Crafting Excellence in Software
Let’s build something extraordinary together.
Rely on Lasting Dynamics for unparalleled software quality.
Michele Cimmino
Feb 27, 2026 • 7 min read
In February 2026, the Defense Information Systems Agency (DISA) unveiled a new cloud environment designed to speed the delivery of services to warfighters. The architecture features three on-ramps — classic, private, and commercial — creating a multi-pathway approach that enables faster deployment of cloud applications to military users across classification levels.
The same month, Defense Unicorns and the Army's C5ISR Center announced a breakthrough: a SaaS hosting capability within cARMY Cloud that compresses Authority to Operate (ATO) timelines from months to weeks. The approach — called UDS Army — enables SaaS-native vendors to deliver applications directly into the Army's secure cloud environment without the traditional 12–18 month authorization gauntlet.
Meanwhile, the Pentagon is preparing JWCC-Next — the follow-on to the $9 billion Joint Warfighting Cloud Capability contract, with over $3 billion in task orders already awarded. Pentagon tech leadership confirmed that JWCC-Next will "open the door" to more vendors, expanding beyond the original four awardees (AWS, Microsoft Azure, Google Cloud, Oracle).
The message is explicit: the military is moving to cloud-native, SaaS-delivered capabilities at scale. The question for software companies is whether they're building for this reality.
To understand the opportunity, you need to understand the infrastructure being built.
The Joint Warfighting Cloud Capability (JWCC) contract, awarded in December 2022, established the cloud infrastructure backbone for the Department of Defense. At $9 billion across four hyperscalers, it provides multi-cloud access from enterprise data centers to the tactical edge.
The numbers demonstrate the demand. The contract ceiling stands at $9 billion, with $3+ billion in task orders awarded to date across four providers: AWS, Microsoft Azure, Google Cloud, and Oracle. Separately, HPE won a $931 million, 10-year DoD private cloud contract.
JWCC-Next, expected in Q1 2026, will expand this foundation. The Pentagon has signaled it will include more vendors — a significant shift that opens the defense cloud market beyond the hyperscaler oligopoly.
DISA's new cloud environment creates three distinct pathways. The classic on-ramp provides traditional, managed cloud environments. The private on-ramp offers dedicated infrastructure for sensitive workloads. And the commercial on-ramp enables commercial cloud services for defense use.
This multi-pathway architecture is designed for flexibility — different workloads, different sensitivity levels, different deployment models, all under a unified management framework. For SaaS vendors, the commercial on-ramp is particularly significant: it provides a standardized path to deliver commercial software capabilities directly to military users.
Let’s build something extraordinary together.
Rely on Lasting Dynamics for unparalleled software quality.
Defense cloud deployments must meet specific impact levels, each with increasing security requirements:
| Impact Level | Data Type | Key Requirements |
|---|---|---|
| IL2 | Publicly releasable | Basic cloud security controls |
| IL4 | Controlled Unclassified Information (CUI) | Enhanced controls, US-based data centers |
| IL5 | CUI + National Security Systems | More stringent access controls, dedicated infrastructure |
| IL6 | Classified (SECRET) | Air-gapped environments, specialized clearances |
Most defense SaaS applications operate at IL4 or IL5. The ability to deploy and operate at these levels is a prerequisite for serving defense — and a significant differentiator for SaaS companies that achieve it.
For years, the Authority to Operate (ATO) process has been the single greatest barrier to deploying software in defense environments. Traditional ATOs involve 12–18 months of assessment and authorization, extensive documentation of security controls often running to hundreds of pages, and a point-in-time evaluation that becomes outdated the moment it's granted. The cost is significant — often hundreds of thousands of dollars per application — and re-assessment is required for every update, creating a perverse incentive to avoid deploying improvements.
Defense Unicorns' collaboration with the Army C5ISR Center demonstrates a fundamentally different approach.
The UDS Army model enables SaaS-native vendors to deploy applications within the Army's secure cloud environment with dramatically compressed authorization timelines. Instead of each vendor independently navigating the ATO process, the platform provides a pre-authorized hosting environment — vendors deploy their applications into a container that is already authorized.
This echoes the Pentagon's broader SWFT (Software Fast Track) initiative, which pushes for Continuous Authorization to Operate (cATO) — real-time compliance monitoring replacing periodic audits. SWFT envisions data-driven trust models where automated security evidence replaces checklist compliance, real-time compliance artifacts are continuously generated and validated, and SBOM mandates ensure full software supply chain transparency.
The shift from point-in-time ATO to continuous authorization is the most significant change in defense software acquisition in the last decade. It transforms the economics of defense SaaS from prohibitively expensive to commercially viable.
Here is where the analysis gets strategically critical for European defense.
DefenseOne reported in February 2026 what defense analysts have been saying privately for years: "The biggest hole in Europe's plans for technological independence may be the cloud."
From idea to launch, we craft scalable software tailored to your business needs.
Partner with us to accelerate your growth.
The reality is stark. European defense cloud infrastructure is overwhelmingly dependent on US hyperscalers like AWS, Azure, and Google Cloud. Distributed large-scale data storage and processing — the foundation of modern defense operations — remains concentrated in platforms controlled by US corporations subject to US law. The CEPA (Centre for European Policy Analysis) assessment is direct: "Cloud systems, satellite networks, AI platforms, and cybersecurity architecture shape sovereignty." Stanford Law's analysis of Europe's "Third Way" to digital sovereignty describes a pragmatic strategy, but implementation in defense remains far behind aspiration.
