Implementing the Third Offset Strategy

Executive Summary

This paper argues that victory in modern conflict won't be determined by superior hardware, but by superior software and the ability to learn and adapt faster than the opponent. It's a move from a strategy of industrial might to one of informational dominance.

The Department of Defense is stuck in the past, operating with an "industrial-age mindset," that is too slow—hindered by bureaucracy preventing us from keeping pace with near-peers like China or with agile non-state actors, and that we're not recognizing that a continuous multi-domain conflict is already underway.

The pillars of the proposed solution is to pivot the Department of War by building on the key principles of treating data, models and code as primary maneuver elements, just as critical as fuel and munitions; that the observe, orient, decide, act loop must be faster than any adversary at all levels of conflict—from skirmish through acquisitions—and that forging deep partnerships with the private sector is the key to modernizing the Department.

The Third Offset Strategy re-imagines the Department of Defense as a Department of War — a learning organization with kinetic consequences.
Its premise is simple: speed, evidence, and adaptability now decide victory. The Third Offset replaces bureaucracy with runtime governance—software-like feedback loops that link doctrine, dollars, and data into one adaptive operating system.

The paper unfolds across five arcs:

1. Structure Revolution — Budget and Authority as Weapons.
Two new Major Force Programs anchor agility: MFP-CYBER funds operational cyber forces directly, while MFP-INNOVATION powers the Defense Innovation Unit and the service innovation commands to field dual-use software at machine tempo. Money becomes portable, measurable, and aligned to learning velocity rather than platform lineage.

2. Cyber as Maneuver — Command of Code.
Cyber superiority is reframed as maneuver through data fabrics. The section introduces reciprocal software factories, dual-use governance, and data as a strategic asset—the infrastructure of decision-dominance.

3. Distributed Lethality — Cheap Mass, Smart Control.
Lethality becomes a flow, not an inventory. The doctrine scales from attritable fleets to swarm-on-swarm combat and “fractalized” training: every Airman or Sailor learns "the family business" as part of professional military education. Cultural re-engineering turns technical proficiency into warrior ethos. New constructs link human-machine teams to additive-manufacturing nodes, creating an elastic arsenal that can reconstitute itself in days, not years.

4. The Human Engine — People as Infrastructure.
The human offset is the Pathfinder: a joint patch community bridging operations, software, and acquisition. Three tiers—Tactical Integrators, Operational Catalysts, Strategic Architects—mirror Weapons School lineage but for digital war. Specialized billets institutionalize the interface between warfighter and code. Supporting reforms include:

• Software & Innovation WepTacs: regular exercises that produce executable artifacts.
• Adaptive Workforce: a gig-based labor mesh where reservists, civilians, and contractors share a unified credentialing and payment fabric, measured by runtime evidence and mission outcomes.

5. Governance — Evidence as Control.
All loops—Doctrine, Industrial, Human, Evidence—converge at the Joint Effects Board. Every contract, billet, and budget line emits runtime proof; every authority is machine-readable; every oversight body sees the ledger in real time. Mission Safety Cases and Rules of Engagement Cages code compliance into autonomy itself, ensuring lawful, auditable AI employment. Allies participate through reciprocity enclaves and a permanent Civilian Arsenal. Success is measured not by force size but by six metrics: time-to-field, learning latency, reciprocity index, evidence integrity, human liquidity, and replication velocity.

Together, these reforms create a defense institution that can think, fund, and fight at software speed. The third offset does not chase a technological silver bullet—it builds an immune system for surprise. When every process learns, every dollar teaches, and every soldier innovates, deterrence ceases to be a posture and becomes a property of the system itself.

---

BLUF: This is a long read.

This paper is long (~28k words). It's also a complete how-to for modernizing the Department of Defense into the Department of War, is backed by references, and is built atop experience as a Special Operations warfighter, a commercial startup innovator, a software engineer, venture capitalist, traditional & non-traditional Defense acquisition professional, and deeply proud American patriot.

Here's the TL;DR version: Stop waiting for new authorities — use the ones you already have.

1. Run one Software WepTac in the next 90 days: pick two kill-chains, one service factory, and one DIU team.
2. Stand up your first Pathfinder cell: one operator, one KO, one engineer, one contractor — give them 30 days and a patch.
3. Adopt the Bag-of-Lemons model for your next SBIR call: open evaluation first, Pathfinder adjudication second.
4. Issue one Outcome CLIN and one API FRAGO — both written, both funded, both measurable.
5. Document everything in your pipeline and make it visible: that’s your first cATO inheritance pack.
6. Compile lists for the four separate Letters of Marque 2.0 lists.
7. Follow the 90-day/1-year/2-3-year plan.

