On March 21, 2019, the Department of Defense (DoD) Defense Innovation Board (“DIB”) released a report, Software is Never Done: Refactoring the Acquisition Code for Competitive Advantage (“the Report”), summarizing DIB’s Software Acquisition and Practices (SWAP) study, which was mandated by the National Defense Authorization Act of Fiscal Year (FY) 2018. The two-year study involved conversations with Congress, the DoD, federally-funded research and development centers, contractors, and the public focused on ways in which DoD can take advantage of the strength of the U.S. commercial software ecosystem. In addition, the Board solicited feedback on concept papers and draft versions of the Report leading up to its publication.
DIB describes the ideal approach to software development as one of “iterative development that deploys secure applications and software into operations in a continuing (and continuous) fashion.” The Report is critical of current DoD software projects where the DoD “spends years on developing requirements, taking and selecting bids from contractors, and then executing programs that must meet the listed requirements before they are ‘done.’” DIB concluded that, as a result, software is obsolete before it reaches the field, is ill-matched to the needs of users, and risks positioning the DoD behind adversaries like China, which leverages private industry to develop national security software.
The Report makes 26 specific recommendations that flow from three fundamental themes: (i) “speed and cycle time” are the critical metrics for managing the DoD’s procurement, deployment and updating of software; (ii) the DoD must do more to educate, retain, and support the best internal software developers; and (iii) software development can no longer be managed as if it were hardware.
Among other things, the Report urges the DoD to immediately:
- Require suppliers to provide access to “source code, software frameworks, and development toolchains, with appropriate intellectual property (IP) rights, for all DoD-specific code,” enabling the DoD to perform full security testing and rebuilding of binaries from the source. The Report notes that contractors should have licensing agreements to protect any IP developed with their own resources.
- Shift away from the use of “rigid requirements for software programs to a list of desired features” with minimum standards for operation, security, and interoperability.
- Make security a “first-order consideration” for all software intensive systems and acquisition programs, and prioritize “regular and automated penetration testing” to expose vulnerabilities and breach DoD systems before adversaries do.
DIB proposes that the DoD secure high-level support for the Report’s vision during FY 2019, and begin initial deployment of its recommendations in FY 2020.