DoD’s Software Acquisition Pathway: Digital Delivery at the Speed of Relevance
Sean Brady, DoD Senior Lead for SW Acq, Acquisition Enablers, USD(A&S)
Bob Skertic, IT/SW/DSO Academy Learning Director, DAU South, Defense Acquisition University
https://aaf.dau.edu/aaf/software/
DevSecOps Maturity: Very Difficult to Adopt – Requires time - $

[Figure: DevSecOps maturity chart. Axis labels: DevSecOps Maturity (Low to High); Adoption Challenge; End to end cycle time – Design to Delivery. Stage labels: Monolithic Architecture, Manual Processes; Iterative with Hybrid or SOA Monolithic Architectures; Agile, Microservices, Test Driven Development; Continuous Integration; DevOps; DevSecOps; Continuous ATO (cATO). Other labels: Shift Cybersecurity Left; Continuous Monitoring, Telemetry Capture; Service Mesh, Secure Containers.]

Continuous ATO (cATO) enables bug and security fixes in minutes instead of months to years and provides rapid deployment of critical capabilities to the war fighter at the speed of relevance.

Difficult: Significant investment of time, effort and tools is required to achieve high DevSecOps maturity.

Brady Stark Smith Triangle of DSO Success
Contracting Considerations

Instead of a single monolithic contract for a software solution: a portfolio of contracts using Modular Contracting*
*FAR 39.103

Example Modular Contracting Strategy
Contract Strategies

Agile S/W Dev Team(s) (Services): FAR 8.4, FAR 12, FAR 13.5, FAR 16.5
Microservice Solutions (Tools): FAR 8.4, FAR 12, FAR 13.5, FAR 16.5
DevSecOps-aaS (Manage CI/CD Pipeline): FAR 8.4, FAR 12, FAR 13.5, FAR 16.5
Platform-aaS (CI/CD Pipeline): FAR 16.5, BOAs (i.e., Platform One)
Infrastructure-aaS (Cloud solution): FAR 16.5 (i.e., Cloud One, AWS GovCloud)

Agile Software Dev Contracts (may have separate contracts for each dev team)
Objective: Support small, frequent releases, respond to change, consider programmatic

• Spectrum of FAR and Non-FAR strategies
• Common applications, pros/cons, comparison, resources
• Filters strategies to explore for SW Dev, IT Services, IT HW, etc.
Goal / Question / Notional Metrics

Goal: Value
Question: Is the program providing value to the users commensurate with the cost and schedule?
Notional Metrics:
• ROI
• Demonstrated time savings to execute a mission process
• Reduced burden on warfighter
• Demonstrated cost savings

Goal: Scale
Question: Has the program implemented technical enablers necessary to continually deliver modern, responsive solutions, at scale, in a predictable manner?
Notional Metrics:
• Scale of Automation and Transformation
• % of product lines w/ build automation; % of tests-cases automated
• Architecture-related?

Goal: Product Performance
Question: Is the program able to maintain product stability and quality at acceptable levels for the user? Is the program able to meet key performance and quality attributes?

Question: Is the program able to deliver capability quickly and continually to the warfighter at the speed of relevance?
Notional Metrics:
• Delivery Speed and Cadence (throughput)
• Lead time; Deployment frequency
• Planned, delivered and deferred features/capabilities (and priorities)

Goal: Business Ops Responsiveness
Question: Is the program’s business operations responsive to change?

Goal: Cultural Responsiveness
Question: Does culture eat your strategy for breakfast? Does the program culture and operating model support agility?

Goal: Cyber Resilience
Question: Is the program baking cybersecurity in and enabling continuous monitoring? Is the program able to rapidly address vulnerabilities, and roll back or fail forward?
Notional Metrics:
• Cybersecurity (time to patch vulnerabilities; time to achieve ATO)

Goal: Program-Specific Goals & Risks
Question: Idiosyncratic/contextual
Notional Metrics: Idiosyncratic/contextual
Notional Outcomes and Key Results to achieve Better Software Faster
Demonstrate the following outcomes:
• value and performance delivered to operational users (warfighting effectiveness)
• operationally effective, suitable, and survivable for use
• timely release of user prioritized capability needs
• operational monitoring of all critical functionality
• cyber event monitoring and detection
• rapid and effective response to operational outage
• rapid and effective response to cyber-attack
• early and continuous user involvement and feedback
• speed & increasing velocity for releases to operations (or operationally relevant
[Figure: Software Acquisition Pathway scenarios "1: Upgrading a Weapon System" and "4: Weapon System w/HW&SW Development".
Major Capability Acquisition phases: Material Solutions Analysis; Technology Maturation and Risk Reduction; Engineering and Manufacturing Development; Production and Deployment. Milestones: MDD, MS A, MS B, MS C, IOC, FOC.
Software Acquisition: Planning Phase; Execution Phase (S1 S2… Sn); MVP, MVCR, Rn (Release n, Release n+1); < 1 year.
Activity labels: ADM to Use SW Pathway; User Agreement; Capability Needs Statement; CDD; Acquisition, Contracting, and Test Strategies; Dynamic Backlogs of User Stories; Identify and Secure Funding (S, PM, FM); Program Funding (S, PM, FM); Design, Develop, and Produce Hardware (PM, SE, TE); ADM to Begin Execute Phase.
Role key: S: Sponsor/Users; PM: Program Manager; DA: Decision Authority; SE: Systems Engineer; TE: Test; CON: Contracting Officer; FM: Financial Management.]
Cost Estimate
• The initial cost estimate must be completed prior to entry into the execution phase and must be updated annually
• Cost estimates are tailored for unique aspects of software development
• CAPE ICE required for software programs over ACAT II threshold
• Cost estimates consider the content of the CNS, strategies, and enterprise services in planning and integrate the roadmap, backlogs, and cost actuals throughout development phase
• Where applicable, cost and software data reporting, to include software resources data reports, must be submitted
Active User Engagements
Critical to the success of software development to ensure delivered software addresses their priority needs
• Understand their needs and operational environment
• Solicit their feedback on MVPs, designs, developments
Plan For Enterprise Services and DevSecOps Pipeline (Software Factory)
People + Process + Tools = DSO Ecosystem
• Well-balanced Ecosystem & skilled workforce: path to DSO enlightenment
• Keystones: Culture and Continuous improvement
  • Test Driven Development & Frequent Small Batch Delivery
  • Evolutionary Architecture must support frequent deliveries/interoperability
  • Refactoring and pay down technical debt
Secure Software & Cyber Security Plan
• The Sec in DevSecOps is baked into the planning, architecture and design, and embedded throughout the entire process
• DevSecOps shifts Cybersecurity to the left; true risk managed process
• Cybersecurity risk is continuously scanned, evaluated & monitored – yields accessible, automated artifacts enabling continuous ATO
DevSecOps Success: Value@Scale
Stark Brady Smith Trijoined Triangles of DSO Success