Now, if you want to actually know how and why to do these things, continue below...

---

In paper #2, I mentioned it would be the only paper to have a table of contents. That turned out to not be true. While this paper is meant to be read as a single narrative (unlike paper #2), it is still long and might be better enjoyed in separate chunks, thus a table of contents seems appropriate.

Table of Contents

• Introduction: From Deterrence to Design
• The Logic of Offsets and Institutional Inertia
• Operationalizing Information
• Structure Revolution: Realigning Money, Authority, and Learning
  • A Joint-First Innovation Spine
  • Money That Moves and Measures Learning
    • New Major Force Programs
  • Commander Owned Authorizations
  • JADC2 For Data, Not Micromanagement
  • Governance That Accelerates
• Cyber as Maneuver
  • Data as a Strategic Asset
  • Modernizing RMF
  • cATO Mechanics
  • Industrial Velocity
  • Letters of Marque 2.0
• Distributed Lethality
  • Culture: War is a Family Business
  • Doctrinal Shifts
  • A Million Plane Air Force: Swarm-on-Swarm
  • Human/Machine Teams at Scale
  • Winning Pair of Aces
  • Stigmergic Warfare
  • Electronic Warfare in the Swarm Era
  • The Nervous System of Distributed Lethality
  • Production Logistics
  • Electromagnetic Warfare
• The Human Engine
  • The Software WepTac
  • The Dual-Use/Innovation WepTac
  • Reforming SBIR
  • Bridging the Valley of Death
  • Pathfinder
    • Structure and Assignment Logic
    • Patch Community Model
    • Core Roles and Job Descriptions
    • Talent Sourcing and Rotation
  • Adaptive Workforce: Gig Economy for War
    • Unified Labor Taxonomy
    • Data Driven Workforce Governance
• Governance and the Future Department of War
  • Digital Congress, Digital War
  • Operationalizing Risk and Law
  • The Pathfinder Board and the Human Commons
  • The Role of Allies and the Civilian Arsenal
  • Measuring the Department of War
  • Future War: What Does Fight Tonight Look Like
• Implementation Roadmap
  • 90 Day Plan
  • 1 Year Plan
  • 2-3 Year Plan
• Epilogue: The Future of the Third Offset
• References/works cited and assorted footnotes

---

Introduction: From Deterrence to Design

Deterrence has always been a function of imagination. The first offset strategy (1OS) harnessed nuclear dominance to paralyze Soviet ambition. The second offset strategy (2OS) combined precision and computing power with professional volunteers to bring decentralized execution and agile decision making into maneuver warfare, which in turn made mass obsolete. The third offset strategy (3OS) will be defined not by a weapon, but by a workflow: how quickly a nation can observe, orient, decide, and act.^[1] The OODA loop is no longer just a fighter pilot’s maxim; it is the blueprint for a learning nation. Whoever closes that loop fastest wins strategically, economically, and morally.

Let’s state it plainly: the strategic advantage in modern warfare is no longer a single, exquisite platform. It is the institutional metabolism that turns data into decisions, code into combat power, and telemetry into learning faster than any adversary can match. For too long, the Department of Defense (DoD) has organized itself around an industrial-age economy, treating software as a mere “enablement” for a hardware core. That lens is backward. The United States’ true economic engine is information, software, and networks; victory will come only when we align our doctrine and dollars to what our economy actually produces at scale.

This paper argues for a fundamental shift: a 3OS that treats data, models, and code as primary maneuver elements. They are taskable, targetable, and must be protected with the same seriousness as fuel and munitions. Our adversaries in Russia and China already exploit hybrid tools—cyber, finance, information, and proxies—to grind us down in a continuous, total war in the cyber domain. The People's Republic of China (PRC), for instance, places state-sponsored operators inside U.S. critical infrastructure to pre-position effects for crisis or conflict. We still treat these as “incidents” rather than battles.

The thesis is simple: victory will not come from the most advanced single platform, but from the force that learns and adapts the fastest. The following sections outline a new doctrine built on this principle—a software-centric loop that reorganizes our money, people, and warfighting concepts around speed, software, and survivability.

