Why the Pentagon Keeps Failing at Digital Transformation — And What Actually Works

In February 2026, the U.S. Government Accountability Office (GAO) published a damning assessment: of 10 critical Department of Defense legacy IT systems flagged for modernization, seven had not been modernized. The systems — many running on infrastructure from the 1990s — support core functions including personnel management, logistics, financial operations, and maintenance. The GAO found that the DoD had failed to establish milestones, assign clear ownership, or even define what "modernized" means for most of these systems.

This is not a new finding. The GAO has been issuing similar warnings for more than a decade. And every year, the response is the same: new strategy documents, new acronyms, new leadership initiatives — and the same legacy systems running the same outdated software.

NextGov summarized the situation bluntly: the U.S. defense sector is in a "diminished state of Defense IT acquisition." The Pentagon spends more on IT than any other organization on Earth, yet cannot reliably execute digital transformation.

The question is not whether defense organizations need digital transformation. The question is why it keeps failing — and what actually works.

The $100 Billion Legacy Problem

The scale of the challenge is staggering. The DoD operates an estimated 3,000+ information systems, many built on architectures designed before the internet era. The Pentagon spent $11.5 billion on IT modernization in FY2025, with a similar figure projected for FY2026. Legacy maintenance costs consume 70-80% of defense IT budgets, leaving only 20-30% for genuine modernization. Perhaps most tellingly, the Pentagon's travel system — Defense Travel System (DTS) — was recently cited as a case study in modernization failure: billions spent on a system that generates more complaints than any other DoD application.

The core problem is not technical. It is structural. Traditional defense procurement was designed for hardware: tanks, ships, aircraft — physical systems with 30-year lifecycles. Software follows a fundamentally different model: continuous delivery, rapid iteration, constant updates. Forcing software into hardware procurement processes is like forcing a fish to climb a tree.

The result is predictable: by the time a software system passes through the defense procurement process, it is already outdated. The requirements defined three years ago do not match the threats of today. The technology specified in the contract has been superseded by two or three generations of advancement. And the vendor, locked into a rigid contract, cannot adapt without triggering a modification process that takes months.

The 2026 Inflection Point: NDAA and Acquisition Reform

The National Defense Authorization Act (NDAA) for FY2026 contains what defense acquisition experts are calling the "most significant acquisition shift in a decade." The legislation mandates software-specific acquisition pathways that separate software procurement from hardware procurement, continuous authority to operate (cATO) provisions that replace the traditional one-time certification model, rapid prototyping authorities that allow software to be developed, tested, and deployed in months rather than years, and commercial technology integration provisions that make it easier to adopt commercial software for defense applications.

In January 2026, the Pentagon announced four separate defense innovation reform initiatives addressing accelerated acquisition timelines, commercial technology adoption, software-defined capabilities, and workforce modernization for digital skills.

The DoD also released a FY2026-2030 Digital Modernization Roadmap — a five-year plan covering cloud migration, data management, AI integration, cybersecurity modernization, and application rationalization.

On paper, these reforms address the exact problems the GAO identified. The question — as always — is execution.

Beyond Lift-and-Shift: What Digital Transformation Actually Requires

The most common failure pattern in defense digital transformation is "lift and shift" — taking legacy applications and moving them to new infrastructure (typically cloud) without fundamentally rethinking the architecture, workflows, or user experience.

Lift-and-shift delivers marginal benefits: slightly better availability, marginally lower infrastructure costs, someone else managing the servers. But it preserves every architectural limitation of the original system: monolithic design, tightly coupled components, batch processing workflows, outdated user interfaces, and rigid data models.

Genuine digital transformation requires a fundamentally different approach:

Architecture Modernization

Legacy defense systems are typically monolithic — single large applications where all functionality is tightly integrated. Changing one component requires testing and redeploying the entire system, which is why changes take months and cost millions.

Modern software architecture uses microservices — small, independent services that communicate through well-defined APIs. Each service can be developed, deployed, and updated independently. This enables continuous delivery with updates deployed in hours or days rather than months, fault isolation so that one component failing doesn't crash the entire system, scalability with individual components scaled independently based on demand, and technology flexibility allowing different services to use different technologies as appropriate.

The transition from monolithic to microservices architecture is the most important — and most difficult — technical challenge in defense digital transformation. It requires deep understanding of both the legacy system's business logic and modern architectural patterns.

Data Liberation

Legacy defense systems store data in proprietary formats, silos, and databases that cannot communicate with each other. A logistics system cannot share data with a maintenance system that cannot share data with a personnel system — even when all three need the same information.

Modern data architecture treats data as an organizational asset, not an application artifact. APIs serve as the primary data access mechanism, providing standardized interfaces that any authorized system can use. Data mesh architectures enable domain-specific data ownership with federated governance. Real-time data streaming propagates events across systems instantly, replacing batch processing. And common data standards — NATO STANAG and national equivalents — form the foundation for interoperability.

User Experience Modernization

The GAO report highlighted that many defense personnel actively resist using modernized systems because they are harder to use than the legacy systems they replace. This is a design failure, not a user failure.

