dod’s software acquisition pathway acquisition...2 #1 recommendation: establish a new software...
TRANSCRIPT
DoD’s Software Acquisition PathwayDigital Delivery at the Speed of Relevance
DAU West - Let’s Talk Agile6 Jan 2020
Sean BradyDoD Senior Lead for SW Acq
USD(A&S)/Acq Enablers
1
https://aaf.dau.edu/aaf/software/
• …prioritize speed of delivery, continuous adaptation, and frequent modular upgrades.
• The Department must change. The United States must have the ability to update our systems rapidly.
• Speed & Cycle time matter. Faster is more reliable. More Secure. Faster is possible.
Urgency to Modernize
2#1 recommendation: establish a new software acquisition pathway(s)
Congressional Direction to Modernize
3
Sec 800 Software
Pathway and CI/CD Acq
Process
Sec 862 Software
Training, Mgmt, Certification and
Proficiency
Sec 255 Software S&T
Strategy
Sec 230 Digital Talent Mgmt, Career
Tracks, Competencies
Sec 256 AI Education
Strategy, Competencies
and Skills
Sec 231 Digital
Engineering to Automate T&E
Software Engineering Legislative Ecosystem
Clear Signal: Digitalization of the DoD Workforce is a National Security Issue
DODI 5000.87
• 2nd priority: “do everything I can to insert speed into the processes inside the Pentagon.”
• Biggest thing we have to do in acquisition
allow people to take risk
give them the authority and responsibility
• the process that we have for building SW is horrible.
Gen Hyten - Vice Chairman of the Joint Chiefs of Staff
| 4 |https://www.csis.org/events/conversation-general-john-hyten-vice-chairman-joint-chiefs-staff
“What keeps me up at night is not North Korea, but that the U.S. has lost it’s ability to go fast.”- Gen Hyten as STRATCOM Commander at AFA in 2017
Key Elements of SW Acquisition Pathway
5
Source: DODI 5000.02 Section 4.2
• Modern SW development practices
• Human-centered design
• Active, committed user engagement
• Enterprise services/platforms
• Rapid and iterative deliveries
• Gov’t-industry software teams
• Automated tools
Establish two pathways to provide for the efficient and effective acquisition, development, integration, and timely delivery of secure software
Applications and Embedded Systems
• Software programs shall not be treated as an MDAP• Exempt from JCIDS (unless VCJCS, A&S, SAEs agree on new process)• Streamline SW requirements, budget, acquisition processes• Demonstrate viability and effectiveness of capabilities for
operational use within one year after funds first obligated
FY20 NDAA Section 800
6https://www.congress.gov/bill/116th-congress/senate-bill/1790/text
Focuses on understanding the users’ and systems’ needs and planning the approach to deliver capabilities to meet those needs
Key Artifacts• Capability Needs Statement• User Agreement• Program Strategies• Cost Estimate
Planning Phase
8https://aaf.dau.edu/aaf/software/planning-phase/
A high-level capture of need with enough information to define the software solution space and consider the threat environment.
• Sponsor and Requirements Manager ID operational software capabilities needed
• Draft CNS to start the Software Pathway
• Refine during Planning Phase and approve prior to entry into Execution Phase
Capabilities Needs Statement (CNS)
9
Clear Understanding of What is Needed
https://aaf.dau.edu/aaf/software/user-engagement/ Draft CNS Template
A&S Acquisition Enablers shop collaborating with Components to encourage adoption of flexible and streamlined requirement processes for the SWP.
Evolving Software “Requirements”
10
Draft CNSOperations
Strategic
Warfighter
Periodic updates
Active user engagement
Roadmap
BacklogsMVP MVCR Release 2 Release n
Evolving Mission, Adoption, Performance, Threats, Priorities, Tech
Dynamic requirements process that regularly
updates planned features and designs based on
active feedback loop from regular releases, user
feedback, and changing environments
Agreement between the operational and acquisition communities to ensure active user involvement and informed decision making.