We must rewire our system from the ground up, because if we do not, the fastest coder in the fight will write our future for us—and we will be left briefing PowerPoint to a war that has already moved on.

The United States has never lacked ideas—it has lacked the institutional machinery to turn ideas into momentum. Paper #1 established why offset strategies succeed when they convert innovation into deterrence rather than into reports. Paper #2 catalogued how our adversaries exploit every dimension of diplomatic, informational, military and economic (DIME) energy to sap that momentum. Paper #3 demonstrated that acquisition and oversight processes optimized for compliance become self-canceling when speed is the metric that matters.^[2] Paper #4 showed that doctrine and procurement must evolve together or both collapse into irrelevance.^[3] Paper #5 made the case that cyberspace is not a supporting domain but a maneuver space—an area where tempo and access are lethal weapons in their own right.^[4]

This paper is the execution blueprint. Our goal is to translate doctrine into structure, structure into policy, and policy into behavior that sustains speed. The 3OS is not a program to fund; it is a way of thinking. It requires that we treat information as both terrain and fuel—a strategic asset to maneuver through, not just a commodity to protect. Operationalizing Information will be our theme and our test: can we design institutions that learn as fast as they fight?

Learning as a Weapon

Every offset hinged on learning faster than the enemy. The 1OS turned the physics of fission into policy before others could understand its implications. The 2OS transformed silicon and software into precision guided munitions (PGM) and command & control (C2). The 3OS will translate data and decision science into institutional maneuver. Our grandfathers built arsenals of metal; we must build arsenals of code and trust.

But the modern bureaucracy is a gravity well. It preserves predictability at the cost of adaptability. Every new initiative must fight through a sediment of legacy authorities, overlapping oversight, and risk cultures that measure success by the absence of mistakes rather than the presence of learning. Our task is not to destroy this machinery but to re-gear it so feedback equals firepower. The doctrine of maneuver must extend from the battlefield to the budget.

From Reactive Procurement to Deliberate Design

We cannot out-spend our rivals, but we can out-iterate them. That requires merging the software logic of DevSecOps with the institutional logic of mission-type orders: push authority to the edge, link actions to intent, and trust feedback over forecasts. When compliance takes longer than combat, security becomes an illusion. Speed is security; learning is deterrence.

This is why continuous authorization to operate (cATO) is not a cyber niche—it is the governance model of the 3OS.^{[5],[6],[7],[8],[9]} The same logic that allows agile software to deploy daily updates must govern how we field hardware, fund innovation, and train people. Every cycle closed faster than an opponent’s decision loop is a victory without fire.

Power in Partnership

America’s arsenal is no longer just industrial—it is civilian. The private sector now commands the compute, talent, and infrastructure that once defined the arsenal of democracy. The 3OS therefore requires a modern Letter of Marque for the information age: legal and contractual mechanisms that allow trusted industry actors to defend national interests under clear authority and accountability. Organizations like the Defense Innovation Unit (DIU), AFWERX, NavalX, Army Applications Lab (AAL), and the Marine Innovation Unit (MIU) are already proving that dual-use collaboration can collapse the timeline between concept and capability.^{[10],[11],[12],[13],[14]} Our challenge is to treat those successes not as exceptions but as templates. If Paper #3 was about breaking things with hammers, this paper is about forging gears.

Purpose

This document will (1) define the organizational architecture necessary to realize the 3OS, (2) detail the cyber and kinetic doctrines that operationalize it (specifically Cyber as Maneuver and Distributed Lethality), and (3) prescribe the governance and funding reforms required for continuous learning. Each section is structured around the OODA loop, because the loop is the offset.

Ultimately, this is a moral argument. A democracy that cannot defend its digital commons cannot remain free. Our adversaries have erased the boundary between peace and war; our choice is to match their tempo or surpass it. The 3OS is not about hardware or software but about velocity of thought and action—about building institutions worthy of the Department of War’s (DoW) original mandate: to deter aggression by making it impossible for the enemy to succeed.

---

The Logic of Offsets and Institutional Inertia

Every offset is born from crisis. The 1OS turned the specter of Soviet armor into a nuclear deterrent. The 2OS replaced the draft with microchips. Both succeeded not because of their tools, but because America reorganized faster than its enemies could react. The 3OS is no different—except that this time, our own bureaucracy is the most dangerous adversary. Our processes have become the problem they were built to solve.

