Sec. 800: Authority for continuous integration and delivery of software applications and upgrades to embedded systems.
(a) SOFTWARE ACQUISITION AND DEVELOPMENT PATHWAYS.—The Secretary of Defense shall establish pathways as described under subsection (b) to provide for the efficient and effective acquisition, development, integration, and timely delivery of secure software. Such a pathway shall include the following:
(1) USE OF PROVEN TECHNOLOGIES AND SOLUTIONS.—A pathway established under this section shall provide for the use of proven technologies and solutions to continuously engineer and deliver capabilities in software.
(2) USE OF AUTHORITY.—In using the authority under this section, the Secretary shall consider how such use will—
(A) initiate the engineering of new software capabilities quickly;
(B) demonstrate the viability and effectiveness of such capabilities for operational use not later than one year after the date on which funds are first obligated to acquire or develop software; and
(C) allow for the continuous updating and delivery of new capabilities not less frequently than annually to iteratively meet a requirement.
(3) TREATMENT NOT AS MAJOR DEFENSE ACQUISITION PROGRAM.—Software acquired or developed using the authority under this section shall not be treated as a major defense acquisition program for purposes of section 2430 of title 10, United States Code, or Department of Defense Directive 5000.01 without the specific direction of the Under Secretary of Defense for Acquisition and Sustainment or a Senior Acquisition Executive.
(4) RISK-BASED APPROACH.—The Secretary of Defense shall use a risk-based approach for the consideration of innovative technologies and new capabilities for software to be acquired or developed under this authority to meet needs communicated by the Joint Chiefs of Staff and the combatant commanders.
(b) PATHWAYS.—The Secretary of Defense may establish as many pathways as the Secretary determines appropriate and shall establish the following pathways:
(1) APPLICATIONS.—The applications software acquisition pathway shall provide for the use of rapid development and implementation of applications and other software or software improvements operated by the Department of Defense, which may include applications running on commercial commodity hardware (including modified hardware) and commercially available cloud computing platforms.
(2) EMBEDDED SYSTEMS.—The embedded systems software acquisition pathway shall provide for the rapid development and insertion of upgrades and improvements for software embedded in weapon systems and other military-unique hardware systems.
(c) EXPEDITED PROCESS.—
(1) IN GENERAL.—A pathway established under subsection (a) shall provide for—
(A) a streamlined and coordinated requirements, budget, and acquisition process to support rapid fielding of software applications and of software upgrades to embedded systems for operational use in a period of not more than one year from the time that the process is initiated;
(B) the collection of data on software fielded; and
(C) continuous engagement with the users of software to support engineering activities, and to support delivery of software for operational use in periods of not more than one year.
(2) EXPEDITED SOFTWARE REQUIREMENTS PROCESS.—
(A) INAPPLICABILITY OF JOINT CAPABILITIES INTEGRATION AND DEVELOPMENT SYSTEM (JCIDS) MANUAL.—Software acquisition or development conducted under the authority of this section shall not be subject to the Joint Capabilities Integration and Development System Manual, except pursuant to a modified process specifically provided for the acquisition or development of software by the Vice Chairman of the Joint Chiefs of Staff, in consultation with Under Secretary of Defense for Acquisition and Sustainment and each service acquisition executive (as defined in section 101(a)(10) of title 10, United States Code).
(B) INAPPLICABILITY OF DEFENSE ACQUISITION SYSTEM DIRECTIVE.—Software acquisition or development conducted under the authority of this section shall not be subject to Department of Defense Directive 5000.01, except when specifically provided for the acquisition or development of software by the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the Vice Chairman of the Joint Chiefs of Staff and each service acquisition executive.
(d) ELEMENTS.—In implementing a pathway established under the authority of this section, the Secretary shall tailor requirements relating to—
(1) iterative development of requirements for software to be acquired or developed under the authority of this section through engagement with the user community and through the use of operational user feedback, in order to continuously define and update priorities for such requirements;
(2) early identification of the warfighter or user need, including the rationale for how software capabilities will support increased lethality and efficiency, and identification of a relevant user community;
(3) initial contract requirements and format, including the use of summary-level lists of problems and shortcomings in existing software and desired features or capabilities of new or upgraded software;
(4) continuous refinement and prioritization of contract requirements through use of evolutionary processes, informed by continuous engagement with operational users throughout the development and implementation period;
(5) continuous consideration of issues related to lifecycle costs, technical data rights, and systems interoperability;
(6) planning for support of software capabilities in cases where the software developer may stop supporting the software;
(7) rapid contracting procedures, including expedited timeframes for making awards, selecting contract types, defining teaming arrangements, and defining options;
(8) program execution processes, including supporting development and test infrastructure, automation and tools, digital engineering, data collection and sharing with Department of Defense oversight organizations and with Congress, the role of developmental and operational testing activities, key decision making and oversight events, and supporting processes and activities (such as independent costing activity, operational demonstration, and performance metrics);
(9) assurances that cybersecurity metrics of the software to be acquired or developed, such as metrics relating to the density of vulnerabilities within the code of such software, the time from vulnerability identification to patch availability, the existence of common weaknesses within such code, and other cybersecurity metrics based on widely-recognized standards and industry best practices, are generated and made available to the Department of Defense and the congressional defense committees;
(10) administrative procedures, including procedures related to who may initiate and approve an acquisition under this authority, the roles and responsibilities of the implementing project or product teams and supporting activities, team selection and staffing process, governance and oversight roles and responsibilities, and appropriate independent technology assessments, testing, and cost estimation (including relevant thresholds or designation criteria);
(11) mechanisms and waivers designed to ensure flexibility in the implementation of a pathway under this section, including the use of other transaction authority, broad agency announcements, and other procedures; and
(12) mechanisms the Secretary will use for appropriate reporting to Congress on the use of this authority, including notice of initiation of the use of a pathway and data regarding individual programs or acquisition activities, how acquisition activities are reflected in budget justification materials or requests to reprogram appropriated funds, and compliance with other reporting requirements.
