Defense Software for a Contested Future: Agility, Assurance, and Incentives (2025)
Chapter: Front Matter
Consensus Study Report
NATIONAL ACADEMIES PRESS 500 Fifth Street, NW Washington, DC 20001
This study was supported by grant number HR00112310002 to the National Academy of Sciences from the Defense Advanced Research Projects Agency. Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of any organization or agency that provided support for the project.
International Standard Book Number-13: 978-0-309-99273-2
Digital Object Identifier: https://doi.org/10.17226/29129
This publication is available from the National Academies Press, 500 Fifth Street, NW, Keck 360, Washington, DC 20001; (800) 624-6242; https://nap.nationalacademies.org.
The manufacturer’s authorized representative in the European Union for product safety is Authorised Rep Compliance Ltd., Ground Floor, 71 Lower Baggot Street, Dublin D02 P593 Ireland; www.arccompliance.com.
Copyright 2025 by the National Academy of Sciences. National Academies of Sciences, Engineering, and Medicine and National Academies Press and the graphical logos for each are all trademarks of the National Academy of Sciences. All rights reserved.
Printed in the United States of America.
Suggested citation: National Academies of Sciences, Engineering, and Medicine. 2025. Defense Software for a Contested Future: Agility, Assurance, and Incentives. Washington, DC: National Academies Press. https://doi.org/10.17226/29129.
The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, nongovernmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.
The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. Tsu-Jae Liu is president.
The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.
The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine.
Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org.
Consensus Study Reports published by the National Academies of Sciences, Engineering, and Medicine document the evidence-based consensus on the study’s statement of task by an authoring committee of experts. Reports typically include findings, conclusions, and recommendations based on information gathered by the committee and the committee’s deliberations. Each report has been subjected to a rigorous and independent peer-review process and it represents the position of the National Academies on the statement of task.
Proceedings published by the National Academies of Sciences, Engineering, and Medicine chronicle the presentations and discussions at a workshop, symposium, or other event convened by the National Academies. The statements and opinions contained in proceedings are those of the participants and are not endorsed by other participants, the planning committee, or the National Academies.
Rapid Expert Consultations published by the National Academies of Sciences, Engineering, and Medicine are authored by subject-matter experts on narrowly focused topics that can be supported by a body of evidence. The discussions contained in rapid expert consultations are considered those of the authors and do not contain policy recommendations. Rapid expert consultations are reviewed by the institution before release.
For information about other products and activities of the National Academies, please visit www.nationalacademies.org/about/whatwedo.
COMMITTEE ON ENHANCING THE ASSURANCE AND NIMBLENESS OF LARGE-SCALE INTEGRATED SOFTWARE-BASED SYSTEMS
STEVE LIPNER (NAE), SAFECode, Co-Chair
J. GREG MORRISETT, Cornell University, Co-Chair
JANDRIA S. ALEXANDER, Booz Allen Hamilton
TIMOTHY BOOHER, Leidos
STEVEN W. BOUTELLE, U.S. Army (retired)
ALEXANDER GANTMAN, Qualcomm
HELEN GILL, National Science Foundation (retired)
MICHAEL HICKS, University of Pennsylvania and Amazon Web Services
JOHN LAUNCHBURY, Galois
DAWN C. MEYERRIECKS, The MITRE Corporation
RICHARD WARD, Microsoft (retired)
Study Staff
THƠ H. NGUYỄN, Senior Program Officer, Study Director
JON K. EISENBERG, Senior Board Director, Computer Science and Telecommunications Board
NNEKA UDEAGBALA, Associate Program Officer
SHENAE A. BRADLEY, Administrative Coordinator
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
LAURA HAAS (NAE), University of Massachusetts Amherst, Chair
DAVID DANKS, University of California, San Diego
CHARLES ISBELL, University of Wisconsin–Madison
ECE KAMAR, Microsoft Research Redmond
JAMES F. KUROSE (NAE), University of Massachusetts Amherst
DAVID LUEBKE, NVIDIA Corporation
DAWN C. MEYERRIECKS, The MITRE Corporation
WILLIAM SCHERLIS, Carnegie Mellon University
HENNING SCHULZRINNE, Columbia University
NAMBIRAJAN SESHADRI (NAE), University of California, San Diego
KENNETH E. WASHINGTON (NAE), Medtronic, Inc.