User Agreement
11
Establish Strong Ties to Users from Start
• Ensure proper resourcing of user involvement to support development
• Commit to active user involvement throughout design and development during planning phase
• Signed by sponsor, PMO prior to entry into Execution Phase
https://aaf.dau.edu/aaf/software/user-engagement/ Draft UA Template
• Product Roadmap
Develop summary of planned releases over time
Create backlogs
• Active User Engagements
Understand ops environment, user feedback
• Develop and Deliver Software
Small, frequent releases to operations
Deliver MVP and MVCR within a year
Use Ent Services, DevSecOps pipeline
Engage T&E, Cyber, and Product Support
• Track metrics; Assess value to users
Execution Phase – Key Activities
12
Continuous improvement of designs, services,
strategies, processes, and capability deliveries to
maximize mission impact.
https://aaf.dau.edu/aaf/software/execution/
DevSecOps Reference Design Pillars
13
“preferred software practice for all DoD components to deliver at speed of relevance” – DoD CIO, USD(A&S)
DoD Enterprise DevSecOps Reference Design
DevSecOps MaturityVery Difficult to Adopt – Requires time - $
14
Monolithic Architecture, Manual Processes
Agile, Microservices, Test Driven Development
Continuous Integration
DevOps
DevSecOps
Continuous ATO(cATO)
End to end cycle time – Design to Delivery
Iterative with Hybrid or SOA Monolithic Architectures
Dev
SecO
ps M
atur
ity
High
Low
Shift Cybersecurity Left
Continuous ATO (cATO) enables bug and security fixes in minutes instead of months to years and provides rapid deployment of critical capabilities to the war fighter at the speed of relevance.
Agile
DevOps
DevSecOps
Continuous MonitoringTelemetry Capture
Service MeshSecure Containers
Ado
ptio
n C
halle
nge
DifficultSignificant investment
of time, effort and tools are required to achieve
high DevSecOpsmaturity
Brady Stark Smith Triangle of DSO Success
Contracting Considerations
15
Instead of a single monolithic contract for Software solution dev…
Portfolio of contracts of leveraging Modular
Contracting*
*FAR 39.103
Example Modular Contracting Strategy
Contract Strategies
Agile S/W Dev Team(s) (Services)
FAR 8.4, FAR 12, FAR 13.5, FAR 16.5
Microservice Solutions(Tools)
FAR 8.4, FAR 12, FAR 13.5, FAR 16.5
DevSecOps-aaS(Manage CI/CD Pipeline)
FAR 8.4, FAR 12, FAR 13.5, FAR 16.5
Platform-aaS(CI/CD Pipeline)
FAR 16.5, BOAs (i.e., Platform One)
Infrastructure-aaS(Cloud solution)
FAR 16.5 (i.e., Cloud One, AWS GovCloud)
Agile S/W Dev Contracts(may have separate contracts for each dev team)
Objective: Support small, frequent releases, respond to change, consider programmatic
risks, and program scope/objectives
• Tailored acquisition processes for software development
• No formal milestones – Delegated decision authorities
• Exempt from JCIDS (unless VCJCS, A&S, SAEs agree on new process)
• Streamlined reviews and documentation – No MDAPs
• Leverages enterprise services and not “rebuilding the factory” for every program
• Program tailoring and flexibility for Services/Agencies
Benefits of Software Acquisition Pathway
16
Software Acquisition Pathway and DevSecOps provide the framework that prioritizes speed and adaptability to win a future fight
AAF Website: https://aaf.dau.edu/aaf/software/SW Pathway CoI: https://www.milsuite.mil/book/groups/sw-pathway-community-of-interest
Insight Metrics for Reporting: https://www.milsuite.mil/book/docs/DOC-892770A&S mailbox for notification: [email protected]
Join our CoP Newsletter: https://www.acq.osd.mil/ae/#/acquisition-approaches-managementTeams: teams.microsoft.com/l/team/19%3a4ceb92fba85a4ab9b248955098812c29%40thread.skype/conversations?groupId=fc5b5c84-
8e04-4cd0-bb62-5da79812a39b&tenantId=21acfbb3-32be-4715-9025-1e2f015cbbe9
Sean BradyDoD Senior Lead for SW Acq
USD(A&S)/Acq [email protected]
17
Stay Engaged
OSD’s Software Acquisition Team is here to ENABLE
your success.
