Software Acquisition


Software in NDAAs


Congress in recent National Defense Authorization Acts (NDAAs) included many provisions on DoD Software Modernization.

FY18 NDAA

Section 872: Defense Innovation Board Analysis of Software Acquisition Regulations.

FY18 NDAA Section 872

SEC. 872. DEFENSE INNOVATION BOARD ANALYSIS OF SOFTWARE ACQUISITION REGULATIONS.

(a) Study.—

(1) IN GENERAL.—Not later than 30 days after the date of the enactment of this Act, the Secretary of Defense shall direct the Defense Innovation Board to undertake a study on streamlining software development and acquisition regulations.

(2) MEMBER PARTICIPATION.—The Chairman of the Defense Innovation Board shall select appropriate members from the membership of the Board to participate in the study, and may recommend additional temporary members or contracted support personnel to the Secretary of Defense for the purposes of the study. In considering additional appointments to the study, the Secretary of Defense shall ensure that members have significant technical, legislative, or regulatory expertise and reflect diverse experiences in the public and private sector.

(3) SCOPE.—The study conducted pursuant to paragraph (1) shall—

(A) review the acquisition regulations applicable to, and organizational structures within, the Department of Defense with a view toward streamlining and improving the efficiency and effectiveness of software acquisition in order to maintain defense technology advantage;

(B) review ongoing software development and acquisition programs, including a cross section of programs that offer a variety of application types, functional communities, and scale, in order to identify case studies of best and worst practices currently in use within the Department of Defense;

(C) produce specific and detailed recommendations for any legislation, including the amendment or repeal of regulations, as well as non-legislative approaches, that the members of the Board conducting the study determine necessary to—

(i) streamline development and procurement of software;

(ii) adopt or adapt best practices from the private sector applicable to Government use;

(iii) promote rapid adoption of new technology;

(iv) improve the talent management of the software acquisition workforce, including by providing incentives for the recruitment and retention of such workforce within the Department of Defense;

(v) ensure continuing financial and ethical integrity in procurement; and

(vi) protect the best interests of the Department of Defense; and

(D) produce such additional recommendations for legislation as such members consider appropriate.

(4) ACCESS TO INFORMATION.—The Secretary of Defense shall provide the Defense Innovation Board with timely access to appropriate information, data, resources, and analysis so that the Board may conduct a thorough and independent analysis as required under this subsection.

(b) Reports.—

(1) INTERIM REPORTS.—Not later than 150 days after the date of the enactment of this Act, the Secretary of Defense shall submit a report to or brief the congressional defense committees on the interim findings of the study conducted pursuant to subsection (a). The Defense Innovation Board shall provide regular updates to the Secretary of Defense and the congressional defense committees for purposes of providing the interim report.

(2) FINAL REPORT.—Not later than one year after the Secretary of Defense directs the Defense Advisory Board to conduct the study, the Board shall transmit a final report of the study to the Secretary. Not later than 30 days after receiving the final report, the Secretary of Defense shall transmit the final report, together with such comments as the Secretary determines appropriate, to the congressional defense committees.

FY18 NDAA Section 872 Conference Report

Defense Innovation Board analysis of software acquisition regulations (sec. 872)

The Senate amendment contained a provision (sec. 882) that would require the Defense Innovation Board to complete an analysis of software development and acquisition regulations for the Department of Defense. This provision would require the Secretary of Defense to report to the congressional defense committees on the preliminary findings no later than 150 days after the enactment of this Act. No later than 1 year after the Secretary tasks the Defense Innovation Board with the study, the Board should submit its report to the Secretary; no later than 30 days after receipt, the Secretary should submit the final report, together with such comments as the Secretary determines appropriate, to the congressional defense committees.

The House bill contained no similar provision.

The House recedes with an amendment that would provide additional focus to the scope of the analysis.

Section 873: Pilot Program to Use Agile or Iterative Development Methods to Tailor Major Software-Intensive Warfighting Systems and Defense Business Systems.

FY18 NDAA Section 873

SEC. 873. PILOT PROGRAM TO USE AGILE OR ITERATIVE DEVELOPMENT METHODS TO TAILOR MAJOR SOFTWARE-INTENSIVE WARFIGHTING SYSTEMS AND DEFENSE BUSINESS SYSTEMS.

(a) Pilot Program.—

(1) IN GENERAL.—Not later than 30 days after the date of the enactment of this Act, the Secretary of Defense, in consultation with the Secretaries of the military departments and the chiefs of the armed forces, shall establish a pilot program to tailor and simplify software development requirements and methods for major software-intensive warfighting systems and defense business systems.

(2) IMPLEMENTATION PLAN FOR PILOT PROGRAM.—Not later than 120 days after the date of the enactment of this Act, the Secretary of Defense, in consultation with the Secretaries of the military departments and the chiefs of the armed forces, shall develop a plan for implementing the pilot program required under this subsection, including guidance for implementing the program and for selecting systems for participation in the program.

(3) SELECTION OF SYSTEMS FOR PILOT PROGRAM.—

(A) The implementation plan shall require that systems be selected as follows:

(i) For major software-intensive warfighting systems, one system per armed force and one defense-wide system, including at least one major defense acquisition program or major automated information system.

(ii) For defense business systems, not fewer than two systems and not greater than eight systems.

(B) In selecting systems for participation, the Secretary shall prioritize systems as follows:

(i) For major software-intensive warfighting systems, systems that—

(I) have identified software development as a high risk;

(II) have experienced cost growth and schedule delay; and

(III) did not deliver any operational capability within the prior calendar year.

(ii) For defense business systems, systems that—

(I) have experienced cost growth and schedule delay;

(II) did not deliver any operational capability within the prior calendar year; and

(III) are underperforming other systems within a defense business system portfolio with similar user requirements.

(b) Realignment Plans.—

(1) IN GENERAL.—Not later than 60 days after selecting a system for the pilot program under subsection (a)(3), the Secretary shall develop a plan for realigning the system by breaking down the system into smaller increments using agile or iterative development methods. The realignment plan shall include a revised cost estimate that is lower than the cost estimate for the system that was current as of the date of the enactment of this Act.

(2) REALIGNMENT EXECUTION.—Each increment for a realigned system shall—

(A) be designed to deliver a meaningfully useful capability within the first 180 days following realignment;

(B) be designed to deliver subsequent meaningfully useful capabilities in time periods of less than 180 days;

(C) incorporate multidisciplinary teams focused on software production that prioritize user needs and control of total cost of ownership;

(D) be staffed with highly qualified technically trained staff and personnel with management and business process expertise in leadership positions to support requirements modification, acquisition strategy, and program decisionmaking;

(E) ensure that the acquisition strategy for the realigned system is broad enough to allow for proposals of a service, system, modified business practice, configuration of personnel, or combination thereof for implementing the strategy;

(F) include periodic engagement with the user community, as well as representation by the user community in program management and software production activity;

(G) ensure that the acquisition strategy for the realigned system favors outcomes-based requirements definition and capability as a service, including the establishment of technical evaluation criteria as outcomes to be used to negotiate service-level agreements with vendors; and

(H) consider options for termination of the relationship with any vendor unable or unwilling to offer terms that meet the requirements of this section.

(c) Removal Of Systems.—The Secretary may remove a system selected for the pilot program under subsection (a)(3) only after the Secretary submits to the Committees on Armed Services of the Senate and House of Representatives a written determination that indicates that the selected system has been unsuccessful in reducing cost or schedule growth, or is not meeting the overall needs of the pilot program.

(d) Education And Training In Agile Or Iterative Development Methods.—

(1) TRAINING REQUIREMENT.—The Secretary shall ensure that any personnel from the relevant organizations in each of the military departments and Defense Agencies participating in the pilot program, including organizations responsible for engineering, budgeting, contracting, test and evaluation, requirements validation, and certification and accreditation, receive targeted training in agile or iterative development methods, including the interim course required by section 891 of this Act.

