• Sponsored

Stop building custom IT: A smarter approach to tech adoption in the defense sector

For defense agencies and contractors staring down the grueling, months-long process of achieving Cybersecurity Maturity Model Certification (CMMC), a former federal IT official has a clear message: Stop building compliance environments from scratch.

Nick Totten, a former deputy CIO at the Department of Treasury, and now CIO for SAP National Security Services (SAP NS2), argues that defense organizations must fundamentally shift how they approach federal IT modernization if they want to keep pace with rapid advancements in artificial intelligence.

Speaking on a recent episode of the Ctrl + Alt + Defense podcast, Totten warned that building a CMMC-compliant environment can be an exhausting nine-month endeavor that drains capital and personnel from critical technology goals. Instead of wasting time on bespoke infrastructure builds, defense organizations should strategically leverage security controls from existing, accredited cloud platforms.

“It’s much easier just to adopt and embrace an existing certification or accreditation versus doing it themselves,” Totten said. He emphasized that the time lost to manual compliance is a massive opportunity cost, particularly when AI progress is now measured in months rather than years.

By utilizing a certified cloud environment operated by SAP NS2, which currently holds a Level 2 CMMC certification and aims for Level 3 by 2027, the defense contractors can bypass this compliance gridlock and immediately focus on delivering required capabilities.

That’s a critical step for defense agencies as well. Transitioning away from on-premises legacy systems to the cloud is essential for eliminating rigid capacity constraints, supply chain dependencies, and the ongoing budget battles associated with multi-year hardware refresh cycles.

However, Totten cautioned that merely lifting and shifting old applications to the cloud is a wasted investment. Agencies must fundamentally update their legacy business processes when migrating to enterprise resource planning (ERP) systems.

“You never want to replicate technology to do exactly what you did before,” Totten explained. He noted that moving to a modern software-as-a-service solution unlocks new operational capabilities, rather than simply putting a new user interface on old workflows.

The ultimate reward for inheriting accredited infrastructure is the ability to rapidly and securely deploy AI tools. As the Department of Defense races to integrate autonomous capabilities, the risk of exposing sensitive data grows exponentially. Totten warned of a recent real-world incident in which a company accidentally lost its entire codebase due to insecure AI practices.

To prevent this, he advocated for an “autonomous enterprise” approach, where organizations access AI models directly within pre-secured, hosted environments. This structure ensures that AI efficiencies are realized using tightly controlled, table-driven data without ever breaching the established cybersecurity perimeter.

“You have to have 100% accuracy, you can’t risk an AI agent making an inference,” Totten said, stressing the absolute need for precision when handling sensitive financial, supply chain, or human capital data.

By abandoning the instinct to custom-build every secure IT environment, the defense enterprise can more rapidly align the uncompromising demand for security with the absolute imperative to innovate at speed.

Listen to the full podcast segment to hear Totten’s insights on leveraging SAP NS2’s expertise in support of defense innovation. This podcast was produced by Scoop News Group, for DefenseScoop, and underwritten by SAP NS2.