initial implementation direction for achieving theseoutcomes.Unclassified5

Unclassified5Goals and ObjectivesSoftware modernization goals represent long-term endeavors aimed toward achieving the vision.The objectives of each goal are near-term targets focused on the technical enablers and processtransformation of the framework.5.1Goal 1: Accelerate the DoD Enterprise Cloud EnvironmentThe DoD Enterprise Cloud Environment is the foundation for softwaremodernization. The multi-cloud, multi-vendor approach still holds true. Therequirement for cloud across all classification domains, from enterprise to tacticaledge, is still valid. The need to transition from disparate cloud efforts to astructured, integrated, and cost-effective cloud portfolio remains the Department'sintent. Working with commercial cloud service providers continues to be critical asthe Department technically evolves. DoD and commercial cloud service providers must worktogether to quickly and securely deploy cloud services and ensure transparency of cybersecurityactivities to maintain the protection of DoD data. This goal is central to the President's ExecutiveOrder on Improving the Nation's Cybersecurity, Executive Order 14028, directing acceleratedmovement to secure cloud services and emphasizing the importance of commercial relationships.Objectives: Mature an Innovative Portfolio of Cloud Contracts. DoD must provide access to cloudservices across the enterprise, maintaining parity with the commercial market. Aninnovative portfolio includes a meaningfully differentiated set of enterprise contracts thatleverages existing acquisition success while avoiding duplication. The DoD acquisitioncommunity must work closely with industry to continuously improve contracting processesfor cloud services, to ensure access to the full breadth of cloud security services, and toachieve a more holistic and diverse contract portfolio that benefits the entire DoDenterprise. Contractual delays impact DoD's competitive advantage and ultimately, placewarfighters and their missions at risk. Secure Data in the Cloud. Securing data in the cloud consists of two key thrusts:improving authorization processes and establishing DCO in the cloud.Securing cloud for the Department begins with Federal-level processes (i.e., FedRAMP)and proceeds with DoD-specific processes (i.e., provisional authorization) coupled withcooperative independent government cybersecurity test and evaluation. These processesestablish a list of approved cloud service offerings that meet DoD security criteria. Systemor application security compliance processes (i.e., Authority to Operate) ensure theappropriate implementation of security controls within a DoD Component's risk tolerance.These processes must be coupled with independent government developmental andoperational cybersecurity testing to enhance understanding of the operational-resilienceof the system or application to hostile attacks. All of these authorization processes mustbe faster to deliver in an agile era without sacrificing security.Critical to managing cybersecurity risk is establishing DCO in the cloud . DCO must enablethe Department to stay ahead of threats, discover vulnerabilities early, and respond toquestionable behavior quickly, taking into account recurring cybersecurity test andevaluation. A coordinated response to cyber incidents in the cloud requires cooperationacross DoD organizations and between DoD and industry. DoD must mature and deliverUnclassified6

UnclassifiedDCO capabilities, providing both technical capability and complementary incidentreporting and response processes, to enhance our defensive posture. Accelerate Cloud Adoption through Automated Design Patterns. Automation is aforce multiplier for limited software talent and allows for the faster, more consistentadoption of cloud services. DoD must provide reusable automated design patterns, suchas Infrastructure as Code, Compliance as Code, and hardened software containers, toease the burden required in standing up and configuring virtual developmentenvironments. These automated design patterns must be available across the enterprise,integrated into authorization processes, and continuously updated and configurationcontrolled. They must be based on industry best practices and prescribed or recognizedstandards, as well as enable diverse implementation approaches. Use of these patternsacross DoD promotes consistent and robust architecture, up-to-date security, and a fasterpath to deployment. Prepare OCONUS Infrastructure for Cloud. DoD's strategic positioning outside thecontinental United States (OCONUS) is critical to maintaining a credible deterrent. Assuch, forces abroad must have access to the same, if not better, capabilities as those onthe homefront. Cloud services OCONUS are fundamental to enabling a Joint Forcecapable of quickly and decisively mobilizing air, land, sea, space, and cyberspacecapabilities in response to adversaries threatening the United States or our allies. DoDmust improve OCONUS infrastructure, from facilities to networks, to fully take advantageof cloud services, enabling persistent warfighter access to data sources and producers.5.2Goal 2: Establish Department-wide Software Factory EcosystemAs mentioned earlier, software increasingly defines military capabilities; therefore,DoD must scale its ability to produce secure and resilient software at speed tomaintain a competitive advantage. This strategy recognizes that the modernapproaches and tools, as well as the technical talent needed to do this, are notwithout cost. The Department must pursue an enterprise-wide approach,establishing a software factory ecosystem that takes advantage of investmentsalready made by the Military Services (e.g., Air Force Platform One, Navy Overmatch SoftwareArmory, Marine Corps Business Operations Support Services, and Army Coding Resources andTransformation Ecosystem) and scales their success to enable cross-Program/cross-Service useas espoused in the 2019 Defense Innovation Board Software Acquisition and Practices Report.Objectives: Advance DevSecOps through Enterprise Providers. DoD must establish requirementsfor a reasonable number of approved enterprise providers to efficiently scale softwarefactories, minimize unnecessary platform duplication, and advance DevSecOps.DevSecOps platforms at scale must provide not only technical capability but the processesto attract and onboard customers (e.g., business operations model, sustainment model,and cybersecurity processes). This ecosystem of DevSecOps platforms must also providea diversity of capability to address the Department's various mission scenarios. Accelerate Software Deployment with Continuous Authorization. Many DoDComp

Feb 03, 2022 · The world's leading powers are racing to develop and deploy . The vision for software modernization is simple - deliver resilient software capability at the speed . There are multiple ways to obtain software: ado