Modern military personnel — digital natives who grew up with smartphones and cloud applications — expect software that is intuitive, responsive, and accessible from any device. Defense software that requires three-day training courses, specialized hardware, or desktop-only access is not modern, regardless of what infrastructure it runs on.

User experience modernization means mobile-first design for field operations, intuitive interfaces that minimize training requirements, offline-capable applications for disconnected environments, and role-based views that show operators exactly what they need.

Security by Design, Not Security by Audit

Traditional defense IT security follows a "build then certify" model: develop the system, then subject it to a lengthy security assessment (Authority to Operate, or ATO) before deployment. This process typically takes 12-18 months and is one of the primary reasons defense IT modernization is so slow.

The modern alternative is DevSecOps — integrating security into every stage of development. This means automated security testing in CI/CD pipelines, infrastructure as code with security baselines, continuous monitoring instead of periodic assessments, and continuous ATO (cATO) instead of one-time certification.

As documented in NDAA 2026 and the DoD's own DevSecOps reference design, the military is embracing this model — but implementation varies dramatically across programs.

Zero Trust Architecture

The Pentagon's zero trust mandate — requiring all DoD systems to implement zero trust architecture by FY2027 — represents one of the most ambitious security modernization efforts in history.

Zero trust fundamentally changes the security model: instead of a fortified perimeter (castle-and-moat), every access request is verified regardless of where it originates. For military IT systems that must operate across classification levels, coalition networks, and tactical edge environments, zero trust is not optional — it is essential.

Implementing zero trust for military operational technology (OT) — the control systems embedded in weapons, vehicles, and infrastructure — is a particular challenge. These systems were never designed for continuous authentication, and retrofitting zero trust into legacy OT requires careful engineering to avoid disrupting operational capability.

The European Imperative

The Pentagon's digital transformation struggles are instructive for European defense organizations, which face the same challenges with smaller budgets and more fragmented procurement structures.

European defense digital transformation has additional factors:

Sovereignty: European defense systems must be developed with European-sovereign technology where possible. The EU's digital sovereignty agenda — reinforced by NIS2, the Data Act, and European cloud certification schemes — means that European defense cannot simply adopt US commercial cloud services without modification.

Interoperability: NATO interoperability requirements mean European defense systems must communicate with allied systems while maintaining national sovereignty. This requires open standards, standardized APIs, and architecture patterns that enable data sharing without creating dependencies.

Scale: Individual European defense budgets are a fraction of the Pentagon's. This makes efficient digital transformation even more critical — Europe cannot afford the Pentagon's pattern of spending billions on failed modernization programs.

Industrial base: Europe's defense industrial base is more fragmented than the US equivalent, with national champions in each country and limited cross-border integration. Digital transformation provides an opportunity to integrate through software — common platforms that connect different national systems.

The EU's €38 billion SAFE (Security Action For Europe) scheme, approved in February 2026, explicitly includes digital capabilities as a funding priority. For European software companies, this represents a significant market opportunity — but only for those who understand the specific requirements of defense digital transformation.

What Actually Works

After decades of defense digital transformation — successful and failed — clear patterns emerge about what actually works:

Start with outcomes, not technology. The most successful defense modernization programs begin with a specific operational problem — not with a technology solution looking for a problem. "We need cloud" is not a transformation goal. "Field maintenance teams need real-time access to parts inventory and repair data from any location" is.

Decompose incrementally. The Pentagon's biggest failures come from attempting to replace entire legacy systems at once. Successful programs modernize incrementally — extracting functionality from monolithic systems piece by piece, wrapping legacy components in modern APIs, and gradually shifting users to modern interfaces.

Measure by user adoption, not by technology deployment. A modernized system that nobody uses is not a success. The DoD travel system is a case study: technically "modern" infrastructure that is universally despised by users because the user experience was an afterthought.

Invest in the team, not just the contract. Defense organizations that build internal software competency — alongside external development partners — execute modernization more effectively than those who outsource entirely. The relationship between a defense organization and its software development partner should be long-term, iterative, and deeply collaborative.

This is precisely the model that companies like Lasting Dynamics follow: embedded teams working alongside defense organizations, building modern software while transferring knowledge and capability. Custom development — not one-size-fits-all products — designed for specific operational requirements, European sovereignty standards, and NATO interoperability.

The Pentagon's failures are not inevitable. They are the result of applying 1990s procurement to 2020s technology. Organizations that adopt modern software practices — agile development, DevSecOps, microservices architecture, continuous delivery, and user-centered design — can modernize effectively, even within the constraints of defense procurement.

The GAO report is not a reason for despair. It is a roadmap of what not to do — and, by inversion, a guide to what works.

Lasting Dynamics helps defense organizations modernize legacy systems through agile, custom software development. Our European-based teams specialize in the incremental, user-centered approach that defense digital transformation demands. Talk to our team about your modernization challenge.

Internal Links:
- Software Development for the Defense Industry: The Complete Guide
- Software at the Speed of War: How DevSecOps Is Becoming the Pentagon's Secret Weapon
- The Military Cloud Race: How SaaS Is Reshaping Defense Operations
- Defense Cybersecurity in 2026: AI Threats, CMMC 2.0, and the Race to Secure Military Systems