Offsets were never about technology alone. They were about tempo—how quickly an insight becomes an advantage. When nuclear monopoly faded, we turned to precision. When precision normalized, we turned to speed. But today, speed itself has become a policy liability. The Department’s machinery—the planning, programming, budgeting and execution (PPBE) cycle, the risk management framework (RMF), and the program objective memoranda (POM) process—moves at the pace of litigation, not conflict. Each review adds delay; each delay erodes deterrence. Inertia has become our unofficial strategy.^[2],[3]

This is where DIME belongs—not as an acronymic afterthought, but as the strategic scaffold for 3OS execution. Deterrence only “sticks” when the DIME instruments are designed as one loop:

Diplomatic: Pre-consented playbooks, coalition data-sharing clauses, and partner rules of engagement (ROE) alignment shorten political decision latency so operations can start at machine tempo rather than at the speed of a demarche.

Informational: Narrative, telemetry, and classification all become products with lifecycle owners. We don’t just secure information; we maneuver it (collection → fusion → release) to shape perception before shots are fired.^[1],[5]

Military: Force design and doctrine must assume continuous software change as a baseline characteristic.

If you can’t update it at operational tempo, you don’t own it—you rent it from yesterday.

Economic: Budget structures, incentives, and vendor models must reward time-to-fielded-learning, not slideware. The lever isn’t “more money,” it’s money that moves—authorities and payout mechanics that privilege effects over artifacts. The arsenal of democracy is our economic engine which can both benefit the Department directly, but also be wielded directly against our opponents.

Andrew Marshall warned that “a system designed to minimize mistakes will eventually minimize success.” The modern Department proves the point: risk management has drifted into risk paralysis.^[5] The fix isn’t rebellion—it’s re-architecture. Maneuver doctrine must apply to institutions: decentralize control, push decision rights to the edge, and treat adaptability as an operational imperative. Agile Combat Employment (ACE) is not just a basing scheme; it is organizational philosophy.

Three barriers sustain inertia:

1. Temporal mismatch (fielding outruns decisions)
2. Cultural aversion (failure punished more than stagnation)
3. Structural rigidity (no sunsets, risks accumulate).

The 3OS reframes offsets as governance, not gadgets: the 1OS weaponized physics; the 2OS weaponized computing; the 3OS weaponizes feedback. The nation that closes its institutional OODA loop first wins without fighting.^[1],[5]

Innovation isn’t invention; it’s iteration. DIU, AFWERX, NavalX, AAL, and MIU show the system can learn in pockets. But pockets aren’t posture. Without connection to doctrine, budget, and command, innovation becomes an exhibit instead of a capability. This is why most of these innovation organizations have not only failed to scale, but engage mostly in innovation theater.

We don’t need more cells—we need connective tissue that runs through DIME so policy, narrative, authorities, and money accelerate in one loop.

The goal is not just a faster bureaucracy—it’s a learning one. Decisions create data; data shapes doctrine; doctrine resets decisions. The 3OS should not be a program. It should be a reflex.

---

Operationalizing Information

War has always been about perception, but modern warfare is about perception at scale. Information is no longer a supporting domain—it is the domain. The adversary that shapes understanding wins long before it fires a shot. Our problem isn’t that we lack data; it’s that we treat data as something to be secured rather than something to be maneuvered. The 3OS demands that we treat information the same way we once treated terrain, fuel, and firepower.

The OODA loop remains our lens because it reveals the real contest: who learns faster. The loop isn’t just tactical; it’s institutional. Nations Observe through sensors and allies, Orient through data and doctrine, Decide through leadership and law, and Act through policy and lethality. Every offset in our history has been about closing that loop. The 1OS closed it with fission. The 2OS closed it with computation. The 3OS will close it with connection.

Observe

Observation has become omnidirectional. Satellites, sensors, and signatures flood the battlespace with constant input. But raw observation isn’t awareness. We drown in unprocessed telemetry because ownership is fragmented—intel owns some, operations own some, cyber owns most of the rest. To operationalize information, we must unify sensing architectures and authorities under a single mandate: collect once, use many times. The Joint All-Domain Command and Control (JADC2) vision failed not for lack of sensors, but for lack of trust. The data was there; the permissions weren’t.

