How the U.S. Department of Defense Develops and Procures Software

The U.S. Department of Defense (DoD) increasingly recognizes that software is fundamental to modern military capability – “software is at the core of every weapon and supporting system we field” as one recent Pentagon memo put it. Yet for decades, the DoD struggled to keep pace with commercial software innovation. Traditional defense acquisitions were built around hardware (tanks, planes, ships) and moved slowly, ill-suited to rapidly evolving digital technology. Today, the DoD is pursuing a dual approach to software: building up in-house development capacity using modern tech industry practices, and buying or partnering with commercial software vendors via more flexible contracts. This article explores how the Pentagon’s software is made – from “software factories” inside the military to new contracting mechanisms that invite Silicon Valley startups – and offers guidance for tech companies looking to work with the DoD. We’ll also examine whether the DoD prefers to write its own requirements or embrace off-the-shelf solutions in its drive to deliver better code to the warfighter.

Developing Software In-House: DoD Software Factories and DevSecOps

In the past several years, the DoD has stood up a network of internal software development hubs known as “software factories.” In simple terms, a software factory is a collection of people, tools, and processes that enables teams to continuously deliver value by deploying software for a specific set of end-users. These in-house factories adopt the techniques of modern tech firms – Agile development, DevSecOps (Development, Security, Operations), and continuous integration/continuous delivery – to produce secure software at high speed. The emphasis is on small, empowered teams, rapid iteration, and close user feedback, in contrast to the monolithic, years-long development cycles of the past.

One oft-cited example is the U.S. Air Force’s “Kessel Run” unit, which became a model for this new approach. Kessel Run began as a rogue experiment by Air Force technologists frustrated with the glacial pace of traditional military software projects. Embedding coders alongside warfighters, the Kessel Run software factory “brought speed and rapid change through modern agile development practices and ‘DevSecOps’ to USAF programs”. Small teams of Airmen and civilian developers worked side-by-side with contractors in a collaborative bullpen, releasing updates to Air Operations Center apps on timelines of weeks rather than years. Lauded as a rare success story, Kessel Run became a blueprint for other rapid development software factories across the Air Force and Space Force. Its very name, a reference to a Star Wars smuggler’s route, signaled a culture of working around old rules to deliver results fast.

An Air Force officer presents at Kessel Run’s software factory in Boston, which pioneered fast, in-house software development using DevSecOps. Kessel Run’s success has inspired similar DoD “software factories” focused on agile, iterative delivery (U.S. Air Force photo).

Following Kessel Run’s lead, nearly every service branch now has its own software factory initiatives – the Army launched an Army Software Factory in Austin, the Navy has “Black Pearl” and other efforts, and the DoD as a whole set up Platform One, an enterprise DevSecOps environment. Platform One is the first DoD-wide DevSecOps service, providing a centrally managed cloud platform, development tools, and DevSecOps pipelines at scale. The goal is to let DoD teams “write code once, deploy everywhere” in a secure, approved environment, so they can focus on mission features rather than reinventing infrastructure. Through Platform One and similar efforts, the Pentagon is trying to cultivate a culture of continuous software improvement – one where updates roll out weekly or even daily, and security is baked into automated build processes (the “Sec” in DevSecOps).

Crucially, DoD leadership has institutionalized these practices via policy. In 2020 the department created a new Software Acquisition Pathway as part of its Adaptive Acquisition Framework, recognizing that software shouldn’t be bought the same way as tanks or planes. Under DoD Instruction 5000.87 (which governs the Software Pathway), programs “will demonstrate the viability and effectiveness” of new software for operational use within one year of funding and deliver updates to users at least annually thereafter. In other words, no more decade-long developments – if you’re writing DoD software, you need to show something working in the field in 12 months or less. The instruction also requires teams to use “modern iterative software development methods such as DevSecOps”. This mandate has accelerated the adoption of agile, secure pipelines across DoD programs. Commanders have set up “continuous ATO” (Authority to Operate) processes, automated testing, and cyber hardening practices so that small, frequent releases can be deployed to operational systems without lengthy re-certification each time.

The DevSecOps approach treats software as a living product that is never truly “finished” – it must continuously evolve. That philosophy is now visible across the DoD. For example, the U.S. Navy’s Project Overmatch (connecting sensors and weapons via AI) and the Air Force’s ABMS program are relying on iterative DevSecOps cycles. The payoff has been evident in certain cases: by embracing agile methods, some Air Force applications saw deployment cycles shrink from 5 years to 5 weeks, and security vulnerabilities are addressed in near real-time rather than lingering unpatched. While challenges remain in scaling these practices across the massive Defense bureaucracy, the rise of in-house software factories reflects a sea change: the DoD is training its uniformed and civilian personnel to be software developers and product managers, not just consumers of contractor-built code. In doing so, it aims to move at “the speed of relevance” – keeping U.S. military software capabilities on the cutting edge of what adversaries and the tech industry are doing.