(2) SUPPORT.—In carrying out the pilot program under subsection (a), the Secretary shall ensure that personnel participating in the program provide feedback to inform the development of education and training curricula as required by section 891.

(e) Sunset.—The pilot program required under subsection (a) shall terminate on September 30, 2023. Any system selected under subsection (a)(3) for the pilot program shall continue after that date through the execution of its realignment plan.

(f) Agile Or Iterative Development Defined.—In this section, the term “agile or iterative development”, with respect to software—

(1) means acquisition pursuant to a method for delivering multiple, rapid, incremental capabilities to the user for operational use, evaluation, and feedback not exclusively linked to any single, proprietary method or process; and

(2) involves—

(A) the incremental development and fielding of capabilities, commonly called “spirals”, “spins”, or “sprints”, which can be measured in a few weeks or months; and

(B) continuous participation and collaboration by users, testers, and requirements authorities.

FY18 NDAA Section 873 Conference Report

Pilot program to use agile or iterative development methods to tailor major software-intensive warfighting systems and defense business systems (sec. 873)

The Senate amendment contained two provisions (secs. 883 and 884) that would establish two pilots that encourage the Department’s use of tailoring to realign several major warfighting programs and defense business systems.

The House bill contained no similar provision. The House recedes with an amendment that would combine the two provisions, extend associated timelines, modify the definition of agile development, and require staff involved in programs selected under the pilot to take training on agile methods.

The conferees note that the Department of Defense’s warfighting, business, and enterprise capabilities are increasingly reliant on or driven by software and information technology. The conferees note with concern that the Department is behind other federal agencies and industry in implementing best practices for acquisition of software and information technologies, to include agile and incremental development methods.

The conferees note that existing law and acquisition regulation provide significant flexibility to the Department and that the Department has explicitly provided for tailoring in its acquisition directives and instructions.

The conferees note with concern that the organizational culture and tradition of acquiring capabilities using a hardware-dominant approach impedes effective tailoring of acquisition approaches to incorporate agile and incremental development methods. Therefore, the conferees expect that in conducting the program selection and tailoring under this section, the Secretary:

(1) Use the tools, resources, and expertise of digital and innovation organizations resident in the Department, such as the Defense Innovation Board, the Defense Innovation Unit Experimental, the Defense Science Board, the Defense Digital Services, federally funded research and development centers, research laboratories, and other technical, management, and acquisition experts;

(2) Use the digital development and acquisition expertise of the General Services Administration’s Technology Transition Service, Office of 18F; and

(3) Leverage the science, technology, and innovation activities established pursuant to section 217 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114–92; 10 U.S.C. 2445a note).

Section 874: Software Development Pilot Program Using Agile Best Practices.

FY18 NDAA Section 874

SEC. 874. SOFTWARE DEVELOPMENT PILOT PROGRAM USING AGILE BEST PRACTICES.

(a) In General.—Not later than 30 days after the date of the enactment of this Act, the Secretary of Defense shall identify no fewer than four and up to eight software development activities within the Department of Defense or military departments to be developed in a pilot program using agile acquisition methods.

(b) Streamlined Processes.—Software development activities identified under subsection (a) shall be selected for the pilot program and developed without incorporation of the following contract or transaction requirements:

(1) Earned value management (EVM) or EVM-like reporting.

(2) Development of integrated master schedule.

(3) Development of integrated master plan.

(4) Development of technical requirement document.

(5) Development of systems requirement documents.

(6) Use of information technology infrastructure library agreements.

(7) Use of software development life cycle (methodology).

(c) Roles And Responsibilities.—

(1) IN GENERAL.—Selected activities shall include the following roles and responsibilities:

(A) A program manager that is authorized to make all programmatic decisions within the overarching activity objectives, including resources, funding, personnel, and contract or transaction termination recommendations.

(B) A product owner that reports directly to the program manager and is responsible for the overall design of the product, prioritization of roadmap elements and interpretation of their acceptance criteria, and prioritization of the list of all features desired in the product.

(C) An engineering lead that reports directly to the program manager and is responsible for the implementation and operation of the software.

(D) A design lead that reports directly to the program manager and is responsible for identifying, communicating, and visualizing user needs through a human-centered design process.

(2) QUALIFICATIONS.—The Secretary shall establish qualifications for personnel filling the positions described in paragraph (1) prior to their selection. The qualifications may not include a positive education requirement and must be based on technical expertise or experience in delivery of software products, including agile concepts.

(3) COORDINATION PLAN FOR TESTING AND CERTIFICATION ORGANIZATIONS.—The program manager shall ensure the availability of resources for test and certification organizations support of iterative development processes.

(d) Plan.—The Secretary of Defense shall develop a plan for each selected activity under the pilot program. The plan shall include the following elements:

(1) Definition of a product vision, identifying a succinct, clearly defined need the software will address.

(2) Definition of a product road map, outlining a noncontractual plan that identifies short-term and long-term product goals and specific technology solutions to help meet those goals and adjusts to mission and user needs at the product owner’s discretion.

(3) The use of a broad agency announcement, other transaction authority, or other rapid merit-based solicitation procedure.

(4) Identification of, and continuous engagement with, end users.

(5) Frequent and iterative end user validation of features and usability consistent with the principles outlined in the Digital Services Playbook of the U.S. Digital Service.

(6) Use of commercial best practices for advanced computing systems, including, where applicable—

(A) Automated testing, integration, and deployment;

(B) compliance with applicable commercial accessibility standards;

(C) capability to support modern versions of multiple, common web browsers;

(D) capability to be viewable across commonly used end user devices, including mobile devices; and

(E) built-in application monitoring.

(e) Program Schedule.—The Secretary shall ensure that each selected activity includes—

(1) award processes that take no longer than three months after a requirement is identified;

(2) planned frequent and iterative end user validation of implemented features and their usability;

(3) delivery of a functional prototype or minimally viable product in three months or less from award; and

(4) follow-on delivery of iterative development cycles no longer than four weeks apart, including security testing and configuration management as applicable.

(f) Oversight Metrics.—The Secretary shall ensure that the selected activities—

(1) use a modern tracking tool to execute requirements backlog tracking; and

(2) use agile development metrics that, at a minimum, track—

(A) pace of work accomplishment;

(B) completeness of scope of testing activities (such as code coverage, fault tolerance, and boundary testing);

(C) product quality attributes (such as major and minor defects and measures of key performance attributes and quality attributes);

(D) delivery progress relative to the current product roadmap; and

(E) goals for each iteration.

(g) Restrictions.—

(1) USE OF FUNDS.—No funds made available for the selected activities may be expended on estimation or evaluation using source lines of code methodologies.

(2) CONTRACT TYPES.—The Secretary of Defense may not use lowest price technically acceptable contracting methods or cost plus contracts to carry out selected activities under this section, and shall encourage the use of existing streamlined and flexible contracting arrangements.

(h) Reports.—

(1) SOFTWARE DEVELOPMENT ACTIVITY COMMENCEMENT.—

(A) IN GENERAL.—Not later than 30 days before the commencement of a software development activity under the pilot program under subsection (a), the Secretary shall submit to the congressional defense committees a report on the activity (in this subsection referred to as a “pilot activity”).

(B) ELEMENTS.—The report on a pilot activity under this paragraph shall set forth a description of the pilot activity, including the following information:

(i) The purpose of the pilot activity.

(ii) The duration of the pilot activity.

(iii) The efficiencies and benefits anticipated to accrue to the Government under the pilot program.

(2) SOFTWARE DEVELOPMENT ACTIVITY COMPLETION.—

(A) IN GENERAL.—Not later than 60 days after the completion of a pilot activity, the Secretary shall submit to the congressional defense committees a report on the pilot activity.