For European defense organizations, this dependency creates multiple risk vectors. There is legal jurisdiction risk — US law (CLOUD Act, FISA) may compel US cloud providers to disclose European defense data to US authorities. There is political risk — as the Anthropic-Pentagon situation demonstrated, US companies operate within a US political framework that may not align with European interests. Supply chain risk means that US export controls or sanctions could restrict European access to US cloud infrastructure. And strategic autonomy risk is fundamental: Europe cannot credibly claim defense independence while its cloud infrastructure is controlled by non-European companies.
The path forward requires European-built, European-controlled cloud-native defense applications. This doesn't necessarily mean building European hyperscalers (a prohibitively expensive proposition). It means building SaaS applications that can deploy on sovereign infrastructure — applications designed from the ground up for multi-cloud, multi-region, multi-classification deployment, including on European-controlled infrastructure.
Defense SaaS is not Salesforce with a government login. It is a fundamentally different category of software, designed for constraints that commercial SaaS never faces.
Containerized and portable. Defense SaaS must deploy across multiple cloud environments, classification levels, and potentially air-gapped networks. Container orchestration (Kubernetes) with hardened base images (like Platform One's Iron Bank) is the standard.
Zero-trust native. Every request authenticated, every action authorized, every session verified. No perimeter-based security assumptions.
Edge-capable. Military operations frequently occur in Disconnected, Intermittent, or Limited-bandwidth (DIL) environments. SaaS applications must function — at least partially — when the cloud connection is unreliable or absent. Edge computing architectures that sync when connectivity is available are essential.
Multi-classification. A single application may need to serve users at different classification levels simultaneously, with strict separation of data and access. Cross-domain solutions that enable information sharing while maintaining classification boundaries are architecturally complex.
Observability-first. Continuous ATO requires continuous visibility. Applications must generate comprehensive security telemetry — logs, metrics, traces, compliance artifacts — as a built-in capability, not a monitoring afterthought.
We design and build high-quality digital products that stand out.
Reliability, performance, and innovation at every step.
Defense SaaS spans a wide range of operational domains, from logistics and supply chain management — tracking equipment, supplies, and materiel across global operations — to command and control platforms providing real-time situational awareness and decision support. Intelligence fusion applications aggregate and analyze data from multiple sources. Training and simulation through cloud-delivered environments reduce the need for physical infrastructure. Personnel management systems track force readiness, deployments, and certifications. And maintenance and sustainment platforms provide predictive maintenance, parts tracking, and lifecycle management.
Axon's experience validates the model from the commercial side. The company — originally known for Taser hardware — achieved 39% revenue growth in 2025 by transforming into an AI-driven SaaS ecosystem for public safety. The transition from hardware manufacturer to SaaS platform provider demonstrates that defense-adjacent organizations can build massive subscription businesses while serving mission-critical users.
For software companies considering the defense SaaS market, the requirements are clear:
Cloud-native architecture from day one. Applications built as monoliths cannot be retrofitted for defense cloud environments. Microservices, containers, API-first design, and infrastructure as code must be in the original architecture, not bolted on later.
Security by design, not bolt-on. Defense SaaS security cannot be a layer added after the application works. Authentication, authorization, encryption (in transit and at rest), audit logging, and security event generation must be built into every component from the start.
Multi-classification deployment capability. The ability to deploy the same application at different impact levels — with appropriate data separation and access controls — is a key differentiator. This requires thoughtful architecture that separates concerns and enables per-deployment configuration of security controls.
European sovereign cloud compatibility. For European defense markets, applications must be deployable on European-controlled infrastructure without dependencies on US cloud services. This means avoiding proprietary cloud-provider services where possible, using open standards, and designing for infrastructure portability.
Continuous compliance infrastructure. Automated compliance checking, real-time security posture monitoring, SBOM generation, and continuous authorization artifact production should be built into the deployment pipeline — enabling cATO rather than traditional point-in-time ATO.
Companies like Lasting Dynamics, with deep expertise in cloud-native SaaS platform development and European roots, are positioned to build exactly this category of application — defense-ready SaaS platforms designed for sovereign deployment, continuous authorization, and multi-classification environments. The gap between what European defense needs and what the current SaaS landscape offers is where the opportunity lies.
The defense cloud race is real, the infrastructure is being built, and the doors are opening for SaaS vendors who build for this environment. The question is which companies will be ready.
Lasting Dynamics builds cloud-native SaaS platforms with security-first architecture designed for mission-critical environments. To discuss how we can help build defense-grade cloud applications, contact our team.
Internal Links:
- Software Development for the Defense Industry: The Complete Guide
- Defense Cybersecurity in 2026: AI Threats, CMMC 2.0, and the Race to Secure Military Systems
- Software at the Speed of War: How DevSecOps Is Becoming Defense's Secret Weapon
- Europe's €800 Billion Defense Rearmament: Why Software Is the New Battleground
Transform bold ideas into powerful applications.
Let’s create software that makes an impact together.
Michele Cimmino
I believe in hard work and daily commitment as the only way to get results. I feel an inexplicable attraction for the quality and when it comes to the software this is the motivation that makes me and my team have a strong grip on Agile practices and continuous process evaluations. I have a strong competitive attitude to whatever I approach - in the way that I don't stop working, until I reach the TOP of it, and once I'm there, I start to work to keep the position.