Contracting and Partnering for Software Innovation

Even as it grows its internal coding talent, the Pentagon still relies heavily on external software vendors and commercial technology partners. DoD organizations procure everything from cloud services and business enterprise software to AI-enabled battle management tools from industry. The difference today is how the DoD acquires those capabilities. The department has been updating its acquisition playbook to make it easier, faster, and more attractive for commercial tech companies – including small and mid-size firms – to do business with the DoD.

A centerpiece of this effort is the aforementioned Software Acquisition Pathway (SWP), which provides a streamlined process for software-intensive programs. Programs using the SWP are exempt from some cumbersome oversight and documentation burdens that apply to big hardware programs. In essence, the SWP says: focus on delivering working software quickly and continuously, rather than on massive one-time requirements docs. This mindset shift was summarized in a 2025 directive by the Secretary of Defense, who urged “refram[ing] our acquisition process from a hardware-centric to a software-centric approach”. Concretely, the SecDef ordered that “Commercial Solutions Openings (CSOs) and Other Transactions (OTAs) [shall be] the default solicitation and award approaches” for all software pathway programs. This is a major change – it tells DoD offices to use flexible, fast-track contracting methods for software instead of the traditional Federal Acquisition Regulation (FAR) contracts, whenever possible.

So what are these alternative contracting mechanisms? One is the Other Transaction Authority. Other Transaction Agreements (OTAs) are legally authorized contracts that are not subject to the usual federal procurement laws – they’re meant for prototyping new technology and allow more flexible terms and quicker awards. The DoD has had OTA authority for decades (under 10 U.S.C. § 4022) but only recently began using it widely to attract innovative companies. OTAs can be awarded faster than FAR-based contracts and often involve a “prototype” project with the option of a follow-on production contract if the prototype succeeds. Crucially, OTAs let the DoD work with “nontraditional defense contractors” – meaning firms that don’t typically do government business – with less red tape. In fact, DoD policy allows an OTA prototype to transition to a non-competitive procurement for production, avoiding a drawn-out rebidding process. This is a big incentive for companies: deliver a successful prototype and you could win the full production contract without another competition.

Another key tool is the Commercial Solutions Opening (CSO). A CSO is a type of solicitation designed specifically to obtain innovative commercial products or services without dictating a detailed government-unique specification. Under a CSO, the DoD issues a general problem statement or area of need, and companies are invited to propose creative solutions – much more like a commercial Request for Solutions than a typical government RFP. The Defense Innovation Unit (DIU), a DoD organization based in Silicon Valley, pioneered the CSO process starting in 2016. Through DIU’s annual CSO, hundreds of nontraditional companies have secured prototype contracts. In DIU’s experience, 88% of its CSO-based awards have gone to nontraditional vendors and 68% to small businesses – a dramatic shift from the norm of contracts going to the same few large defense primes. CSOs “make it even easier for companies to understand the government’s problem sets”, as a DoD official explained. Instead of forcing a newcomer to navigate volumes of military requirements, a CSO presents the problem and lets the commercial innovator propose the solution in plain language. The actual contracts arising from CSOs are usually OTAs (often termed “CSO OTs”) for prototype projects.

The DIU model – combining OTAs and CSOs – has now been embraced department-wide. What began as a workaround to bring in Silicon Valley startups is now codified by policy as the “standard for acquiring software” across the DoD. According to DIU, using a CSO+OTA approach can cut the time to award a prototype contract down to about 90–120 days, versus the many months or years a traditional contract might take. And speed is not the only benefit. By lowering barriers to entry, the DoD can discover non-traditional suppliers with cutting-edge tech that might never have participated under normal FAR processes. As one defense official put it, “the reason this works better [is that] instead of spending years writing detailed requirements and going through a rigid… one-size-fits-all process, we can tap into the best tech available right now, prototype it fast and get it to the field quickly, if it works”. In other words, the Pentagon is willing to buy off-the-shelf or adapt commercial software if it meets the mission – it doesn’t always need to invent a bespoke solution from scratch.