(e) GUIDANCE REQUIRED.—
(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Defense shall issue initial guidance to implement the requirements of this section.
(2) LIMITATION.—If the Secretary of Defense has not issued final guidance to implement the requirements of this section before October 1, 2021, the Secretary may not use the authority under this section—
(A) to establish a new pathway to acquire or develop software; or
(B) to continue activities to acquire or develop software using a pathway established under initial guidance described in paragraph (1).
(f) REPORT.—
(1) IN GENERAL.—Not later than October 15, 2020, the Under Secretary of Defense for Acquisition and Sustainment, in consultation with the secretaries of the military departments and other appropriate officials, shall report on the use of the authority under this section using the initial guidance issued under subsection (d).
(2) ELEMENTS.—The report required under paragraph (1) shall include the following elements:
(A) The final guidance required by subsection (d)(2), including a description of the treatment of use of the authority that was initiated before such final guidance was issued.
(B) A summary of how the authority under this section has been used, including a list of the cost estimate, schedule for development, testing and delivery, and key management risks for each initiative conducted pursuant to such authority.
(C) Accomplishments from and challenges to using the authority under this section, including organizational, cultural, talent, infrastructure, testing, and training considerations.
(D) Recommendations for legislative changes to the authority under this section.
(E) Recommendations for regulatory changes to the authority under this section to promote effective development and deployment of software acquired or developed under this section.
Authority for continuous integration and delivery of software applications and upgrades to embedded systems (sec. 800)
The Senate bill contained a provision (sec. 852) that would require the Secretary of Defense to establish initial guidance, not later than 180 days after the enactment of this Act, authorizing the use of special pathways for the rapid acquisition of software applications and upgrades that are intended to be fielded within 1 year. These new pathways would prioritize continuous integration and delivery of working software in a secure manner and prioritize continuous oversight from automated analytics.
The House amendment contained a similar provision (sec. 801). The House recedes with amendments that would modify the timeline for developing the guidance; allow for the use of one or more pathways; clarify that first fielding of capability for operational use shall occur within one year of the date funds are first obligated for software development; and direct a report on use of the authority and recommendations for any changes to statute by October 15, 2020.
The conferees commend the Under Secretary of Defense for Acquisition and Sustainment’s commitment to adopting the recommendations of the Defense Innovation Board. The conferees emphasize that the ability to deliver meaningful capability for operational use within one year is foundational to the establishment of this authority and associated procedures.
The conferees remind the Department that delivery of increments of useful software capability no less frequently than every six months is not only a best practice for software-intensive systems but it has also been a standing government-wide requirement for years. Overcoming the Department’s institutional and cultural resistance to delivering in a year or less requires ruthless prioritization of features, which hinges on more effective cooperation among stakeholders. The conferees also believe that cost estimation and assessment and program evaluation methods are critical to well-informed program oversight, and note that, for software initiatives, such approaches remain nascent. The conferees therefore direct the Director, Cost Assessment and Program Evaluation, in coordination with the Defense Digital Service and the directors of developmental test and operational test and evaluation, to incorporate lessons learned from the implementation of sections 873 and 874 of the National Defense Authorization Act for Fiscal Year 2018, and sections 215 and 869 of the National Defense Authorization Act for Fiscal Year 2019 in the development of guidance and oversight procedures for managing, estimating, and assessing software programs. First, the conferees remind the Department of flexibility already written into its directive and instruction that the milestone decision authority and program managers “shall tailor program strategies and oversight, including documentation of program information, acquisition phases, the timing and scope of decision reviews, and decision levels, to fit the particular conditions of that program, consistent with applicable laws and regulations and the time sensitivity of the capability need.” Accordingly, the conferees also remind the Department that the use of source lines of code, or “SLOC”, to estimate or to measure productivity, is inadequate, inappropriate, and can be detrimental in incentivizing bad code design. As such, the conferees encourage the Department to implement the recommendations on software metrics in the Defense Innovation Board Software Acquisition and Practices Study. Finally, the conferees request a briefing no later than March 30, 2020 from the Joint Staff on how the JCIDS process can be updated to accommodate more flexibility given the iterative and ever-changing nature of present-day acquisition of software.