(B) ELEMENTS.—The report on a pilot activity under this paragraph shall include the following elements:

(i) A description of results of the pilot activity.

(ii) Such recommendations for legislative or administrative action as the Secretary considers appropriate in light of the pilot activity.

(i) Definitions.—In this section:

(1) AGILE ACQUISITION.—The term “agile acquisition” means acquisition using agile or iterative development.

(2) AGILE OR ITERATIVE DEVELOPMENT.—The term “agile or iterative development”, with respect to software—

(A) means acquisition pursuant to a method for delivering multiple, rapid, incremental capabilities to the user for operational use, evaluation, and feedback not exclusively linked to any single, proprietary method or process; and

(B) involves—

(i) the incremental development and fielding of capabilities, commonly called “spirals”, “spins”, or “sprints”, which can be measured in a few weeks or months; and

(ii) continuous participation and collaboration by users, testers, and requirements authorities.

FY18 NDAA Section 874 Conference Report

Software development pilot program using agile best practices (sec. 874)

The Senate amendment contained a provision (sec. 885) that would direct the Secretary of Defense to identify between four and eight software development activities within the Department of Defense or military departments and pilot the use of modern agile methods—to include open source approaches—as well as oversight metrics appropriate for agile development.

The House recedes with amendments that would adjust the Department’s responsibilities related to data rights and modify the definition of agile development. The conferees note that the Department of Defense’s warfighting, business, and enterprise capabilities are increasingly reliant on or driven by software and information technology.

The conferees note with concern that the Department is behind other federal agencies and industry in implementing best practices for acquisition of software and information technologies, to include agile and incremental development methods.

The conferees note that existing law and acquisition regulation provide significant flexibility to the Department and that the Department has explicitly provided for tailoring in its acquisition directives and instructions.

The conferees note with concern that the organizational culture and tradition of acquiring capabilities using a hardware-dominant approach impedes effective tailoring of acquisition approaches to incorporate agile and incremental development methods.

Therefore, the conferees expect that in conducting the program selection and tailoring under this section, the Secretary:

(1) use the tools, resources, and expertise of digital and innovation organizations resident in the Department, such as the Defense Innovation Board, the Defense Innovation Unit Experimental, the Defense Science Board, the Defense Digital Services, federally funded research and development centers, research laboratories, and other technical, management, and acquisition experts;

(2) use the digital development and acquisition expertise of the General Services Administration’s Technology Transition Service, Office of 18F; and

(3) leverage the science, technology, and innovation activities established pursuant to section 217 of the National Defense Authorization Act for Fiscal Year 2016 (Public Law 114–92; 10 U.S.C. 2445a note).

FY19 NDAA

Section 868: Implementation of Recommendations of the Final Report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems.

FY19 NDAA Section 868

SEC. 868. IMPLEMENTATION OF RECOMMENDATIONS OF THE FINAL REPORT OF THE DEFENSE SCIENCE BOARD TASK FORCE ON THE DESIGN AND ACQUISITION OF SOFTWARE FOR DEFENSE SYSTEMS.

(a) Implementation Required.—Not later than 18 months after the date of the enactment of this Act, the Secretary of Defense shall, except as provided under subsection (b), commence implementation of each recommendation submitted as part of the final report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems.

(b) Exceptions.—

(1) DELAYED IMPLEMENTATION.—The Secretary of Defense may commence implementation of a recommendation described under subsection (a) later than the date required under such subsection if the Secretary provides the congressional defense committees with a specific justification for the delay in implementation of such recommendation.

(2) NONIMPLEMENTATION.—The Secretary of Defense may opt not to implement a recommendation described under subsection (a) if the Secretary provides to the congressional defense committees—

(A) the reasons for the decision not to implement the recommendation; and

(B) a summary of the alternative actions the Secretary plans to take to address the purposes underlying the recommendation.

(c) Implementation Plans.—For each recommendation that the Secretary is implementing, or that the Secretary plans to implement, the Secretary shall submit to the congressional defense committees—

(1) a summary of actions that have been taken to implement the recommendation; and

(2) a schedule, with specific milestones, for completing the implementation of the recommendation.

FY19 NDAA Section 868 Conference Report

Implementation of recommendations of the final report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems (sec. 868)

The Senate amendment contained a provision (sec. 882) that would direct the Secretary of Defense to implement certain recommendations of the Defense Science Board Task Force in their report on the Design and Acquisition of Software for Defense Systems.

The House bill contained no similar provision.

The House recedes.

The conferees agree with the report’s emphasis on shifting the Department of Defense’s treatment of software as solely a development activity to understanding that it is enduring and that, therefore, traditional models of hardware sustainment are not suited to the treatment of software in the acquisition process. As the Department considers how each recommendation would be implemented, the conferees also encourage the Department to continue to engage the private sector for their best practices and views regarding sustainable software acquisition approaches.

Section 869: Implementation of Pilot Program to Use Agile or Iterative Development Methods Required Under Section 873 of the National Defense Authorization Act for Fiscal Year 2018.

FY19 NDAA Section 869

SEC. 869. IMPLEMENTATION OF PILOT PROGRAM TO USE AGILE OR ITERATIVE DEVELOPMENT METHODS REQUIRED UNDER SECTION 873 OF THE NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2018.

(a) In General.—Not later than 30 days after the date of the enactment of this Act, the Secretary of Defense shall include the following systems in the pilot program to use agile or iterative development methods pursuant to section 873 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 2223a note):

(1) Defense Retired and Annuitant Pay System 2 (DRAS2), Defense Logistics Agency.

(2) Army Integrated Air and Missile Defense (AIAMD), Army.

(3) Army Contract Writing System (ACWS), Army.

(4) Defense Enterprise Accounting and Management System (DEAMS) Inc2, Air Force.

(5) Item Master, Air Force.

(b) Additions To List.—Not later than 30 days after the date of the enactment of this Act, the Secretary of Defense shall identify three additional systems for participation in the pilot program pursuant to section 873 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 2223a note) and notify the congressional defense committees of the additions.

(c) Community Of Practice Advising On Agile Or Iterative Development.—The Under Secretary of Defense for Acquisition and Sustainment shall establish a Community of Practice on agile or iterative methods so that programs that have been incorporating agile or iterative methods can share with programs participating in the pilot the lessons learned, best practices, and recommendations for improvements to acquisition and supporting processes. The Service Acquisition Executives of the military departments shall send representation from the following programs, which have reported using agile or iterative methods:

(1) Air and Space Operations Center (AOC).

(2) Command Control Battle Management and Communications (C2BMC).

(3) The family of Distributed Common Ground Systems.

(4) The family of Global Command and Control Systems.

(5) Navy Personnel and Pay (NP2).

(6) Other programs and activities as appropriate.

(d) Report.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall report to the congressional defense committees on the status of the pilot program and each system participating in the pilot. The report shall include the following elements:

(1) A description of how cost and schedule estimates in support of the program are being conducted and using what methods.

(2) The contracting strategy and types of contracts that will be used in executing the program.

(3) A description of how intellectual property ownership issues associated with software applications developed with agile or iterative methods will be addressed to ensure future sustainment, maintenance, and upgrades to software applications after the applications are fielded.

(4) A description of the tools and software applications that are expected to be developed for the program and the costs and cost categories associated with each.

(5) A description of challenges the program has faced in realigning the program to use agile or iterative methods.

(e) Modifications To Pilot Program Selection Criteria.—Section 873(a)(3)(B) of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 2223a note) is amended—

(1) by inserting “or subsystems” after “In selecting systems”;

(2) in clause (i)(II), by striking “; and” and inserting “; or”; and

(3) in clause (ii)(II), by striking “; and” and inserting “; or”.