ENABLE programs to deliver balancing SPEED with RIGOR
What’s Next
18
• Data Reporting Governance
• Continual Evolution of Guidance and Templates
• Continue to attack strategic and program pain points
• Community Engagement
• Evolve vignettes to guide programs and strategies
https://aaf.dau.edu/aaf/software/19
Software Acquisition Pathway on AAF Website
Integrated policies, guidance, and resources
Welcome your inputs, feedback,
and questions.
Adding FAQs and new guidance
soon.
Backup Slides
20
21
Notional Metrics for Programs
Goal Question Notional MetricsValue Is the program providing value to the users
commensurate with the cost and schedule?• ROI• Demonstrated time savings to execute a
mission process• Reduced burden on warfighter• Demonstrated cost savings
Scale Has the program implemented technical enablers necessary to continually deliver modern, responsive solutions, at scale, in a predictable manner?
• Scale of Automation and Transformation• % of product lines w/ build automation; %
of tests-cases automated• Architecture-related?
Product Performance Is the program able to maintain product stability and quality at acceptable levels for the user?Is the program able to meet key performance and quality attributes?
• MTTR, Deployment Failure Rate • Stability and Reliability• Software Maturity (defect backlog)
Product Delivery and Engineering Responsiveness
Is the program able to deliver capability quickly and continually to the warfighter at the speed of relevance?
• Delivery Speed and Cadence (throughput)• Lead time; Deployment frequency • Planned, delivered and deferred
features/capabilities (and priorities)
Business Ops Responsiveness
Is the program’s business operations responsive to change?
Cultural Responsiveness
Does culture eat your strategy for breakfast? Does the program culture and operating model support agility?
Cyber Resilience Is the program baking cybersecurity in and enabling continuous monitoring? Is the program able to rapidly address vulnerabilities, and roll back or fail forward?
• Cybersecurity (time to patch vulnerabilities; time to achieve ATO)
Program-Specific Goals & Risks
Idiosyncratic/contextual Idiosyncratic/contextual
22
Notional Outcomes and Key Results to achieve Better Software Faster
Demonstrate the following outcomes:• value and performance delivered to operational users (warfighting effectiveness)• operationally effective, suitable, and survivable for use• timely release of user prioritized capability needs• operational monitoring of all critical functionality• cyber event monitoring and detection• rapid and effective response to operational outage• rapid and effective response to cyber-attack• early and continuous user involvement and feedback• speed & increasing velocity for releases to operations (or operationally relevant
environment)• continual quality improvements• interoperability• reuse
FY20 NDAA Section 800 (f)
5 specific concerns for
Report to Congress.
17 questions developed by
OSD necessary to address the 5
goals
Provide the necessary data to
answer the 17 questions
GQM Alignment
Goals5
Questions17
Measures10 categories
40 atomic elements
23Reporting Metrics - Pathway 1.2(l):Programs using this pathway shall report a minimal set of data to OUSD (A&S) on a semi-annual basis
SWP Reporting – Enable Data Driven Decisions
24
SWP Goal: measuring performance of the SWP• MAXIMIZE SWP Insight to improve it and
reduce bureaucracy • MINIMZE the burden on programs
Entering the Planning Phase
ADM signed by DA Draft CNS
Entering the Execution Phase
Capability Needs Statement User Agreement
Acquisition Strategy Cybersecurity Strategy
Test Strategy IP Strategy
Product Support Strategy Information Support Plan
Program Cost Estimate and ICE CARD
During the Execution Phase
System Architecture Product Roadmap
Program Backlogs Strategy Updates
CARD/Cost Estimate Updates Value Assessment
Metrics and Reporting
Information Requirements
25See details at: https://aaf.dau.edu/aaf/software/develop-strategies/
Balance speed with rigor – Focus on SW over extensive docs
SW Delivery at the Speed of Relevance?
IDEA
“We could be changing software every day as a
necessary factor for winning.”
26
New Way?
Old way?
The threat of the same-old, same-old pace is real. And the
result is the U.S. is losing its technical edge to great-power
competitors like China.