This philosophy reflects a broader shift in mindset: the DoD is trying to act more like a tech customer and less like an overly prescriptive bureaucracy. In fact, U.S. law has long required the DoD to prefer commercial products where possible. (Under statutes now codified in Title 10, acquisition officials must conduct market research for commercial items and favor a non-developmental item if it meets the need.) In practice, that hasn’t always been followed – but there have been high-profile wake-up calls. In one notable case, Palantir Technologies, a Silicon Valley software firm, took the Army to court for ignoring the “statutory and regulatory preference for the acquisition of commercial items.” Palantir argued that the Army’s plan to develop a new intelligence system from scratch was flawed because Palantir’s off-the-shelf platform could fulfill a large portion of the requirements. The legal challenge ultimately forced the Army to seriously consider and later adopt commercial solutions in its Distributed Common Ground System. This precedent underscored that the DoD cannot overlook viable COTS (commercial off-the-shelf) options – and indeed Congress has pressed the Pentagon to “buy before build” when possible.

Today, examples of commercial software vendors succeeding in defense are multiplying. Palantir, once an outsider, is now a major DoD partner; in May 2024 the Army awarded Palantir a $480 million contract to deploy its AI-driven Maven Smart System to users across multiple combatant commands. This contract expands the Army’s use of Palantir’s platform for analyzing battlefield data and was a direct outgrowth of the company’s prototype work on Project Maven (the Pentagon’s flagship AI project). Another headline example is Anduril Industries, a defense tech startup founded in 2017.

Anduril’s Long-Range Sentry Tower, part of an AI-enabled counter-drone system that the U.S. Marine Corps is acquiring from the company. In 2025, Anduril was awarded a $642 million IDIQ contract to deliver, install, and sustain a family of systems to protect Marine Corps bases from small drones.

Anduril’s rise from newcomer to prime contractor shows the DoD’s new openness to nontraditional players: the Marine Corps selected Anduril’s commercially developed counter-UAS network over nine other offerors, citing the maturity and field-proven status of the system. These successes illustrate that the DoD is indeed willing to buy commercial tech – whether it’s data analytics software or autonomous defense systems – when it offers a leap in capability. Other firms like Shield AI (which provides AI pilots for drones), Rebellion Defense (AI software for targeting and cyber defense), and even big cloud providers like Microsoft and Amazon (through the DoD’s JWCC cloud contract) have secured significant defense contracts by leveraging their commercial innovations.

From a budget perspective, the DoD is backing up this strategy with funding. The Pentagon’s unclassified IT and cyber budget for FY2024 was about $58.5 billion (approximately 7% of the total defense budget), continuing a steady increase in digital tech investment. Within that, cloud and software modernization initiatives were highlighted (around $2.3 billion allocated). The DoD has also poured money into OTA-based prototype projects – not only for IT, but across domains. In recent years, prototyping via OTAs has exploded, covering everything from AI algorithms to network communications. For example, multiple consortia of companies now execute OTA prototype agreements for the Army’s network modernization and the Air Force’s Advanced Battle Management System. The trend is clear: more DoD dollars are flowing through streamlined channels to software and tech vendors, in hopes of rapidly fielding new capabilities.

Still, traditional procurement isn’t going away. Many large programs (e.g. an aircraft platform that includes millions of lines of embedded software) are still handled by the big defense contractors under conventional contracts. But even those programs are increasingly compartmentalizing their software components to use the new approach. The Software Acquisition Pathway can be nested within a larger project, allowing, say, an F-35 jet’s software updates to be acquired on a faster iterative rhythm than the jet itself. And importantly, the DoD is encouraging partnerships between traditional primes and smaller software firms. Often a small tech company may team with a larger systems integrator who can navigate DoD processes, combining innovation with experience. The watchword for DoD is “agility” – whichever acquisition route delivers usable software faster and better, the department is willing to try. By combining internal coding efforts, direct commercial buys, and hybrid public-private teams, the DoD is attempting to transform itself into a 21st-century software-savvy organization.

How Tech Companies Can Work with DoD

For small to mid-size tech companies interested in doing business with the Pentagon, the landscape can be daunting but is more navigable than it once was. Practical steps can increase a company’s chances of getting noticed and winning contracts with the DoD:

1. Get registered and fluent in the basics. Any company that wants to bid on U.S. defense contracts must register in the government’s central contractor database, the System for Award Management (SAM). SAM.gov is “a government-wide registry for doing business with the Federal government”. Registration is free, but requires obtaining a DUNS/UEI number, a NATO CAGE code, and listing details like the company’s industry codes (NAICS) and capabilities. A SAM profile is not only required for bidding; it also acts as a marketing brochure in a database that DoD officials search. (Contracting officers and small business offices can and do look up companies in SAM by keywords or NAICS code when conducting market research for a need.) Pro tip: ensure your SAM profile’s keywords and descriptions are clear about what problems your software solves. Additionally, take time to understand the Federal Acquisition Regulation (FAR) basics – while you may target OTA or SBIR opportunities that aren’t FAR-heavy, any interaction with DoD will go more smoothly if you know the general rules and vocabulary of government contracting.

