How the Army makes software a front and center focus

"One of the things that we really change as part of the software implementation is, no longer is the Army going to retest everything," said Jennifer Swanson.

Pretty much every operation in warfare these days, at least until someone pulls a trigger, depends on software. That’s why the Army is on a drive it calls digital transformation. For an update on how the pieces related to software tie in, the Federal Drive with Tom Temin caught up with the deputy assistant Army secretary for data, engineering and software, Jennifer Swanson.

Interview transcript:

Jennifer Swanson: Software Directive 2024-02 was really one of the very first things that we worked on. And so when I got to this job, there were these meetings ongoing with the under and the vice where they were really trying to drive change. And driving change in modern software was one of the key things. And so we led that effort from the beginning in terms of what are the technical things that we need to make sure get implemented, what are industry best practices, what does that look like? What is industry doing today? How does the Army evolve? And I will tell you most importantly, what processes does the Army need to change in order to be able to adopt modern software practices? Because it’s not as simple as just telling a vendor in a contract to do this, be agile, give us DevSecOps, because the way we wrote requirements wasn’t conducive. The way we tested wasn’t conducive. Our release processes were not conducive. The way we contracted wouldn’t work. So there was a ton of stuff that needed to evolve.

Tom Temin: That’s right, because if you want the factory approach, let’s call it for shorthand, on your vendor’s part, you have to be equipped to be able to receive, test and deploy those regular releases, otherwise they’re throwing waves against a rock, so to speak.

Jennifer Swanson: Exactly. And that’s really what the directive is about, is modifying Army processes where needed. And there’s a lot of modifications needed, you can see that in the directive. Every organization that got tasked, it was about, hey, we need to change how we cost software, we need to change how we test software. And so ultimately we partnered with, like I said, DAS(DES) drove the technical stuff in that directive for the most part, we partnered with Margaret Boatner, who is the ASA(ALT) policy person. She’s amazing. And so she took that information and transformed it into what you see as a directive today. And did all the coordination across the Army. We supported her in that, but that was kind of the same roles or responsibilities. We are still meeting monthly with the under and the vice, because they want to make sure the implementation is happening. So all of the tasks in the directive, everybody has to go and brief: How are you doing this month? Which is great, because it’s a forcing function. That’s what we need.

Tom Temin: We’re speaking with Jennifer Swanson, deputy assistant Army Secretary for Data, Engineering and Software. And that idea of them testing and verifying what you say you’re doing, you also demand that of the software. So maybe talk about the ways in which you test software that does come in. You have to have a test regime that’s continuous now, and not just episodic like the old way. But then there’s the performance side, there’s the cybersecurity side. And then I guess maybe a third aspect is integration, so that when you install a new release, it doesn’t break everything else down the line.

Jennifer Swanson: So one of the things that we really change as part of the software directive implementation is, no longer is the Army going to retest everything. So the test community has agreed to leverage vendor test data that is provided. And we’re driving that vendor test data to be automated. So if you think about kind of a pipeline where we have software drop in, we want to have automated test tools that are scripted to run the tests that are needed. We get the data back, it’s very quick, gets immediate feedback. It’s really kind of you take human error out of the process because it’s an automated function. Same thing with cyber testing. So there are cyber testing tools that are part of that pipeline that give us immediate feedback on the cybersecurity of that piece of code. And these pieces of code are intentionally small so that you’re not like, Oh my God, I wrote this a year and a half ago and now I have to try to figure out how to update it. No, this is a couple of weeks’ worth of code at most that gets dropped into this pipeline and it goes through all of these tests, and you’re able to very quickly iteratively fix. And then that gets into users’ hands and users provide us feedback, etc.

Jennifer Swanson: Test community is willing to take as much vendor test data as we have and give us credit. Now there is going to be a need for operational testing for some things, obviously, and so that’s something that we will continue doing. But we’re going to not retest all of the developmental things that we’ve already tested. As far as integration onto hardware, absolutely. There is hardware-in-the-loop testing to make sure that it works on the intended hardware platform. And that will also get run through some of those operational tests to make sure we do want humans on the software at some point, because humans make mistakes and we want to make sure that those mistakes are caught and that the system doesn’t crash. So all of that is still going to happen, but it’s going to happen iteratively, and it’s going to happen a lot faster.

Tom Temin: The Cybersecurity Maturity Model Certification system is coming, and that primarily applies to the business systems of vendors. Do you see it also affecting their development work for the Army? And how do you think it will affect that if it does?

Jennifer Swanson: I think it does from the standpoint that CMMC is driving much more scrutiny and, I would say, insight on our part in terms of what are the good cybersecurity practices that we want to make sure get implemented. So CMMC is going to help, like you said, make sure the vendor facility is locked down and safe from cyber infiltration. But also we are driving more cybersecurity, because cyber warfare is real. We see it all of the time, and so we need to make sure that our systems are locked down. One of the new things, Mr. Bush signed a policy in August to require vendors to provide SBOMs (software bills of materials). And that’s in coordination with CISA. And there’s been a lot of federal push for that. And that will provide us really a component list of all of the things in every software drop, which is very important for us to be able to understand the cybersecurity integrity of the piece of software. So it’s a really critical step in terms of providing the transparency that we need to make sure that our software is secured.

Tom Temin: And a final question or double question, what does the Army mean by the mesh concept? And how is this delineated in the [Unified Data Reference Architecture (UDRA)]?

Jennifer Swanson: Yeah. So what we mean by mesh is we want a distributed decentralized way to be data centric. And by that what I mean is we don’t want to have a bunch of different data platforms in the architecture. The network is the Army’s number one priority. We want to make sure there are really worked in what now is PEO-C3N for a long time before this job. And I can tell you there are realities on the tactical side that we have to be careful with the bandwidth that we have. And we have to use it as effectively as we can. Because it’s never going to be enough. We will always want more bandwidth. And so what Data Mesh allows us to do is not continually replicate and sync a bunch of data platforms together, but rather be able to have users have access to the data products that they need when they need them in a much more bandwidth efficient way. So that’s really what Data Mesh is about. It’s about having a single data dictionary, but you don’t have all the stuff stored there, you just have metadata. And so it’s a much more accessible way and it allows also users to create their own data products. The Unified Data Reference Architecture (UDRA), it’s also the data mesh piece of the software directive, that’s what we deliver against was UDRA. UDRA is data mesh based. And it’s not prescriptive, but it defines how we want to implement data mesh across the Army.

 

Copyright © 2024 Federal News Network. All rights reserved.