The fix isn’t another architecture diagram—it’s zero trust architecture (ZTA) as doctrine. If access is based on identity and mission rather than network boundary, information can flow as fast as need demands.^[15] But ZTA alone isn’t enough; we also need encryption and identity schemes designed for open environments. The modern equivalent of Commercial National Security Algorithm (CNSA) 2.0 must allow impact level (IL)-6 level mission data to traverse contested networks, validating packets, not perimeters.^[16] Deterrence in the information age depends on the ability to observe securely at speed.

Orient

Orientation is judgment in motion. We already have exquisite sensors and analytic pipelines, but they’re trapped in classification silos and procurement stovepipes. The key to orientation is trust—not between machines, but between institutions. The current RMF and compliance regimes treat software as static; orientation requires continuous recalibration. We need decision systems that learn like pilots: perpetual, imperfect, self-correcting.

This is where feedback loops matter. The System-Theoretic Process Analysis (STPA) model allows us to define safety not by the absence of failure, but by the presence of control.^{[17],[18],[19]} Applied to cyber risk, STPA becomes the foundation for use of RMF when necessary for dual-use software acquisitions as supported by policy,^{[20],[21],[22]} or the use of the Defense Advanced Research Projects Agency's (DARPA's) Automated Rapid Certification of Software (ARCOS) for software development within a military software factory. Either way, we've created a continuous feedback engine that quantifies uncertainty in motion. RMF should not approve systems; it should train them. Authorization should be a byproduct of performance, not paperwork.

Decide

Decision speed is now the decisive variable of strategy. The 3OS redefines C2 as a competition of latency. The side that synchronizes human and machine cognition without waiting for permission wins. Artificial Intelligence (AI) will not replace commanders; it will become their co-combatant. The challenge is to integrate AI judgment into human accountability without reducing war to math. That means doctrine must evolve as fast as the models it governs. Authority must migrate from prediction to adaptation.

Here, information becomes both weapon and shield. The side that detects faster, correlates faster, and acts faster can out-decide any opponent. But speed without context is chaos. Our policies and architectures must deliver accelerated decision cycles without losing intent. That is what the OODA loop was always meant to teach: that orientation—not observation or action—is where victory lives.

Act

Action is the proof of understanding. To operationalize information is to weaponize learning. The cATO model, born in software, must expand across acquisition, policy, and training. Every feedback cycle completed faster than an adversary’s decision loop is an act of deterrence. The Department’s reflex should be iteration, not preservation.

This means treating every fielded capability as a living system, continuously updated and redeployed. Continuous integration, continuous authorization, continuous learning.^[5] It also means bridging the artificial divide between cyber and kinetic domains. A patch can be as strategic as a strike. A data pipeline can be as lethal as a missile. Information isn’t the fifth domain—it’s the bloodstream of all the others.

The Institutional Loop

Observation is sensors. Orientation is analysis. Decision is judgment. Action is adaptation. Together, they form the institutional OODA loop—the real offset. The 3OS succeeds when our bureaucracy learns faster than our adversaries do. That is the test of deterrence in the information age.

---

Structure Revolution: Realigning Money, Authority, and Learning

We keep telling ourselves the future fight is software-defined, data-fueled, and network-sustained—and then we budget and accredit like it’s still 1998, using a requirements system designed for an economy that hasn’t existed since 1966. This is not a technology problem; it’s a plumbing problem.

The entire acquisitions process, from the PPBE system to the legacy Joint Capabilities Integration and Development System (JCIDS) process, is a Byzantine masterpiece of “honorable waste,” designed for a Cold War that ended over three decades ago.^[3] It is a system perfectly designed to get the results it gets: multi-billion-dollar programs that deliver exquisite platforms ten years late, with incompatible data links^[3] and a cost-per-effect that represents a strategic victory for any adversary willing to throw cheap, smart drones at our flying gold bars.

To break this cycle, we must rewire the only things the system truly obeys: money and authority. If we are serious about a software-centric offset, we must fund and organize for it. Our current institutions were built to minimize mistakes; the 3OS demands we maximize learning. That requires a structural reset across four axes: (1) joint-first innovation governance, (2) money that moves, (3) commander-owned authorization, and (4) data contracts instead of dashboards.

1) A Joint-First Innovation Spine

Unify the “service arms” under a joint parent. Make DIU the joint backbone for dual-use acquisition, with AFWERX, NavalX, AAL, and MIU aligned as service nodes. The goal isn’t centralization of talent—it’s standardization of throughput: common solicitations, common data contracts, common payout mechanics, and common pathways to production. DIU sets the rails; services bring the missions.