FY19 NDAA Section 869 Conference Report

Implementation of pilot program to use agile or iterative development methods required under section 873 of the National Defense Authorization Act for Fiscal Year 2018 (sec. 869)

The Senate amendment contained a provision (sec. 883) that would provide additional direction to the Secretary of Defense in implementing the pilot program established under section 873 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91).

The House bill contained no similar provision.

The House recedes with an amendment to the list of participating systems; an amendment to make criteria for selecting program participation more permissive; an amendment that directs the Under Secretary of Defense for Acquisition and Sustainment to establish a Community of Practice on agile or iterative methods and identifies programs that should contribute; and an amendment that directs the Secretary to report certain information on the progress of programs participating in the pilot.

The conferees expect the Department to attend to compliance with Section 873 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91). The conferees note that the adoption of agile or iterative methods remains a challenge for the Department of Defense, despite the fact that delivery of increments of useful capability no less frequently than every six months is not only a best practice for software-intensive systems but is also a government-wide requirement for such systems. Further, as the Department implements such methods, it is important to ensure good principles of management and oversight are incorporated. In particular, given how frequently programs should be delivering features, having insight to costs and capability delivered is critical to understanding risk and overall return on investment.

FY20 NDAA

Section 230: Policy on the Talent Management of Digital Expertise and Software Professionals.

FY20 NDAA Section 230

SEC. 230. POLICY ON THE TALENT MANAGEMENT OF DIGITAL EXPERTISE AND SOFTWARE PROFESSIONALS.

(a) POLICY.—

(1) IN GENERAL.—It shall be a policy of the Department of Defense to promote and maintain digital expertise and software development as core competencies of civilian and military workforces of the Department, and as a capability to support the National Defense Strategy, which policy shall be achieved by—

(A) the recruitment, development, and incentivization of retention in and to the civilian and military workforce of the Department of individuals with aptitude, experience, proficient expertise, or a combination thereof in digital expertise and software development;

(B) at the discretion of the Secretaries of the military departments, the development and maintenance of civilian and military career tracks related to digital expertise, and related digital competencies for members of the Armed Forces, including the development and maintenance of training, education, talent management, incentives, and promotion policies in support of members at all levels of such career tracks; and

(C) the development and application of appropriate readiness standards and metrics to measure and report on the overall capability, capacity, utilization, and readiness of digital engineering professionals to develop and deliver operational capabilities and employ modern business practices.

(2) DIGITAL ENGINEERING DEFINED.—For purposes of this section, the term ‘‘digital engineering’’ means the discipline and set of skills involved in the creation, processing, transmission, integration, and storage of digital data, including data science, machine learning, software engineering, software product management, and artificial intelligence product management.

(b) IMPLEMENTATION PLAN.—Not later than May 1, 2020, the Secretary of Defense shall submit to the Committees on Armed Services of the Senate and the House of Representatives a plan that describes how the Department of Defense will execute the policy described in subsection (a).

(c) RESPONSIBILITY.—

(1) APPOINTMENT OF OFFICER.—Not later than 270 days after the date of enactment of this Act, the Secretary of Defense may appoint a civilian official responsible for the development and implementation of the policy and implementation plan set forth in subsections (a) and (b), respectively. The official shall be known as the ‘‘Chief Digital Engineering Recruitment and Management Officer of the Department of Defense’’.

(2) EXPIRATION OF APPOINTMENT.—The appointment of the Officer under paragraph (1) shall expire on September 30, 2024.

FY20 NDAA Section 230 Conference Report

Policy on the talent management of digital expertise and software professionals (sec. 230)

The House amendment contained a provision (sec. 223) that would create a Chief Digital Engineering Recruitment and Management Officer at the Department of Defense responsible for promoting and maintaining digital expertise and software development as core competencies for civilian and military employees at the Department of Defense.

The Senate bill contained a similar provision (sec. 517).

The Senate recedes with an amendment that would authorize the Secretary of Defense to appoint a Chief Digital Engineering Recruitment and Management Officer. The amendment would also require an implementation plan describing how the Department of Defense will execute its policy to promote and maintain digital expertise and software development as core competencies of the civilian and military workforce.

The conferees encourage the Secretary of Defense to include in the implementation plan required by this section the following:

(1) An assessment of progress made in recruiting an individual to serve as the Chief Digital Engineering Recruitment and Management Officer;

(2) A timeline for implementation of the policy required by this section; and

(3) Recommendations for any legislative or administrative action needed to meet the requirements of this section.

Section 231: Digital Engineering Capability to Automate Testing and Evaluation

FY20 NDAA Section 231

SEC. 231. DIGITAL ENGINEERING CAPABILITY TO AUTOMATE TESTING AND EVALUATION.

(a) DIGITAL ENGINEERING CAPABILITY.— (1) IN GENERAL.—The Secretary of Defense shall establish a digital engineering capability to be used—
(A) for the development and deployment of digital engineering models for use in the defense acquisition process; and
(B) to provide testing infrastructure and software to support automated approaches for testing, evaluation, and deployment throughout the defense acquisition process.
(2) REQUIREMENTS.—The capability developed under subsection (a) shall meet the following requirements:
(A) The capability will be accessible to, and useable by, individuals throughout the Department of Defense who have responsibilities relating to capability design, development, testing, evaluation, and operation.
(B) The capability will provide for the development, validation, use, curation, and maintenance of technically accurate digital systems, models of systems, subsystems, and their components, at the appropriate level of fidelity to ensure that test activities adequately simulate the environment in which a system will be deployed.
(C) The capability will include software to automate testing throughout the program life cycle, including to satisfy developmental test requirements and operational test requirements. Such software may be developed in accordance with the authorities provided under section 800, and shall support—
(i) security testing that includes vulnerability scanning and penetration testing performed by individuals, including threat-based red team exploitations and assessments with zero-trust assumptions; and
(ii) high-confidence distribution of software to the field on a time-bound, repeatable, frequent, and iterative basis.
(b) DEMONSTRATION ACTIVITIES.— (1) IN GENERAL.—In developing the capability required under subsection (a), the Secretary of Defense shall carry out activities to demonstrate digital engineering approaches to automated testing that—
(A) enable continuous software development and delivery;
(B) satisfy developmental test requirements for the software-intensive programs of the Department of Defense; and
(C) satisfy operational test and evaluation requirements for such programs.
(2) PROGRAM SELECTION.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall assess and select not fewer than four and not more than ten programs of the Department of Defense to participate in the demonstration activities under paragraph (1), including—
(A) at least one program participating in the pilot program authorized under section 873 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 10 U.S.C. 2223a note);
(B) at least one program participating in the pilot program authorized under section 874 of such Act (Public Law 115–91; 10 U.S.C. 2302 note);
(C) at least one major defense acquisition program (as defined in section 2430 of title 10, United States Code);
(D) at least one command and control program;
(E) at least one defense business system (as defined in section 2222(i) of title 10, United States Code); and
(F) at least one program from each military service.
(3) ADDITIONAL REQUIREMENTS.—As part of the demonstration activities under paragraph (1), the Secretary shall—
(A) conduct a comparative analysis that assesses the risks and benefits of the digital engineering supported automated testing approaches of the programs participating in the demonstration activities relative to traditional testing approaches that are not supported by digital engineering;
(B) ensure that the intellectual property strategy for each of the programs participating in the demonstration activities is best aligned to meet the goals of the program; and
(C) develop a workforce and infrastructure plan to support any new policies and guidance implemented in connection with the demonstration activities, including any policies and guidance implemented after the completion of such activities.
(c) POLICIES AND GUIDANCE REQUIRED.—Not later than one year after the date of the enactment of this Act, based on the results of the demonstration activities carried out under subsection (b), the Secretary of Defense shall issue or modify policies and guidance to—
(1) promote the use of digital engineering capabilities for development and for automated testing; and
(2) address roles, responsibilities, and procedures relating to such capabilities.
(d) STEERING COMMITTEE.—
(1) IN GENERAL.—The Secretary of Defense shall establish a steering committee to assist the Secretary in carrying out subsections (a) through (c).
(2) MEMBERSHIP.—The steering committee shall be composed of the following members or their designees:
(A) The Under Secretary of Defense for Research and Engineering.
(B) The Under Secretary of Defense for Acquisition and Sustainment.
(C) The Chief Information Officer.
(D) The Director of Operational Test and Evaluation.
(E) The Director of Cost Assessment and Program Evaluation.
(F) The Service Acquisition Executives.
(G) The Service testing commands.
(H) The Director of the Defense Digital Service.
(e) REPORTS REQUIRED.—
(1) IMPLEMENTATION.—Not later than March 15, 2020, the Secretary of Defense shall submit to the congressional defense committees a report on the progress of the Secretary in implementing subsections (a) through (c). The report shall include an explanation of how the results of the demonstration activities carried out under subsection (b) will be incorporated into the policy and guidance required under subsection (c), particularly the policy and guidance of the members of the steering committee established under subsection (d).
(2) LEGISLATIVE RECOMMENDATIONS.—Not later than October 15, 2020, the Secretary of Defense shall provide to the congressional defense committees a briefing that identifies any changes to existing law that may be necessary to facilitate the implementation of subsections (a) through (c).
(f) INDEPENDENT ASSESSMENT.—
(1) IN GENERAL.—Not later than March 15, 2021, the Defense Innovation Board and the Defense Science Board shall jointly complete an independent assessment of the progress of the Secretary in implementing subsections (a) through (c). The Secretary of Defense shall ensure that the Defense Innovation Board and the Defense Science Board have access to the resources, data, and information necessary to complete the assessment.
(2) INFORMATION TO CONGRESS.—Not later than 30 days after the date on which the assessment under paragraph (1) is completed, the Defense Innovation Board and the Defense Science Board shall jointly provide to the congressional defense committees—
(A) a report summarizing the assessment; and
(B) a briefing on the findings of the assessment.

