Nearly every operation in warfare today relies on software, at least until someone pulls the trigger. That’s why the military is on a mission it calls digital transformation. For an update on how the pieces related to software connect, the Federal Drive with Tom Temin spoke with Deputy Assistant Army Secretary for Data, Engineering and Software Jennifer Swanson.
Transcript of the interview:
Jennifer Swanson: Software Directive 2024-02 was actually one of the very first things we worked on. And so when I got this job, there were meetings going on with the underworld and the vice world, where they were really trying to effect change. And driving change in modern software was one of the most important things. And so we’ve been leading that effort from the beginning in terms of what are the technical things that we need to make sure are implemented. What are the best practices in the sector, what does that look like? What is the industry doing today? How is the military evolving? And I’ll tell you the most important thing: what processes does the military need to change to adopt modern software practices? Because it’s not as simple as telling a supplier to do this in a contract, you need to be flexible. Give us DevSecOps, because the way we wrote the requirements was not helpful. The way we tested was not conducive. Our release processes were not conducive. The way we entered into contracts wouldn’t work. So there was a lot of things that had to evolve.
Tom Temin: That’s right, because if you want the factory approach, let’s call it shorthand for your supplier. You have to be equipped to receive, test and deploy those regular releases, otherwise they’re like throwing waves against a rock.
Jennifer Swanson: Precisely. And that is actually what the guideline is about: adjusting army processes where necessary. And many adjustments are needed, as you can see in the guideline. Every organization that was commissioned was about, Hey, we need to change how we cost software, we need to change how we test software. And so we ended up working with, as I said, DAS(DES) who drove most of the technical stuff in that directive, we worked with Margaret Boatner, who is the attack policy person. She’s great. And so she took that information and transformed it into what you see as a guideline today. And took care of all coordination within the army. We supported her in that, but they were more or less the same roles or responsibilities. We still meet monthly with the subordinates, because they want to make sure that the implementation is happening. So for all tasks in the guideline, everyone must go for a briefing. How are you doing this month? That’s great because it’s a forcing function. That’s what we need.
Tom Temin: We speak with Jennifer Swanson, deputy assistant secretary of the Army for data engineering and software. And that idea that they test and verify what you say you do, you also demand from the software. So maybe talk about the ways that you test software that does come in. You now need to have a testing regimen that is continuous, not just episodic like in the past. But then there’s the performance side and the cybersecurity side. And then I think maybe a third aspect is integration, so that when you install a new release, everything else doesn’t break.
Jennifer Swanson: One of the things we’re really changing as part of the software directive implementation is that the military is no longer going to retest everything. Therefore, the testing community has agreed to use the provided test data from suppliers. And we ensure that supplier test data is automated. So if you think about some kind of pipeline where software comes in, we want to have automated testing tools that are scripted to run the tests that are needed. We get the data back, it’s very fast and gets immediate feedback. It’s very nice of you to remove human error from the process, because it is an automated function. The same goes for cyber testing. So there are cyber testing tools that are part of that pipeline that give us immediate feedback on the cybersecurity of that piece of code. And these bits of code are intentionally small so you don’t think, Oh my God, I wrote this a year and a half ago and now I have to try to figure out how to update it. No, this is at most a few weeks worth of code going into this pipeline and going through all these tests, and you can solve it iteratively very quickly. And then that gets into the hands of users and users give us feedback, etc.
Jennifer Swanson: The testing community is willing to collect as much vendor testing data as we have and give us credit. Now, obviously, there’s going to be a need for operational testing for some things, and that’s something that we’ll continue to do. But we’re not going to retest all the development stuff we’ve already tested. As far as integration on hardware goes, absolutely. Hardware is included in the loop test to ensure it works on the intended hardware platform. And that will also go through some of that operational testing to make sure that we ever want to have people on the software, because people make mistakes and we want to make sure that those mistakes are caught and the system doesn’t crash. So that’s all still going to happen, but it’s going to happen iteratively, and it’s going to happen a lot faster.
Tom Temin: The Cybersecurity Maturity Model Certification System is coming, and that especially applies to suppliers’ business systems. Do you see this also affecting their military development work? And how do you think this will impact that if it does?
Jennifer Swanson: I think this is the case from the standpoint that CMMC exercises much more supervision. And I would say insight on our part in terms of what are the good cybersecurity practices that we definitely want to implement. So CMMC, as you said, is going to help ensure that the vendor facility is locked down and protected from cyber infiltration. But we also encourage more cybersecurity, because cyber warfare is real. We see it all the time and that’s why we need to make sure our systems are locked down. One of the new things was that in August, Mr. Bush signed a policy requiring suppliers to provide SBOMs (Software Bill of Materials). And this is done in coordination with CISA. And there has been a lot of federal pressure on that. And that will really give us a component list of all the things in each software drop, which is very important for us to be able to understand the cybersecurity integrity of the piece of software. So it’s a very crucial step when it comes to providing the transparency we need to ensure that our software is secure.
Tom Temin: And one last question or double question: what does the military mean by the mesh concept? And how is this demarcated in the Unified Data Reference Architecture (UDRA)?
Jennifer Swanson: Yes. So what we mean by mesh is that we want a distributed, decentralized way to be data-centric. And by that I mean that we don’t want to have a lot of different data platforms in the architecture. The network is the military’s first priority. We want to ensure that this job takes a really long time to complete in what is now PEO-C3N. And I can tell you that there is a reality on the tactical side that we have to be careful with the bandwidth that we have. And we must use it as effectively as possible. Because it will never be enough. We will always want more bandwidth. And so what Data Mesh allows us to do is not continually replicate and synchronize a number of data platforms with each other, but rather give users access to the data products they need when they need them, in a much more bandwidth-efficient way. So that’s basically what Data Mesh is about. The point is that you have one data dictionary, but you don’t have all the stuff stored in there, you just have metadata. And so it’s a much more accessible way and users can also create their own data products. The Unified Data Reference Architecture (UDRA), it’s also the data mesh piece of the software directive, that’s what we’re fighting against was UDRA. UDRA is based on data mesh. And it’s not prescriptive, but it defines how we want to implement data mesh across the Army.
Copyright © 2024 Federal News Network. All rights reserved.