Key Changes – Interim to
27ENABLE programs to deliver balancing SPEED with RIGOR
• Broke out Applications vs Embedded paths as directed by FY20 NDAA Clarified timelines on demonstrating capabilities for applications vs embedded SW.
• Updated for iterative planning emphasis/expectations & new graphic; clarified: key elements, iterative approach; integration of requirements, strategies, user engagement
• Services/Agencies no longer send ADM to USD(A&S), simply notify intended use, then report data bi-annually to monitor effectiveness of pathway
• Refined and enhanced details on core strategies (Acquisition, IP, Test, and Product Support) along with cybersecurity
• Added 1 additional business artifact for execution phase entry: Test Strategy (in addition to UA, CNS, AS, and ICE)
• Tenants: Restrained DODI to provide the Services/Agencies maximum FLEXIBILITY to implement at
their level; will work with services to shape their policies and procedures. Constrained policy to avoid overly prescribing procedures (e.g. implementing requirements;
how to delegate; documentation) Value Assessment introduces private sector like rigor to inform pivot or persevere decision Scaling adoption with frequent small-batch guidance best practices & lessons learned
I. Entry requirements
ADM 1---
(at PW Entry)
ADM 2DB---
(at 60 days in)
The DA will document the decision and rationale for a program to use the software acquisition pathway in an acquisition decision memorandum. (Pathway 3.1.c) • The Services will not provide the ADM directly to A&S.• They are required to provide notification to A&S via email to AAM
team - specified in guidance.ADM 1
Programs using the software acquisition pathway will be identified in component and DoD program lists and databases within 60 calendar days of initiating the planning phase in accordance with DoD’s implementation of Section 913 of Public Law 115-91 on acquisition data analysis. (Pathway 3.2.b(5))
CAPE will conduct an ICE for programs using the software acquisition pathway likely to exceed ACAT I or II thresholds before the program enters the execution phase (EP). (DoDI 5000.73)
DB
ADM 2
Requirements related to notification of Pathway use:
28
Adaptive Acquisition Framework
29https://aaf.dau.edu/
A set of acquisition pathways to enable the workforce to tailor strategies to deliver better solutions faster.
AAF Tenets• Simplify Acquisition Policy• Tailor Acquisition Approaches• Empower Program Managers• Conduct Data Driven Analysis• Actively Manage Risk• Emphasize Sustainment
Application Path
Rapid development and deployment of software running on commercial hardware (including modified hardware) and cloud computing platforms.
Embedded Software Path
Rapid development and insertion of upgrades and improvements for software embedded in weapon systems and other military-unique hardware systems.
Two Paths within Software Acq Pathway
30
• Spectrum of FAR and Non-FAR strategies• Common applications, pros/cons, comparison, resources• Filters strategies to explore for SW Dev, IT Services, IT HW, etc.
Contracting Cone
31https://aaf.dau.edu/contracting-cone/
Key Players in Software Acquisition Pathway
32
Sponsor
User Community
Decision Authority
Development Teams
ArchitectsEngineers
T&ECybersecurityContractingCost/BFMProduct Support
Product Owner Program Manager
Integrated Teams Across Operations and Acquisition; Government and Vendors; All Functions and Levels
IPT
Major Capability Acquisition
PlanningPhase
S1 S2…
MVP MVCR Rn
Sn Sn SnExecution Phase
< 1 year
Software Acquisition
CDD Capability NeedsStatement
Dynamic Backlogsof User Stories
Acquisition, Contracting, and Test Strategies Acquisition, Contracting, Test Strategies
MVCR Release n Release n+1
ADM to Use SW Pathway
User Agreement
Identify and Secure Funding
S: Sponsor/UsersPM: Program ManagerDA: Decision AuthoritySE: Systems EngineerTE: TestCON: Contracting OfficerFM: Financial Management
S
S, PM
PM, CON, SE, TEPM, CON, SE, TE
PM, SE, TE
DA
S, PM, FM
S, PM, SE, TES
ADM to BeginExecute Phase
DA
1: Upgrading a Weapon System
MaterialSolutionsAnalysis