FY20 NDAA Section 231 Conference Report

Digital engineering capability to automate testing and evaluation (sec. 231)

The House amendment contained a provision (sec. 224) that would direct the Under Secretary of Defense for Research and Engineering and the Director of Operational Test and Evaluation to establish a digital engineering capability to serve as the foundation for automated approaches to software testing and evaluation and to establish a pilot to demonstrate whether such testing could satisfy developmental and operational test requirements; that would direct associated changes to policies and guidance for both efforts; and that would require an initial report regarding these activities to be submitted to the congressional defense committees not later than 90 days after enactment.

The Senate bill contained no similar provision.

The Senate recedes with amendments that would further elaborate the governance process and that would further define the scope of the demonstration and selection of programs to participate, as well as clarifying amendments to the roles and responsibilities of officials and organizations and technical amendments to the reporting requirements.

The conferees believe that establishing a digital engineering capability is critical to accelerating the adoption of best practices in the use of software to model and simulate complex system behavior to assess potential effects of proposed hardware or software engineering changes on system performance. Further, the conferees note the significant potential value of digital engineering capability for automating developmental and operational test and evaluation, and especially where a weapon or business system is software-defined and is developed using agile or secure continuous development/continuous delivery methods.

Section 255: Department-Wide Software Science and Technology Strategy.

FY20 NDAA Section 255

SEC. 255. DEPARTMENT-WIDE SOFTWARE SCIENCE AND TECHNOLOGY STRATEGY.
(a) DESIGNATION OF SENIOR OFFICIAL.—Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense, acting through the Under Secretary of Defense for Research and Engineering and in consultation with the Under Secretary of Defense for Acquisition and Sustainment and appropriate public and private sector organizations, shall designate a single official or existing entity within the Department of Defense as the official or entity (as the case may be) with principal responsibility for guiding the development of science and technology activities related to next generation software and software reliant systems for the Department, including—
(1) research and development activities on new technologies for the creation of highly secure, scalable, reliable, time-sensitive, and mission-critical software;
(2) research and development activities on new approaches and tools to software development and deployment, testing, integration, and next generation software management tools to support the rapid insertion of such software into defense systems;
(3) foundational scientific research activities to support advances in software;
(4) technical workforce and infrastructure to support defense science and technology and software needs and mission requirements;
(5) providing capabilities, including technologies, systems, and technical expertise to support improved acquisition of software reliant business and warfighting systems; and
(6) providing capabilities, including technologies, systems, and technical expertise to support defense operational missions which are reliant on software.
(b) DEVELOPMENT OF STRATEGY.—The official or entity designated under subsection (a) shall develop a Department-wide strategy for the research and development of next generation software and software reliant systems for the Department of Defense, including strategies for—
(1) types of software-related activities within the science and technology portfolio of the Department;
(2) investment in new approaches to software development and deployment, and next generation management tools;
(3) ongoing research and other support of academic, commercial, and development community efforts to innovate the software development, engineering, and testing process, automated testing, assurance and certification for safety and mission critical systems, large scale deployment, and sustainment;
(4) to the extent practicable, implementing or continuing the implementation of the recommendations set forth in—
(A) the final report of the Defense Innovation Board submitted to the congressional defense committees under section 872 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115–91; 131 Stat. 1497);
(B) the final report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems described in section 868 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232; 10 U.S.C. 2223 note); and
(C) other relevant studies on software research, development, and acquisition activities of the Department of Defense.
(5) supporting the acquisition, technology development, testing, assurance, and certification and operational needs of the Department through the development of capabilities, including personnel and research and production infrastructure, and programs in—
(A) the science and technology reinvention laboratories (as designated under section 1105 of the National Defense Authorization Act for Fiscal Year 2010 (Public Law 111–84; 10 U.S.C. 2358 note));
(B) the facilities of the Major Range and Test Facility Base (as defined in section 2358a(f)(3) of title 10, United States Code);
(C) the Defense Advanced Research Projects Agency; and
(D) universities, federally funded research and development centers, and service organizations with activities in software engineering; and
(6) the transition of relevant capabilities and technologies to relevant programs of the Department, including software-reliant cyber-physical systems, tactical systems, enterprise systems, and business systems.
(c) SUBMITTAL TO CONGRESS.—Not later than one year after the date of the enactment of this Act, the official or entity designated under subsection (a) shall submit to the congressional defense committees the strategy developed under subsection (b).

FY20 NDAA Section 255 Conference Report

Department-wide software science and technology strategy (sec. 255)

The House amendment contained a provision (sec. 234) that would require the Secretary of Defense, acting through the Under Secretary of Defense for Research and Engineering, to designate a senior official or existing entity within the Department of Defense with the principal responsibility for guiding the direction of research and development for next generation software and software intensive systems for the Department. This provision would also require that the designated senior official or entity develop a strategy for research and development of the next generation software and software intensive systems and submit the strategy to the congressional defense committees not later than 1 year after the date of the enactment of this Act.

The Senate bill contained no similar provision.

The Senate recedes with an amendment that would expand the scope of the activities assigned under a senior official and associated scope of the strategy, to include foundational research, technical workforce and infrastructure, software acquisition, and software dependent missions; and further an amendment that would expand the strategy to incorporate activities in certain organizations to include universities, federally funded research and development centers and other entities.

Section 800: Authority for continuous integration and delivery of software applications and upgrades to embedded systems.

FY20 NDAA Section 800

Sec. 800: Authority for continuous integration and delivery of software applications and upgrades to embedded systems.

(a) SOFTWARE ACQUISITION AND DEVELOPMENT PATHWAYS.— The Secretary of Defense shall establish pathways as described under subsection (b) to provide for the efficient and effective acquisition, development, integration, and timely delivery of secure software. Such a pathway shall include the following:

(1) USE OF PROVEN TECHNOLOGIES AND SOLUTIONS.—A pathway established under this section shall provide for the use of proven technologies and solutions to continuously engineer and deliver capabilities in software. 