One front door, many fast lanes. A single joint intake generates service-specific tracks but retains a common evidence model (software bill of materials (SBOMs), attestations, test artifacts) that cATO can consume without translation.^[23]

Portfolio leadership, not program orphanages. Shift from “innovation cells” to Program Executive Offices (PEOs) aligned to mission threads (e.g., Kill-Chain Resilience, Expeditionary C2, Base Defense), each with a joint board to prevent duplication and to scale wins across services.

Innovation as logistics. Treat commercial integration as a logistics function: repeatable, auditable, and boring. If productionizing takes bespoke heroics, we’re still doing demos.

2) Money That Moves (and Measures Learning)

New Major Force Programs — Funding the Metabolism
The lesson from Nunn-Cohen, born from the ashes of Operation EAGLE CLAW and the chaos of Achille Lauro, is clear: when a warfighting command controls its own Major Force Program (MFP), authority meets agility. When US Special Operations Command (SOCOM) gained MFP-11, it unlocked the freedom to acquire effects at the speed of mission instead of the speed of permission.^[24]

That line from cause → cash → effect is what makes SOCOM dangerous—and what US Cyber Command (CYBERCOM) still lacks. Despite being a Unified Combatant Command (UCC) with a global “defend-forward” mandate, CYBERCOM has no dedicated MFP. We declare cyberspace a warfighting domain and then fund it like a help-desk ticket queue, with its most critical resources trapped inside service-specific Program Elements (PEs) built for jets and hulls.

This structural contradiction is an operational debt we can no longer afford.

We therefore propose two new Major Force Programs to fund the 3OS metabolism directly:

MFP-CYBER (Operational Velocity)

Funds offense, defense, and maneuver in the cyber domain.

Scope: Offensive Cyber Operations (OCO), Defensive Cyber Operations (DCO), deployable toolchains, partner-network on-ramps, and the data / identity / telemetry fabric those teams ride on.

Measurement: Outcomes, not artifacts—reducing Common Vulnerability & Exposure (CVE)^[25] / Known Exploited Vulnerability (KEV)^[26] dwell time; cutting intrusion latency; increasing mean time to detect (MTTD) and mean time to recover (MTTR).

Structure: Mirrors the way cyber is actually fought—mission packages, not program stovepipes. Commanders control spend inside operational risk envelopes validated by cATO pipelines. Utilizes fluid budget, program and activity codes (BPACs) that commanders can dynamically move; software from a Contractor-Owned, Contractor-Operated (COCO) software factory misses a CVE remediation timeline? Commander can use BPAC dynamism to slide funds away to something else; new JADC2 effects minimizing bespoke dependencies from a dual-use vendor through the DIU pipeline?^[14] Commander can slide funds that way.

The 3OS rewards successful code, not PDF Quad Charts.

Doctrine link: Makes Continuous Authorization and ARCOS metrics visible in the PPBE cycle so feedback literally equals funding.

MFP-INNOVATION (Insertion and Scale)

Lives with DIU and funds the time to field (T2F) pipeline.

Purpose: Pay for the movement of technology—from lab or startup to line unit—without forking codebases or waiting for bespoke requirements.
What it buys:

• Reciprocal cATO inheritance packages at scale.
• Modular Open Systems Approach (MOSA) conformance testing suites.^[27]
• Middleware allowing commercial stacks to run on government platforms without bifurcating code.^[6],[23]

Accountability: Measures T2F, not contract award speed. Learning velocity becomes the key performance indicator (KPI).

Funding mechanics: Mirrors MFP-11’s cross-service reach—portable dollars that follow validated performance, not legacy ownership. Together, MFP-CYBER and MFP-INNOVATION form the metabolic pair that fuels the 3OS. One pays for fight-time iteration; the other pays for the on-ramp that keeps new code arriving through the front door.

Operational Mechanics — Making Money Move Like Code

The MFP construct only works if commanders can actually maneuver funds in contact time. That means encoding budget agility inside PPBE execution through BPACs that act like software variables.^[28] Each BPAC carries metadata—mission thread, effect type, risk tolerance, and cATO lineage—so commanders can redirect execution-year dollars inside validated envelopes without reopening POM approval. A re-targeted dollar triggers an automated Funds Change Record that updates the audit trail and evidence ledger in real time.

