Point 4: Integrate and streamline T&E and C&A processes
The processes used for testing and for certifying the security of IT systems often become the “long pole” in getting needed IT capabilities into the hands of DoD users. Clearly, it is important to test capabilities before placing them in the field, and the growing security threats necessitate a strong focus on cyber security. However, the testing and security certification processes typically employed for IT capabilities fail to recognize the realities summarized in Table 4.
Table 4: Realities of IT Test and Security Certification
Agile development methods recognize the importance of continuous user involvement in the testing and evaluation of IT capabilities. Unfortunately, DoD’s acquisition processes, which were developed for weapon systems, typically require professional testers to perform operational testing. If end users are effectively involved in the development and testing of IT capabilities, the marginal benefits of additional testing by independent professional testers are small, and the delay in getting capabilities to the users becomes unacceptable. A more prudent approach is to rapidly deploy, in an incremental manner, capabilities that have been tested by actual end users (perhaps through virtual connectivity to the development team). This can be achieved by starting with a small subset of actual users and expanding the user community after confidence has been gained through the smaller deployment. Testing by professional testers should be performed after substantial capabilities have been fielded and are in use. This professional testing effort would provide a formal assessment of the effectiveness of the fielded capabilities against the user requirements and recommendations for future development efforts (i.e., modify, expand, or cancel).