(2) USE OF AUTHORITY.—In using the authority under this section, the Secretary shall consider how such use will—

(A) initiate the engineering of new software capabilities quickly;

(B) demonstrate the viability and effectiveness of such capabilities for operational use not later than one year after the date on which funds are first obligated to acquire or develop software; and

(C) allow for the continuous updating and delivery of new capabilities not less frequently than annually to iteratively meet a requirement.

(3) TREATMENT NOT AS MAJOR DEFENSE ACQUISITION PROGRAM.—Software acquired or developed using the authority under this section shall not be treated as a major defense acquisition program for purposes of section 2430 of title 10, United States Code, or Department of Defense Directive 5000.01 without the specific direction of the Under Secretary of Defense for Acquisition and Sustainment or a Senior Acquisition Executive.

(4) RISK-BASED APPROACH.—The Secretary of Defense shall use a risk-based approach for the consideration of innovative technologies and new capabilities for software to be acquired or developed under this authority to meet needs communicated by the Joint Chiefs of Staff and the combatant commanders.

(b) PATHWAYS.—The Secretary of Defense may establish as many pathways as the Secretary determines appropriate and shall establish the following pathways:

(1) APPLICATIONS.—The applications software acquisition pathway shall provide for the use of rapid development and implementation of applications and other software or software improvements operated by the Department of Defense, which may include applications running on commercial commodity hardware (including modified hardware) and commercially available cloud computing platforms.

(2) EMBEDDED SYSTEMS.—The embedded systems software acquisition pathway shall provide for the rapid development and insertion of upgrades and improvements for software embedded in weapon systems and other military-unique hardware systems. 

(c) EXPEDITED PROCESS.—

(1) IN GENERAL.—A pathway established under subsection (a) shall provide for—

(A) a streamlined and coordinated requirements, budget, and acquisition process to support rapid fielding of software applications and of software upgrades to embedded systems for operational use in a period of not more than one year from the time that the process is initiated;

(B) the collection of data on software fielded; and

(C) continuous engagement with the users of software to support engineering activities, and to support delivery of software for operational use in periods of not more than one year.

(2) EXPEDITED SOFTWARE REQUIREMENTS PROCESS.—

(A) INAPPLICABILITY OF JOINT CAPABILITIES INTEGRATION AND DEVELOPMENT SYSTEM (JCIDS) MANUAL.—Software acquisition or development conducted under the authority of this section shall not be subject to the Joint Capabilities Integration and Development System Manual, except pursuant to a modified process specifically provided for the acquisition or development of software by the Vice Chairman of the Joint Chiefs of Staff, in consultation with Under Secretary of Defense for Acquisition and Sustainment and each service acquisition executive (as defined in section 101(a)(10) of title 10, United States Code).

(B) INAPPLICABILITY OF DEFENSE ACQUISITION SYSTEM DIRECTIVE.—Software acquisition or development conducted under the authority of this section shall not be subject to Department of Defense Directive 5000.01, except when specifically provided for the acquisition or development of software by the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the Vice Chairman of the Joint Chiefs of Staff and each service acquisition executive.

(d) ELEMENTS.—In implementing a pathway established under the authority of this section, the Secretary shall tailor requirements relating to—

(1) iterative development of requirements for software to be acquired or developed under the authority of this section through engagement with the user community and through the use of operational user feedback, in order to continuously define and update priorities for such requirements;

(2) early identification of the warfighter or user need, including the rationale for how software capabilities will support increased lethality and efficiency, and identification of a relevant user community;

(3) initial contract requirements and format, including the use of summary-level lists of problems and shortcomings in existing software and desired features or capabilities of new or upgraded software;

(4) continuous refinement and prioritization of contract requirements through use of evolutionary processes, informed by continuous engagement with operational users throughout the development and implementation period;

(5) continuous consideration of issues related to lifecycle costs, technical data rights, and systems interoperability;

(6) planning for support of software capabilities in cases where the software developer may stop supporting the software;

(7) rapid contracting procedures, including expedited timeframes for making awards, selecting contract types, defining teaming arrangements, and defining options;

(8) program execution processes, including supporting development and test infrastructure, automation and tools, digital engineering, data collection and sharing with Department of Defense oversight organizations and with Congress, the role of developmental and operational testing activities, key decision making and oversight events, and supporting processes and activities (such as independent costing activity, operational demonstration, and performance metrics);

(9) assurances that cybersecurity metrics of the software to be acquired or developed, such as metrics relating to the density of vulnerabilities within the code of such software, the time from vulnerability identification to patch availability, the existence of common weaknesses within such code, and other cybersecurity metrics based on widely-recognized standards and industry best practices, are generated and made available to the Department of Defense and the congressional defense committees;

(10) administrative procedures, including procedures related to who may initiate and approve an acquisition under this authority, the roles and responsibilities of the implementing project or product teams and supporting activities, team selection and staffing process, governance and oversight roles and responsibilities, and appropriate independent technology assessments, testing, and cost estimation (including relevant thresholds or designation criteria);

(11) mechanisms and waivers designed to ensure flexibility in the implementation of a pathway under this section, including the use of other transaction authority, broad agency announcements, and other procedures; and

(12) mechanisms the Secretary will use for appropriate reporting to Congress on the use of this authority, including notice of initiation of the use of a pathway and data regarding individual programs or acquisition activities, how acquisition activities are reflected in budget justification materials or requests to reprogram appropriated funds, and compliance with other reporting requirements.

(e) GUIDANCE REQUIRED.—

(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall issue initial guidance to implement the requirements of this section.

(2) LIMITATION.—If the Secretary of Defense has not issued final guidance to implement the requirements of this section before October 1, 2021, the Secretary may not use the authority under this section— 

(A) to establish a new pathway to acquire or develop software; or

(B) to continue activities to acquire or develop software using a pathway established under initial guidance described in paragraph (1).

(f) REPORT.—

(1) IN GENERAL.—Not later than October 15, 2020, the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the secretaries of the military departments and other appropriate officials, shall report on the use of the authority under this section using the initial guidance issued under subsection (d).

(2) ELEMENTS.—The report required under paragraph (1) shall include the following elements:

(A) The final guidance required by subsection (d)(2), including a description of the treatment of use of the authority that was initiated before such final guidance was issued.

(B) A summary of how the authority under this section has been used, including a list of the cost estimate, schedule for development, testing and delivery, and key management risks for each initiative conducted pursuant to such authority.

(C) Accomplishments from and challenges to using the authority under this section, including organizational, cultural, talent, infrastructure, testing, and training considerations.

(D) Recommendations for legislative changes to the authority under this section.

(E) Recommendations for regulatory changes to the authority under this section to promote effective development and deployment of software acquired or developed under this section.

FY20 NDAA Section 800 Conference Report

Authority for continuous integration and delivery of software applications and upgrades to embedded systems (sec. 800)

The Senate bill contained a provision (sec. 852) that would require the Secretary of Defense to establish initial guidance, not later than 180 days after the enactment of this Act, authorizing the use of special pathways for the rapid acquisition of software applications and upgrades that are intended to be fielded within 1 year. These new pathways would prioritize continuous integration and delivery of working software in a secure manner and prioritize continuous oversight from automated analytics.

The House amendment contained a similar provision (sec. 801).

The House recedes with amendments that would modify the timeline for developing the guidance; allow for the use of one or more pathways; clarify that first fielding of capability for operational use shall occur within one year of the date funds are first obligated for software development; and direct a report on use of the authority and recommendations for any changes to statute by October 15, 2020.