BPAC Dynamism replaces “colors of money” debates with outcome tagging. Operations, research, development, testing and evaluation (RDT&E), and procurement appropriations retain their statutory walls, but each action reports its loop velocity (time-to-fielded-learning) as a performance metric visible to the Office of the Undersecretary of Defense (Comptroller)/Chief Financial Officer (OUSD/C/CFO) and the Cost Assessment and Program Evaluation (CAPE) office. When feedback velocity exceeds baseline, next-cycle allocations bias toward that commander. In short: money earns trust by moving responsibly.

Feedback as Funding Law. ARCOS and cATO telemetry feed directly into this loop, allowing PPBE re-scoring to happen quarterly instead of every five years.^[27] If a program’s evidence trail shows reduced exploit dwell time or patch half-life, the automation moves a slice of unobligated authority forward. Funding becomes a living control surface—budget as maneuver.

Give Teeth to New Concepts. Fund ACE experiments out of MFP-CYBER and MFP-INNOVATION: portable operations and maintenance (O&M) for expeditionary airfields, containerized Replicator nodes, and temporary surge BPACs that authorize local commanders to buy-by-effect. ACE is a posture as much as a tactic; it dies without money that can follow intent in hours, not quarters.

The Civilian Arsenal and the Contractor Paradox

In kinetic war, uniformed bodies hold ground and absorb risk that only fit, trained humans can survive. We also need teams who can shave 300 milleseconds off an inference path at 0200, refactor a data pipeline before the next sortie wave, and collapse a CVE/KEV patch window from days to hours.^[25],[26] Those are both forms of combat power—one kinetic, one cognitive. In cyber, the decisive arsenal is civilian.^[18] The U.S. private sector owns the compute, the talent, and the tooling that out-scale any government enclave.^[23],[29]

• Fitness is for the objective; shipping is for the effect. Uniform standards exist to ensure people can fight and survive under physical duress. Software effects are delivered through keyboards, continuous integration/continuous delivery (CI/CD), model ops, and telemetry. A coder who lives on Pringles + Mountain Dew and ships a risk-reducing patch faster than the adversary can pivot is performing warfighting labor in the only currency that counts—reduced mission risk.^[30],[31] Optimize them for getting code into production, not dress-right-dress.
• The market is our arsenal. The best developers earn more on the open market than E- or O-grade pay can match. Inventing a one-size-fits-none Military Occupational Specialty (MOS)/Naval Rate/Air Force Specialty Code (AFSC) for “software developer” (with temporary duty trips (TDYs), physical training (PT) tests, promotion boards, and non-coding collateral duties) is a great way to recruit mediocre coders and lose excellent ones. Contract for outcomes instead: service level objectives (SLOs) for T2F (via Middle Tier Acquisition (MTA)^[32] & Software Acquisition Pathway (SWP)),^[20],[21] time to decide (T2D) (via JADC2),^[33] and time to patch (T2P) (via CVE/KEV metrics).^[25],[26]

You can’t order talent to appear; you can pay for measurable effects.

• Health economics are not a side plot. Hire coders as contractors at competitive market rates and the DoD + Veteran's Affairs (VA) doesn’t inherit their 30-year care curve. That’s not callous; it’s clarity. We’re buying short-cycle learning and delivery, not lifetime wellness. Keep uniform billets where they must deploy and fight. Keep contractor billets where they must sprint and ship. That division lowers long-run federal health liabilities and increases near-term operational speed.

Second-order effects:

• Uniformed talent concentrates on command, integration, weapons/tactics, security, expeditionary ops, and mission ownership. Contractor talent concentrates on algorithm engineering, distributed systems, dev tooling, user experience (UX), and data plumbing. The handoff is governed by application programming interface (API) fragmentary orders (FRAGOs) and data contracts, not “good vibes” and hallway agreements.
• Retention flips: coders stay because contracts reward delivery; officers stay because their decision loops finally have software that keeps up.
• Security posture improves: the fastest way to patch CVEs/KEVs is to let people who patch them for a living do it, on shared platforms, with reciprocity.^{[23],[25],[26]}

DIU as Portfolio Command — the “Two Dads” Model

To make innovation more than a thousand science projects, elevate DIU to Portfolio Command, giving it oversight of AFWERX, NavalX, MIU, and AAL. The analogy is deliberate: it mirrors the relationship between SOCOM and its service components such as Air Force Special Operations Command (AFSOC).