TechnologyMaturation and Risk Reduction
Engineering and ManufacturingDevelopment
Production and
Deployment
MDD MS A MS B MS C IOC FOC
MVP
Program FundingS, PM, FM
4: Weapon System w/HW&SW DevelopmentMajor Capability Acquisition
PlanningPhase
S1 S2…
MVP MVCR Rn
Sn Sn SnExecution Phase
< 1 year
Software Acquisition
CDD
Capability NeedsStatement
Dynamic Backlogsof User Stories
Acquisition, Contracting, and Test Strategies
MVCR Release n Release n+1
ADM to Use SW Pathway
User Agreement
S: Sponsor/UsersPM: Program ManagerDA: Decision AuthoritySE: Systems EngineerTE: TestCON: Contracting OfficerFM: Financial Management
S
S, PM
PM, CON, SE, TE
DA
S, PM, SE, TE
S
ADM to BeginExecute Phase
DA
MaterialSolutionsAnalysis
TechnologyMaturation and Risk Reduction
Engineering and ManufacturingDevelopment
Production and
Deployment
MDD MS A MS B MS C IOC FOC
MVP
Identify and Secure FundingS, PM, FM
Design, Develop, and Produce HardwarePM, SE, TE
• The initial cost estimate must be completed prior to entry into the execution phase and must be updated annually
• Cost estimates are tailored for uniqueaspects of software development
• CAPE ICE required for software programs over ACAT II threshold
• Cost estimates consider the content of the CNS, strategies, and enterprise services in planning and integrate the roadmap, backlogs, and cost actuals throughout development phase
• Where applicable, cost and software data reporting, to include software resources data reports, must be submitted
Cost Estimate
35
Critical to the success of software development to ensure delivered software address their priority needs
• Understand their needs and operational environment• Solicit their feedback on MVPs, designs, developments
Active User Engagements
36
Plan For Enterprise Services and DevSecOps Pipeline (Software Factory)
37
People + Process + Tools = DSO Ecosystem• Well-balanced Ecosystem & skilled workforce: path to DSO enlightenment• Keystones: Culture and Continuous improvement Test Driven Development & Frequent Small Batch Delivery Evolutionary Architecture must support frequent deliveries/interoperability Refactoring and pay down technical debt
Secure Software & Cyber Security Plan
38
• The Sec in DevSecOps is baked into the planning, architecture and design, and embedded throughout the entire process
• DevSecOps shifts Cybersecurity to the left; true risk managed process• Cybersecurity risk is continuously scanned, evaluated & monitored –
yields accessible, automated artifacts enabling continuous ATO
DevSecOps Success: Value@Scale
39
Stark Brady Smith Trijoined Triangles of DSO Success
Delivery Throughput = [Lead Time] + [Deployment Frequency]
Value[Failed Deployments] +
[Value to User]
Scale[Mean Time To Recover] +
[% deployed to fleet]
DevSecOps BS DETECTOR:Broken
Value/Availability/Delivery
“Enough prototyping already. How do we buy at scale?”- GEN Hyten, VCJCS
Approximating Commercial Industry
40
“… the thread that runs through all of our programs and all that we do is software and I believe that we need to catch up with the
private sector …” USD(A&S), HON Ellen Lord
People
Process & Tech
Policy
Software is eating the world
Culture eats strategy for breakfast
Set the conditions to unleash DSO
41
There is no spoon. There is no prioritization of regulatory bureaucracy and procedural bottlenecks either.
We must not accept cumbersome approval chains, wasteful
applications of resources in uncompetitive space, or overly
risk-averse thinking that impedes change.
National Defense Strategy
There is no spoon in the SW ACQ pathway.
Air Force’s Agility Prime Flying Car
Army’s Artificial Intelligence for Maneuver and Mobility, or AIMM
https://www.army.mil/article/236733/army_researchers_augment_combat_vehicles_with_ai
Army’s Leader Follower Autonomous Vehicle Program
Navy’s Medium Displacement Unmanned Surface Vehicle (MDUSV)
Navy’s X-47B Unmanned Combat Air System
Air Force’s XQ-58A Valkyrie Attritable Combat Drone
https://www.northropgrumman.com/what-we-do/air/x-47b-ucas/
https://www.autonews.com/shift/military-working-make-its-autonomous-technology-smarter