Defense Software for a Contested Future: Agility, Assurance, and Incentives (2025)

Chapter: 6 Summary: Toward More Agile and Assured Systems

Suggested Citation: "6 Summary: Toward More Agile and Assured Systems." National Academies of Sciences, Engineering, and Medicine. 2025. Defense Software for a Contested Future: Agility, Assurance, and Incentives. Washington, DC: The National Academies Press. doi: 10.17226/29129.

6

Summary: Toward More Agile and Assured Systems

With the introduction and adoption of the software acquisition pathway, the Department of Defense (DoD) has made a significant step toward acquiring or developing software that is more responsive to users’ needs and delivers better assured and more secure functionality.

The commercial software industry has pioneered many techniques that deliver software with agility and assurance. Although DoD software systems have many unique requirements, they also have a great deal of commonality with commercial systems, and DoD programs have much to learn from the successes of commercial software development organizations. The software acquisition pathway reflects many of these learnings, but there are still many opportunities for DoD to improve its acquisition and development practices.

This report’s discussion of incentives focuses on ways that DoD can improve its implementation of the software acquisition pathway. Emphasis on adoption, technical architectures, and agile development can enable DoD to realize the promise that the pathway offers.

The discussion of assurance covers a range of techniques that have been demonstrated in industry. The application of formal methods to verify the assurance of critical components has proven practical in industry, and the DoD stands to benefit from emulating and building on those successes. The development of software in modern memory-safe languages is becoming mainstream in industry and promises to eliminate a major class of software vulnerabilities. The federal government has rightly encouraged industry to adopt memory-safe languages,1 and many vendors are following suit—DoD programs should make that transition as well. Finally, well-structured, continuously improved secure software development processes are the norm for large software vendors and are now required for government acquisition of commercial off-the-shelf software.2 DoD should adopt the same requirements for software developed by its contractors and in-house teams.

Industry incentives for delivering and sustaining agile and assured software are very different from those that have historically applied in government acquisition programs. The discussion of incentives recommends ways that DoD can motivate its development teams and suppliers to deliver software that will meet users’ requirements within the context of procurement regulations and the practicalities of government contracts.

The adoption of the software acquisition pathway has set DoD on the right path for the acquisition of agile and assured software. If the recommendations in this report are adopted, the committee believes that they will enable DoD to make rapid progress down that path.

Enhancing DoD software for a contested future requires concurrent progress in agility, assurance, and incentives. The committee’s recommendations call for cultural and procedural shifts that enable rapid, iterative software updates (agility), rigorously verified and secure software (assurance), and alignment of institutional incentives to support both.

___________________

1 Cybersecurity and Infrastructure Security Agency (CISA), 2023, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,” Revision date October 25, https://www.cisa.gov/sites/default/files/2023-10/SecureByDesign_1025_508c.pdf.

2 M. Souppaya, K. Scarfone, and D. Dodson, 2022, “Secure Software Development Framework (SSDF) Version 1.1,” NIST Special Publication 800-218, https://csrc.nist.gov/pubs/sp/800/218/final; CISA, 2024, “Secure Software Development Attestation Form Instructions,” OMB Control #: 1670-0052, Expiration Date: 03/31/2027, Department of Homeland Security, https://www.cisa.gov/sites/default/files/2024-04/Self_Attestation_Common_Form_FINAL_508c.pdf.