The conferees commend the Under Secretary of Defense for Acquisition and Sustainment’s commitment to adopting the recommendations of the Defense Innovation Board. The conferees emphasize that the ability to deliver meaningful capability for operational use within one year is foundational to the establishment of this authority and associated procedures.

The conferees remind the Department that delivery of increments of useful software capability no less frequently than every six months is not only a best practice for software-intensive systems but it has also been a standing government-wide requirement for years. Overcoming the Department’s institutional and cultural resistance to delivering in a year or less requires ruthless prioritization of features, which hinges on more effective cooperation among stakeholders. The conferees also believe that cost estimation and assessment and program evaluation methods are critical to well-informed program oversight, and note that, for software initiatives, such approaches remain nascent. The conferees therefore direct the Director, Cost Assessment and Program Evaluation, in coordination with the Defense Digital Service and the directors of developmental test and operational test and evaluation, to incorporate lessons learned from the implementation of sections 873 and 874 of the National Defense Authorization Act for Fiscal Year 2018, and sections 215 and 869 of the National Defense Authorization Act for Fiscal Year 2019 in the development of guidance and oversight procedures for managing, estimating, and assessing software programs. First, the conferees remind the Department of flexibility already written into its directive and instruction that the milestone decision authority and program managers “shall tailor program strategies and oversight, including documentation of program information, acquisition phases, the timing and scope of decision reviews, and decision levels, to fit the particular conditions of that program, consistent with applicable laws and regulations and the time sensitivity of the capability need.” Accordingly, the conferees also remind the Department that the use of source lines of code, or “SLOC”, to estimate or to measure productivity, is inadequate, inappropriate, and can be detrimental in incentivizing bad code design. As such, the conferees encourage the Department to implement the recommendations on software metrics in the Defense Innovation Board Software Acquisition and Practices Study. Finally, the conferees request a briefing no later than March 30, 2020 from the Joint Staff on how the JCIDS process can be updated to accommodate more flexibility given the iterative and ever-changing nature of present-day acquisition of software.

FY21 NDAA

Section 834: Pilot Program on the Use of Consumption-Based Solutions to Address Software-Intensive Warfighting Capability.

FY21 NDAA Section 834

SEC. 834. PILOT PROGRAM ON THE USE OF CONSUMPTION-BASED SOLUTIONS TO ADDRESS SOFTWARE-INTENSIVE WARFIGHTING CAPABILITY.

(a) In General.–Subject to the availability of appropriations, the Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability.

(b) Selection of Initiatives.–Each Secretary of a military department and each commander of a combatant command with acquisition authority shall propose for selection by the Secretary of Defense for the pilot program at least one and not more than three initiatives that are well-suited to explore consumption-based solutions, to include addressing software-intensive warfighting capability. The initiatives may be new or existing programs of record, and may include applications that–

(1) rapidly analyze sensor data;

(2) secure warfighter networks, including multilevel security;

(3) swiftly transport information across various networks and network modalities;

(4) enable joint all-domain operational concepts, including in a contested environment; or

(5) advance military capabilities and effectiveness.

(c) Requirements.–A contract or other agreement for consumption-based solutions entered into under the pilot program shall require–

(1) the effectiveness of the solution to be measurable at regular intervals customary for the type of solution provided under contract or other agreement; and

(2) that the awardee notify the Secretary of Defense when consumption under the contract or other agreement reaches 75 percent and 90 percent of the funded amount, respectively, of the contract or other agreement.

(d) Exemption.–A modification to a contract or other agreement entered into under this section to add new features or capabilities in an amount less than or equal to 25 percent of the total value of such contract or other agreement shall be exempt from the requirements of full and open competition (as defined in section 2302 of title 10, United States Code).

(e) Duration.–The duration of a contract or other agreement entered into under this section may not exceed three years.

(f) Monitoring and Evaluation of Pilot Program.–The Director of Cost Assessment and Program Evaluation shall continuously monitor and evaluate the pilot program, including by collecting data on cost, schedule, and performance from the program office, the user community, and the awardees involved in the program.

(g) Reports.–

(1) Initial report.–Not later than May 15, 2021, the Secretary of Defense shall submit to the congressional defense committees a report on initiatives selected for the pilot program, roles, and responsibilities for implementing the program, and the monitoring and evaluation approach that will be used for the program.

(2) Progress report.–Not later than October 15, 2021, the Secretary of Defense shall submit to the congressional defense committees a report on the progress of the initiatives selected for the pilot program.

(3) Final report.–Not later than 3 years after the date of the enactment of this Act, the Secretary of Defense shall submit to the congressional defense committees a report on the cost, schedule, and performance outcomes of the initiatives carried out under the pilot program. The report shall also include lessons learned about the use of consumption-based solutions for software-intensive capabilities and any recommendations for statutory or regulatory changes to facilitate the use of such solutions.

(h) Consumption-based Solution Defined.–In this section, the term “consumption-based solution” means any combination of software, hardware or equipment, and labor or services that provides a seamless capability that is metered and billed based on actual usage and predetermined pricing per resource unit, and includes the ability to rapidly scale capacity up or down.

FY21 NDAA Section 834 Conference Report

Pilot program on the use of consumption-based solutions to address software-intensive warfighting capability (sec. 834)

The Senate amendment contained a provision (sec. 884) that would direct the Secretary of Defense to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability, including criteria for selecting initiatives for the pilot, direction on certain contracting elements, requirements for monitoring pilot activities, and a series of congressional reporting requirements.

The House bill contained no similar provision.

The House recedes with an amendment that would expand the pilot criteria to include military applications beyond software and that would delay the reporting dates.

The conferees believe that the Department of Defense should take advantage of “as-a-service” or “aaS” approaches in commercial capability development, particularly where the capability is software-defined and cloud-enabled. The conferees note that, in its final report, the Section 809 Panel on Streamlining and Codifying Acquisition recommended the adoption of consumption-based approaches at the Department of Defense, stating, “More things will be sold as a service in the future. XaaS could really mean everything in the context of the Internet of things (IoT). Consumption-based solutions are appearing in many industry sectors, from last mile transportation (e.g., bike shares and electric scooters) to agriculture (e.g., tractor-as-a-service for farmers in developing countries). Most smart phone users are familiar with software updates that provide bug fixes or new features. A more extreme example of technology innovation enabled by the IoT is the ability to deliver physical performance improvements to vehicles through over-the-air software updates . . . In the not-so-distant future, cloud computing and the IoT will enable consumption-based solution offerings and delivery models that are hard to imagine today.” Therefore, the conferees support the Department of Defense’s commitment to new approaches to development and acquisition of software, and believe that the Department should explore a variety of approaches, to include the use of consumption-based solutions for software-intensive warfighting capability.

The conferees expect that, in conducting activities under the pilot program established in this section, the Department will consider the use of the Adaptive Acquisition Framework’s Software pathway.

Section 835: Balancing Security and Innovation in Software Development and Acquisition.

FY21 NDAA Section 835

SEC. 835. BALANCING SECURITY AND INNOVATION IN SOFTWARE DEVELOPMENT AND ACQUISITION.

(a) Requirements for Solicitations of Commercial and Developmental Solutions.–The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop requirements for appropriate software security criteria to be included in solicitations for commercial and developmental solutions and the evaluation of bids submitted in response to such solicitations, including a delineation of what processes were or will be used for a secure software development life cycle. Such requirements shall include–

(1) establishment and enforcement of secure coding practices;

(2) management of supply chain risks and third-party software sources and component risks;

(3) security of the software development environment;

(4) secure deployment, configuration, and installation processes; and

(5) an associated vulnerability management plan and identification of tools that will be applied to achieve an appropriate level of security.

(b) Security Review of Code.–The Under Secretary of Defense for Acquisition and Sustainment, in coordination with the Chief Information Officer of the Department of Defense, shall develop–

(1) procedures for the security review of code; and

(2) other procedures necessary to fully implement the pilot program required under section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91; 10 U.S.C. 2223 note).