2. Leverage small business support programs. The DoD wants smaller tech firms in the mix and offers resources to help. One great resource is the network of APEX Accelerators (formerly known as Procurement Technical Assistance Centers). These are DoD-funded centers across the country that provide free counseling and training to businesses on how to compete for defense contracts. An APEX counselor can assist with registrations, interpreting solicitations, and even proposal writing tips. There are also Small Business Development Centers and SCORE mentors (often through the SBA) that can help you polish your business for government work. Each military branch and major defense agency has an Office of Small Business Programs (OSBP) with specialists whose job is to connect small businesses with contracting opportunities. Engaging with these officials – through industry days, matchmaking events, or one-on-one meetings – can provide insight into upcoming needs and how to pitch your product. The DoD OSBP even publishes a “Guide to Marketing to DoD” with tips like “find your niche” and “target your customer’s mission”. The effort is worth it: the DoD awarded over $154 billion in prime contracts to small businesses in FY2021 alone. That figure shows that small firms (many in tech) are winning significant work, not just tiny subcontracts.

3. Start small (e.g. SBIR, DIU, or pilot contracts) to prove your worth. One of the best entry points for a tech SME is the Small Business Innovation Research (SBIR) program. DoD SBIR solicitations are competitive grants/contracts for R&D, where the government publishes topics (problems) and invites proposals from small businesses (under 500 employees). If your software product or technology aligns with a published topic (or you find a way to spin it to align), SBIR can fund a Phase I feasibility study (typically ~$50–$150k) and then a Phase II prototype development (up to $1M or more). Successful SBIR Phase II projects can often transition to Phase III, which are non-competitive follow-on contracts to deploy the solution – essentially giving you a foot in the door to a program of record. Many defense-focused startups (and even non-defense startups) have used SBIR as a vehicle to adapt their commercial tech to military needs with early funding. In recent years, the Air Force’s AFWERX program created an “Open Topic” SBIR that’s even more flexible, allowing companies to propose any defense-use adaptation of their product. The SBIR route isn’t the only path – the Defense Innovation Unit (DIU), as discussed, solicits commercial solutions on a rolling basis in areas like AI, autonomy, and cybersecurity. Responding to a DIU CSO posting or other service innovation challenge (e.g. Army’s xTech competitions or SOCOM’s ThunderDrone challenge) could lead to a pilot contract where you get to deploy your tech in a military context as a trial. These pilot and prototype engagements are incredibly valuable; even if the dollar value is modest, they give you past performance credentials and a case study within DoD.

4. Find the right problem and customer. The most important advice for any company is to identify a real DoD problem that your software can solve, and identify who “owns” that problem inside the military. This often means doing some homework: which office or program manager is responsible for the function or mission area your product addresses? For example, if you have a supply chain optimization software, look for Army logistics commands or the Defense Logistics Agency initiatives in that area. Read their strategy documents or prior contract awards to gauge what they need. Then, when you approach them (via an intro at a conference, an email, or an OSBP referral), speak their language. Defense officials complain about vendors coming in with generic pitches that don’t demonstrate understanding of military needs. As the DoD’s own small business guidance says: “When you meet with Program Managers and Contracting Officers, be prepared to discuss a real requirement, not your generic capabilities.” Tailor your capability statement to say, “Here’s how our product can help you accomplish X mission or save Y amount of time/money in your process.” If possible, use unclassified data or case studies to quantify the benefit. Essentially, you need to make a compelling case that your shiny new software isn’t just a gadget in search of a problem – it’s the solution they’ve been looking for (even if they didn’t realize it).

