1

Introduction

This report focuses on three key areas—agility,¹ assurance, and incentives—where the committee believes the Department of Defense (DoD) can dramatically improve its approach to the development of software-intensive systems. What follows expands on these three key themes and pays particular attention to how some commercial off-the-shelf (COTS) developers manage to achieve relatively high levels of agility and assurance when compared to DoD programs,² and the differences in incentives that need to be taken into account for adapting lessons learned from the COTS world to the DoD context.

The committee discussed developments in the application of machine learning (ML) and artificial intelligence (AI) to software development and found that ML/AI is an important area of rapid progress that could easily justify a separate study. Consistent with the statement of task, most of this report focuses on other areas that contribute to assurance and agility, but the report also includes a discussion of progress and issues in the application of ML/AI to software development.

___________________

¹ Although the statement of task refers to “nimbleness,” this report uses the term agility, which is widely accepted in the world of commercial software and online services where agile or nimble software development is in fact practiced.

² As an example of challenges with Department of Defense (DoD) software, the 2018 Government Accountability Office (GAO) report Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities stated that “testers playing the role of adversary were able to take control of systems relatively easily and operate largely undetected.”

Through its work, the committeed identified the following key findings that underpin the discussions and recommendations that follow in the report.

Finding 1: DoD established a “software pathway” for acquisition intended to streamline and expedite development and delivery of software capabilities through iterative development, agile principles, and streamlined requirements.³ The Secretary of Defense’s memorandum mandating the software pathway⁴ highlights the criticality of enhancing software assurance and agility—DoD cannot afford to fail in this endeavor. DoD must make changes to support successful adoption of the software pathway. By adapting proven industry practices for achieving agility and combining industry practices with the results of Defense Advanced Research Projects Agency (DARPA)-sponsored research in assurance, DoD has an opportunity to make radical improvements in software that is critical to the warfighter.

Finding 2: Wide adoption of the software pathway will lead to significant improvements in the agility of DoD software systems. Adherence to the software pathway will require flexibility in budgeting and contracting well beyond traditional DoD acquisition practice. Flexible contracting mechanisms, and in particular the Other Transaction Authority (OTA), can be critical to enabling agility in DoD software programs. The use and benefits of OTA are discussed in Chapter 4, “Incentives,” in the subsection “Contracts and Acquisitions.”

Finding 3: Software agility and assurance are complementary and many practices contribute to both. Both rely on a well-designed architecture that supports change and evolution. Both require that one integrate and move testing and assessment as far “left” in the development cycle as possible to catch errors and flaws at the point where it is easiest to fix them. And both are most effective when the development pipeline leverages automation.

Finding 4: Formal verification (also known as formal methods) has matured to the point where it is not only viable for (at least) critical software components to provide the highest levels of assurance, but also that commercial software developers have found that when done well, formal verification can make software development more agile.

___________________

³ DoD, 2020, “Operation of the Software Acquisition Pathway,” DoD Instruction 5000.87, October 2, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/500087p.PDF.

⁴ P. Hegseth, 2025, “Directing Modern Software Acquisition to Maximize Lethality,” https://media.defense.gov/2025/Mar/07/2003662943/-1/-1/1/directing-modern-software-acquisition-to-maximize-lethality.pdf.

Finding 5: DoD systems often face challenges well beyond what commercial providers must address. Assurance needs are much more stringent, not only because of the life- and-death context, or the real-time constraints of flight controls and weapons systems, but because adversaries will actively seek to break and disrupt these systems. But unlike COTS software, which is exposed to hostile attack from the Internet on a daily basis, DoD systems may operate for years before being deployed in combat and exposed to adversary attack.

ORGANIZATION OF THE REPORT

Chapters 2, 3, and 4 address the topics of agility, assurance, and incentives respectively. Each of these chapters includes the committee’s related findings and recommendations. Chapter 5 addresses trends and issues in the application of AI/ML to software development. Chapter 6 provides a brief high-level summary of the findings presented in this report.