(c) Coordination With Cybersecurity Acquisition Policy Efforts.–The Under Secretary of Defense for Acquisition and Sustainment shall develop the requirements and procedures described under subsections (a) and (b) in coordination with the efforts of the Department of Defense to develop new cybersecurity and program protection policies and guidance that are focused on cybersecurity in the context of acquisition and program management and on safeguarding information.

FY21 NDAA Section 835 Conference Report

Balancing security and innovation in software development and acquisition (sec. 835)

The Senate amendment contained a provision (sec. 882) that would require the Under Secretary of Defense for Acquisition and Sustainment to incorporate certain considerations while finalizing the interim policy for a software acquisition pathway as part of the Department of Defense’s new Adaptive Acquisition Framework.

The House bill contained no similar provision.

The House recedes with an amendment that would modify the considerations, as well as which of the Department’s policies would need to incorporate such considerations.

The conferees recognize the growing importance of assuring the security of software and determining the provenance of code and the risks posed by reliance–whether known or inadvertent–on code produced by or within adversary nations.

The conferees are also concerned about the Department’s non-compliance with section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91). Section 875 required the Department to implement an Office of Management and Budget pilot relating to open source software due to significant potential benefits to the Department, to include improved performance. The conferees note that the Department has cited security concerns in connection with openly publishing certain code. The conferees further note that there is no comprehensive Department-wide process for conducting security reviews of code or parts of code and that the National Security Agency, which should have similar security concerns to the Department as a whole, has such a process for the purpose of maximizing appropriate public release.

The conferees encourage the Department to pursue the appropriate balance of innovation and security in developing, acquiring, and maintaining software.

The conferees further direct the Under Secretary of Defense for Acquisition and Sustainment and the Department of Defense Chief Information Officer to develop a roadmap with milestones that will enable the Department to require and effectively manage the submission by contractors of a software bill of materials.

Finally, the conferees direct the Under Secretary of Defense for Acquisition and Sustainment to update the Department’s policy defining a Software Pathway to more clearly demonstrate compliance with the portions of section 800 of the National Defense Authorization for Fiscal Year 2020 (Public Law 116-92) to: (1) Ensure applicability to defense business systems as defined by section 2222 of title 10, United States Code; and (2) Provide for delivery of capability to end-users not later than 1 year after funds are obligated noting that other Government-wide policy and best practices call for updates no less frequently than once every 6 months.


Senate Committee Report 116-236 Accompanying S. 4049


Balancing security and innovation in software development and acquisition (sec. 882)

The committee recommends a provision that would require the Under Secretary of Defense for Acquisition and Sustainment to incorporate certain considerations while finalizing the interim software policy for a software acquisition pathway as part of the Department of Defense’s (DOD’s) new Adaptive Acquisition Framework.

The committee recognizes the growing importance of assuring the security of software and determining the provenance of code and the risks posed by reliance–whether known or inadvertent–on code produced by or within adversary nations.

The committee is also concerned about DOD’s non-compliance with section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91), which required the Department to implement an Office of Management and Budget pilot relating to open source software due to significant potential benefits to the Department, to include improved performance. The committee notes that the Department has cited security concerns in connection with openly publishing certain code. The committee further notes that there is no comprehensive Department-wide process for conducting security reviews of code or parts of code and that the National Security Agency, which should have similar security concerns to the Department as a whole, has such a process for the purpose of maximizing appropriate public release.

The committee encourages the Department to pursue the appropriate balance of innovation and security in developing, acquiring, and maintaining software.

The committee further directs the Under Secretary and the Department of Defense Chief Information Officer to develop a roadmap with milestones that will enable the Department to require and effectively manage the submission by contractors of a software bill of materials.

Finally, the committee reminds the Department that section 800 of the National Defense Authorization for Fiscal Year 2020 (Public Law 116-92) required that the Department’s software policy provide for delivery of capability to end-users no later than 1 year after funds are obligated and that other government-wide policy and best practices call for updates no less frequently than once every 6 months.

Section 838: Comptroller General Report on Implementation of Software Acquisition Reforms.

FY21 NDAA Section 838

SEC. 838. COMPTROLLER GENERAL REPORT ON IMPLEMENTATION OF SOFTWARE ACQUISITION REFORMS.

(a) Report Required.–Not later than March 15, 2021, the Comptroller General of the United States shall brief the congressional defense committees on the implementation by the Secretary of Defense of required acquisition reforms with respect to acquiring software for weapon systems, business systems, and other activities that are part of the defense acquisition system, with one or more reports based on such briefing to be submitted to such committees, as jointly determined by such committees and the Comptroller General.

(b) Elements.–The briefing and any reports required under subsection (a) shall include an assessment of the extent to which the Secretary of Defense has–

(1) implemented the recommendations set forth in–

(A) the final report of the Defense Innovation Board submitted to the congressional defense committees under section 872 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91; 131 Stat. 1497);

(B) the final report of the Defense Science Board Task Force on the Design and Acquisition of Software for Defense Systems described in section 868 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115-232; 132 Stat. 1902; 10 U.S.C. 2223a note); and

(C) other relevant studies on software research, development, and acquisition activities of the Department of Defense;

(2) carried out software acquisition activities, including programs required under–

(A) section 2322a of title 10, United States Code; and

(B) section 875 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91; 131 Stat. 1503; 10 U.S.C. 2223 note);

(3) used the authority provided under section 800 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116-92; 133 Stat. 1478; 10 U.S.C. 2223a); and

(4) carried out software acquisition pilot programs, including pilot programs required under sections 873 and 874 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91; 10 U.S.C. 2223a note; 10 U.S.C. 2302 note).

(c) Assessment of Acquisition Policy, Guidance, and Practices.–Each report required under subsection (a) shall include an assessment of the extent to which the software acquisition policy, guidance, and practices of the Department of Defense reflect implementation of–

(1) relevant recommendations from software studies and pilot programs; and

(2) directives from the congressional defense committees.

(d) Defense Acquisition System Defined.–In this section, the term “defense acquisition system” has the meaning given that term in section 2545(2) of title 10, United States Code.

FY21 NDAA Section 838 Conference Report

Comptroller General report on implementation of software acquisition reforms (sec. 838)

The Senate amendment contained a provision (sec. 832) that would require the Comptroller General of the United States to assess the extent to which the Department of Defense has implemented various reforms related to the acquisition of software for weapon systems, business systems, and other activities that are part of the defense acquisition system, and that would direct certain changes to a separate Comptroller General annual assessment.

The House bill contained no similar provision.

The House recedes with an amendment that would strike the modification of requirements for a separate Comptroller General assessment of selected acquisition programs and initiatives, as that item is addressed elsewhere in this Act.

The conferees note that the Defense Science Board and Defense Innovation Board have produced substantial studies with significant recommendations for reform and that the committee has itself produced numerous provisions in prior National Defense Authorization Acts related to the reform of software acquisition. The conferees further note the Department’s commitment to implementing these reforms.


Senate Committee Report 116-236 Accompanying S. 4049


Comptroller General report on implementation of software acquisition reforms (sec. 832)

The committee recommends a provision that would require the Comptroller General of the United States to assess the extent to which the Department of Defense has implemented various reforms related to the acquisition of software for weapon systems, business systems, and other activities that are part of the defense acquisition system. The committee notes that the Defense Science Board and Defense Innovation Board have produced substantial studies with significant recommendations for reform and that the committee has itself produced numerous provisions in prior National Defense Authorization Acts related to the reform of software acquisition. The committee further notes the Department’s commitment to implementing these reforms.

The Comptroller General would brief the committee by March 15, 2021, and scope follow-on work accordingly.

The provision would also make certain modifications to the Comptroller General’s annual assessment of selected acquisition programs and initiatives.