5. Be patient, persistent, and compliant. Even with all the new fast-track authorities, selling to the DoD still takes time and persistence. The sales cycle can be long – often 12–18 months from initial contact to contract, especially if budget timing is a factor. Don’t be discouraged by initial rejections or silence; follow up (professionally) and continue to refine your value proposition. Attend defense industry days, tech demonstrations, and submit whitepapers or RFIs (Requests for Information) when opportunities arise – these can get you on the radar. Meanwhile, ensure you comply with necessary regulations that could be gating factors. For example, the DoD is increasingly serious about cybersecurity for contractors’ systems. Companies need to implement baseline security controls (following standards like NIST SP 800-171) and soon may need to be certified under the Cybersecurity Maturity Model Certification (CMMC) program. If you’re handling any sensitive defense data in your software or cloud, you’ll need at least a plan for IT security. Additionally, be mindful of export control laws (ITAR/EAR) if your software has encryption or military applications – this can come up if you demo to foreign partners. While these compliance areas can seem onerous, help is available (APEX Accelerators can guide you on compliance too). The bottom line is that a company that proves it can meet DoD standards – technically and administratively – while offering something uniquely valuable will have an edge.

At the end of the day, engaging with the DoD as a tech company is like entering a large, complex market with its own rules and culture. It’s not always easy, but the opportunities are substantial – the U.S. defense arena is a multi-billion-dollar software market in need of modern solutions. And unlike the fast-turnover consumer tech space, military programs, once you’re in, can become steady, long-term customers (with projects often extending for years or decades of upgrades and support). The DoD is actively trying to court innovative firms because it knows it must harness commercial technology cycles. This means the door is open wider than before, but companies still have to make the effort to step through it and demonstrate impact.

The U.S. Department of Defense has embarked on a considerable transformation in how it approaches software, recognizing that superiority on the battlefield now often hinges on lines of code as much as on platforms and munitions. Internally, the DoD is fostering a new generation of tech-savvy soldiers and civilians organized into software factories practicing DevSecOps – a far cry from the old paradigm of handing requirements to a contractor and waiting years for delivery. At the same time, the Pentagon has come to appreciate the value of leveraging private-sector innovation. By adapting commercial contracting tools like OTAs and CSOs, the DoD is lowering barriers for nontraditional vendors and signaling that it is open to off-the-shelf solutions whenever they can meet mission needs. This shift from a specify-and-build mentality to a “buy, try, and adapt” mentality is evident in the big contract wins of companies like Palantir and Anduril, and in countless smaller prototype awards to startups with promising tech.

For small and mid-size tech companies, these changes are encouraging. They mean the DoD is not only a source of enormous budget opportunities but is also actively seeking fresh ideas and better ways of doing things. However, navigating the defense market still requires effort – understanding the unique needs of defense users, complying with security requirements, and being persistent through the sales cycle. Companies that succeed are usually those that combine the strength of their commercial product with a genuine engagement in the DoD’s problem space. In other words, they don’t just offer a product, they offer a solution to a colonel or program manager’s pain point, and they back it up with action – whether by rapidly prototyping through an OTA or by iterating on feedback from military testers.

Will the DoD truly embrace commercial software at scale, or will the old preference for bespoke, specified systems reassert itself? The momentum today is firmly toward embracing commercial tech. Pentagon leaders have made it policy to “leverage the entire commercial ecosystem for defense systems” and to deliver software updates faster than adversaries can respond. That imperative, driven by strategic competition, means the U.S. military can no longer afford the traditional, slow approach. In practical terms, we can expect to see more hybrid models – e.g. open architectures where government and contractors co-develop, continuous competitions for software modules, and apps delivered via secure marketplaces (the DoD’s Iron Bank repository of pre-approved containers hints at this future).

Ultimately, the DoD’s software development and procurement strategy is evolving into a blend of in-house agility and external innovation. The Pentagon is building up its own coding muscle and digital culture, while also tapping the ingenuity of America’s dynamic tech industry. For those companies ready to engage, there is a willingness on the DoD side to collaborate in new ways – whether by co-creating in a software factory environment or rapidly fielding a commercial solution to the front lines. The cliché “the military is not a software company” is fading; in the 2020s, the U.S. Department of Defense is well on its way to being both a developer and an acquirer of advanced software. That bodes well for a future where U.S. warfighters have access to the best technology that public and private talent can offer, developed with the speed and adaptability that the modern battlefield demands.

Sources: Official Department of Defense and U.S. government publications and statements were used in the preparation of this article, including defense procurement policy guidance and transcripts, DoD CIO reports, Defense Innovation Unit releases, and DoD Office of Small Business Programs materials. Several specific program examples and budget figures are drawn from authoritative defense news outlets and DoD announcements, as cited throughout the text. These sources collectively illustrate the current state of DoD software development and procurement and the department’s increasing collaboration with commercial technology firms.