Staff
JON K. EISENBERG, Senior Board Director
THƠ H. NGUYỄN, Senior Program Officer
GABRIELLE RISICA, Program Officer
AARYA SHRESTHA, Senior Financial Business Partner
NNEKA UDEAGBALA, Associate Program Officer
SHENAE A. BRADLEY, Administrative Coordinator
Reviewers
This Consensus Study Report was reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise. The purpose of this independent review is to provide candid and critical comments that will assist the National Academies of Sciences, Engineering, and Medicine in making each published report as sound as possible and to ensure that it meets the institutional standards for quality, objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process.
We thank the following individuals for their review of this report:
Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the
conclusions or recommendations of this report nor did they see the final draft before its release. The review of this report was overseen by WILLIAM GROPP (NAE). He was responsible for making certain that an independent examination of this report was carried out in accordance with the standards of the National Academies and that all review comments were carefully considered. Responsibility for the final content rests entirely with the authoring committee and the National Academies.
Contents
Continuous Stakeholder Engagement
Continuous Integration and Continuous Deployment
Agile Software Development in the Department of Defense
Commercial Off-the-Shelf Practices
Commercial Off-the-Shelf Vendors and Secure Development
Government Requirements for Secure Development
Government and Contractor Practices
Preface
Software is a critical component of the systems on which the Department of Defense (DoD) relies. Software is embedded in weapons systems, used by commanders to deploy and control forces, used by intelligence analysts to track adversary forces, and depended on to ensure that logistics systems deliver materiel to the right place at the right time. DoD requires that the software it depends on be correct, fault-tolerant, resistant to cyberattack, and adaptable to new threats and requirements.
The Defense Advanced Research Projects Agency (DARPA) requested that the National Academies of Sciences, Engineering, and Medicine establish a committee to recommend ways of improving the security assurance and nimbleness of large-scale integrated software-based systems. The objective of the committee is to recommend directions for future research into ways of improving assurance and nimbleness and to recommend shorter-term improvements in DoD system acquisition and development practices that can lead to such improvements.
In response to the statement of task, the National Academies appointed the Committee on Enhancing the Assurance and Nimbleness of Large-Scale Integrated Software-Based Systems. The committee was composed of people with experience in academia and computer science research, government acquisition program management and software development, and commercial software development. Committee members met 3 times in person and more than 40 times virtually over a period of 18 months and heard presentations from speakers representing
government agencies, government contractors, commercial software vendors, and software research organizations. This report was developed based solely on public information. (The statement of task for the committee is reproduced in Appendix A and a full list of presentations to the committee is included in Appendix B.)
This report is primarily intended to inform the Office of the Secretary of Defense and DARPA of the committee’s findings and recommendations. The committee believes that the report is timely and important for reasons related to both technology and policy. The technology of software assurance has progressed markedly over the past decade, with the wide adoption of secure software development processes by commercial vendors, the emergence and mainstream adoption of memory-safe programming languages, and, especially, the maturation of formal methods that have enabled the verification of critical software components used in commercial software products and online services. Complementing these technical trends, DoD has made a formal commitment to acquire software using a “software acquisition pathway” that is well aligned with practices that commercial vendors have used successfully to achieve nimble and assured development. This report provides findings and recommendations intended to enable DoD to take maximum advantage of these recent developments.
The committee thanks the speakers who briefed the committee for sharing their time and insights. The committee also thanks Professor William Scherlis of Carnegie Mellon University for his contributions to the planning and creation of the study as well as his briefing to the committee.
The committee operated under the auspices of the National Academies’ Computer Science and Telecommunications Board and is grateful for the able assistance of Thơ H. Nguyễn, Jon Eisenberg, Nneka Udeagbala, and Shenae Bradley of the National Academies’ staff.
Steven Lipner and J. Greg Morrisett, Co-Chairs
Committee on Enhancing the Assurance and Nimbleness of Large-Scale Integrated Software-Based Systems
August 2025
