Legacy ATO process is slowing software upgrades at DOD, experts say
The Pentagon’s current approach to managing and minimizing risk when acquiring commercial software products presents a barrier to the speedy adoption of new capabilities, experts warned during a congressional hearing.
The Department of Defense should consider adjusting its procurement process to speed up the deployment of new software capabilities needed to stay one step ahead of global adversaries, lawmakers and experts said on Wednesday.
During a House Armed Services Cyber, Information Technologies and Innovation Subcommittee hearing, Rep. Ro Khanna, D-Calif. — the panel’s ranking member — said the Pentagon must work with industry partners and others to better understand “the dynamic nature of software, how quickly it changes [and] how much we need that innovation to keep us the strongest military and country in the world.”
Richard Murray, a professor of control and dynamical systems and bioengineering at the California Institute of Technology, noted that he co-chaired a May 2019 Defense Innovation Board study on DOD’s software acquisition and practices, which found that the department and Congress have been struggling for decades on how to best use software for national security purposes.
Murray said the report identified three key issues when it comes to enhancing DOD’s adoption of software, which still remain areas of concern for the department. These include improving the development and deployment of critical capabilities; attracting and retaining high-tech talent; and considering software development as “fundamentally different than hardware development” when it comes to department regulations.
Ellen Lord, former defense undersecretary for acquisition and sustainment, agreed with Murray’s assessment, calling DOD’s procurement process “one of the greatest challenges and opportunities to software acquisition,” particularly when it comes to addressing and revising department regulations to “support the use of modern software development and delivery practices.”
“Funding professional training and development for acquisition professionals to ensure they have key skills for implementing the full spectrum of acquisition approaches will enable the best and most innovative software and technology to be quickly provided for our national security workforce,” Lord said, although she added that “training the acquisition workforce is necessary, but not sufficient to modernize software development and deployment.”
One potential roadblock to modernization that lawmakers and experts identified is DOD’s authorization to operate — or ATO — process, which is meant to minimize and manage risk but was criticized during the hearing for slowing down the implementation of innovative capabilities needed to advance the Pentagon’s global missions.
Rep. Morgan Luttrell, R-Texas, said “the authority to operate seems to be bogging the system down” when it comes to the Pentagon’s decades-long struggles with adopting new capabilities in a timely manner.
Lord said the challenge DOD faces “is the need for speed,” adding that “continuous ATOs” — which would enable constant risk monitoring once authorization has been reached — could allow the department to more easily deploy and update software. She noted, however, that this process has not yet been implemented.
As it stands, the experts said, the current ATO process is ill-suited to drive forward the agile software deployment that the department needs — an issue related, in part, to the broader lumping together of software with other hardware products and devices.
Daniel Patt, a senior fellow at the conservative Hudson Institute think tank, said Pentagon officials too often think of ATOs “like this old fashioned box software model.”
“We forget the risk of not updating the software, of not deploying new features which will make us more successful in our mission,” he added, saying DOD instead becomes “too focused on compliance” and the rote process of checking off steps instead of looking at updating or adding new features to acquired software.
To enable a broader shift in DOD’s effective deployment and use of software capabilities, the experts said the Pentagon should also consider ways of better utilizing the private sector’s expertise.
“We have to change the culture,” CalTech's Murray said. “We're not going to change the culture by just taking the people who are there and saying, ‘change.’ I think we do that by bringing people in who look different and think about things differently.”
NEXT STORY: Can IT restore Congress’ trust in the Pentagon?