The strategy, published Wednesday, was accompanied by recent memos on strengthening cybersecurity with a “continuous Authority to Operate” and another on the importance of open-source software.
Together, the documents aim to push software closer to the center of how DOD does business and wages war with a more collaborative approach to coding across software factories and services.
“We are approaching that apex point where we are going forward concretely, decisively and it’s really exciting,” Jason Weiss, the DOD’s chief software officer, told FedScoop in an interview about the documents.
Weiss added the timing on the three memos was simply “fortuitous.”
The new Software Modernization Strategy calls for an enterprise approach to the services needed to build software. Its main goals include increasing migration to an enterprise cloud, establishing a departmentwide software factory ecosystem and transforming processes to enable faster and more resilient code deployment.
Weiss said a key enabler of achieving these goals will be a collaboration between the 29 software factories and creating “enterprise shared services.”
“Our ability to execute as a single team means we actually need to start sharing more,” he said.
How that sharing will work is still an unanswered question. Some collaboration will come down to the factories publishing reference designs, sharing tools they build and signing agreements like Platform One and Kessel Run recently did.
But the deployment of shared services cuts across budgetary and cultural silos that Weiss said will require a “hybrid model” of different military departments taking the lead on different aspects of services available to all.
“I am actually pretty bullish on our ability to solve this,” he said.
Making ATOs continuous
Often the longest part of deploying a new piece of software is getting it an authority to operate (ATO), which is typically given after a system is checked against a long list of security controls. But all that means is the system passed security checks at one point in time and there are few means to monitor how well the software is holding up to new forms of attack.
The DOD issued a separate memo Wednesday aimed at modernizing the ATO process, also by enhancing collaboration. The goal is to remake the ATO process into a “continuous” one by giving what Weiss calls a “shared language” to the services.
“They were coming along with languages that were ‘service proprietary,’” he said about talks on reciprocity and how to accredit systems from different services.
Now, the DOD chief information security officer has the ability to create cATOs, an authority Weiss said will only temporarily be unique to the CISO.
“He does not intend to retain that long-term,” Weiss said, citing the possibilities of creating new bottlenecks.
The basic principles come down to visibility of cybersecurity activities inside the system, active cyber defense and using a DevSecOps reference design to be able to continuously update code based on user feedback and security needs.
“We are starting to see some significant momentum behind DevSecOps,” Weiss said.
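The difference between a point-in-time ATO and a continuous one can be made concrete with a small evidence evaluator. The following is an added illustration, not code from the article, the DOD, or any software factory: it assumes each security control produces timestamped pass/fail evidence from automated sources (an IAM scan, a configuration scan, a SIEM health check), and treats an authorization as valid only while every required control has fresh, passing evidence. The control identifiers follow NIST SP 800-53 naming; the evidence records, the seven-day freshness window, and the dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ControlEvidence:
    """One observation of a security control, as an automated tool would emit it."""
    control_id: str      # e.g. "AC-2" (NIST SP 800-53 Account Management)
    passed: bool
    observed_at: datetime
    source: str          # which pipeline stage or scanner produced the evidence


def evaluate_authorization(evidence, required_controls, now, max_age):
    """Decide whether the system is authorized at time `now`.

    Only evidence observed at or before `now` counts. For each required control
    the most recent observation is used; a control is 'stale' when that
    observation is older than `max_age`, 'failed' when it did not pass, and
    'missing' when no observation exists. Authorization holds only if none of
    the three lists is non-empty.
    """
    latest = {}
    for record in evidence:
        if record.observed_at > now:
            continue  # evidence from the future is not visible at `now`
        current = latest.get(record.control_id)
        if current is None or record.observed_at > current.observed_at:
            latest[record.control_id] = record

    missing, stale, failed = [], [], []
    for control_id in sorted(required_controls):
        record = latest.get(control_id)
        if record is None:
            missing.append(control_id)
        elif now - record.observed_at > max_age:
            stale.append(control_id)
        elif not record.passed:
            failed.append(control_id)

    return {
        "authorized": not (missing or stale or failed),
        "missing": missing,
        "stale": stale,
        "failed": failed,
    }


# Constructed scenario: an ATO granted on 3 Jan after a full assessment, then
# automated checks feeding evidence while the system runs. Dates are fictional.
UTC = timezone.utc
ATO_GRANTED = datetime(2022, 1, 3, tzinfo=UTC)
NOW = datetime(2022, 2, 2, tzinfo=UTC)
REQUIRED_CONTROLS = {"AC-2", "SI-2", "CM-6", "AU-6"}
FRESHNESS_WINDOW = timedelta(days=7)  # assumed policy value, not from the memo

SAMPLE_EVIDENCE = [
    # Initial assessment: everything passed on the day the ATO was granted.
    ControlEvidence("AC-2", True, ATO_GRANTED, "initial-assessment"),
    ControlEvidence("SI-2", True, ATO_GRANTED, "initial-assessment"),
    ControlEvidence("CM-6", True, ATO_GRANTED, "initial-assessment"),
    ControlEvidence("AU-6", True, ATO_GRANTED, "initial-assessment"),
    # Continuous monitoring a month later: SI-2 (flaw remediation) was never
    # re-checked, and CM-6 (configuration settings) has drifted to a failure.
    ControlEvidence("AC-2", True, NOW - timedelta(hours=2), "iam-scan"),
    ControlEvidence("CM-6", False, NOW - timedelta(hours=1), "config-scan"),
    ControlEvidence("AU-6", True, NOW - timedelta(hours=3), "siem-health"),
]


def snapshot_at_grant():
    """The point-in-time view the traditional ATO is based on."""
    return evaluate_authorization(SAMPLE_EVIDENCE, REQUIRED_CONTROLS,
                                  ATO_GRANTED, FRESHNESS_WINDOW)


def current_posture():
    """The continuous view: the same system one month into operation."""
    return evaluate_authorization(SAMPLE_EVIDENCE, REQUIRED_CONTROLS,
                                  NOW, FRESHNESS_WINDOW)


if __name__ == "__main__":
    print("at grant:", snapshot_at_grant())
    print("now:     ", current_posture())
```

The snapshot at grant time reports the system as authorized, which is exactly what a one-time ATO records. Re-running the same evaluator a month later flags SI-2 as stale (no evidence inside the window) and CM-6 as failed (the latest scan found drift), so the authorization no longer holds. Wiring such an evaluator into the DevSecOps pipeline is what turns "passed the checks once" into the continuous visibility the memo describes.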
Collectively, the memos and new strategy push the department toward a more software-focused future. Yet another example of this is a Jan. 24 memo on open source software that pushes the DOD to use code from the public to the “maximum extent practical” as a means to get away from vendor lock-in and reduce cost.
“Collaboration is tantamount to success,” Weiss said of the new policies.