• DIU (“Dad #1”)
  • Owns joint standards, cATO inheritance packages, MOSA conformance suites, and workforce credentialing.
  • Steers MFP-INNOVATION to create joint leverage and kill redundant efforts.
• The Services (“Dad #2”)
  • Retain Small Business Innovation & Research (SBIR) / Small Business Technology Transfer (STTR) equities (RDT&E tax from Department of the Air Force (DAF) → AFWERX; Department of the Navy (DoN)'s RDT&E tax → NavalX & MIU, etc.) within their service.
  • Optimize for mission maturation and service-unique prototypes.

This dual-parent model balances central control of chokepoints (standards, safety, money) with freedom and speed at the edge. Like any modular franchise—from SOCOM's task-force architecture to the Sinaloa cartel’s logistics network—it aligns incentives without central bureaucracy.

It builds a sane on-ramp for small business and mobilizes the entire civilian tech base. No longer will a promising technology die in the Valley of Death because a PEO five echelons removed lacks a requirement.

Money and authority flow directly to effects validated by the warfighters who need them.

3) Commander-Owned Authorization (cATO as Command Responsibility)

Authorization is a warfighting function. Move the authority to operate (ATO) beneath the commander of the mission thread, not a distant Authorizing Official (AO). Commanders already own risk. We'll trust them to own pipelines and rollback, with the AO their staff advisor, not a disconnected gate keeper.

• Controls as code; evidence as exhaust. National Institute of Standards & Technology (NIST) 800-53, Security Technical Implementation Guides (STIGs), mission ROE—expressed as policy code executed by pipelines. Every deploy emits machine-verifiable evidence for auditors (both human and agentic) to review proofs, not screenshots.^[34]
• Maneuver in trust. Replace static RMF cycles with STPA→ARCOS guardrails that recompute trust at runtime. Authorization becomes a byproduct of performance, enabling maneuver in software at operational tempo.^{[17],[18],[19],[35]}
• “ATO on Rails.” DIU's joint spine provides reference pipelines (signing, attestation, supply-chain levels for software artifacts (SLSA), software package data exchange (SPDX)) any portfolio can inherit—lowering risk, accelerating audits, and standardizing velocity.
• ACE demands ATO at the commander’s lane: reference cATO pipelines that inherit DIU validation packages so a deployed squadron can spin up new software/payload stacks without a centralized AO. Authorization becomes maneuver — commanders own the risk envelopes and the rollback knobs.

4) JADC2 as a Data Contract (Not a Joystick)

Bottom line up front: JADC2 is not a single pane of glass for senior-leader micromanagement; it’s a federated data contract: schemas, identity, lineage, and service level agreements (SLAs) that let units fight as one without waiting on headquarters.^[33] JADC2 isn't a system for flag officers/general officers (FOGOs) to re-live their company-grade officer time. Micromanagement of C2 is the center of gravity (COG) we ruthlessly exploit to destroy our enemy, and is unnecessary in a modern professional military of highly educated junior officers and senior non-commissioned officers (NCOs) utilizing centralized command and decentralized execution tenets and flexible doctrine. It's been the centerpiece of American martial superiority for generations, so using JADC2 as an excuse for senior leaders to think they are still tactically relevant while in a swivel chair on another continent is self-aggrandizement.

Technologically, JADC2 data pipes need to utilize modern commercial capabilities to drive up innovation and drive down costs.^[33]

• Access-by-identity and posture. ZTA ties data use to mission role, device health, and policy—not geography or subnet. Data moves at the speed of authority, not the speed of a virtual private network (VPN).^[15]
• Operate over dirty pipes. With a modern crypto posture (CNSA 2.0) and IL-6 class data protection, we can maneuver mission data over contested/commercial links—validating packets, not perimeters.^[16]
  • The primary, alternate, contingency & emergency (PACE) plan for JADC2 (in fact, for the entire Department of Defense Information Network (DoDIN)) should be optimized for time, learning, and adaptation, not legacy communications standards from a bygone era. Using CNSA 2.0 and ZTA atop them allows us to protect packets, not copper, which in turn allows us to use anyone's copper, driving down costs. By using modern post-quantum cryptography (PQC), even tactics like harvest now, decrypt later (HNDL) can be avoided.^[36]
    • Primary: Commercial internet from the best performing and lowest total cost of ownership internet service provider (ISP).
    • Alternate: Utilize commercial satellite internet.
      • Yes, Starlink. The idea that military satellite communications (SATCOM) is more secure is itself delusional. Even worse, the military constellation is horribly non-survivable in a true war. The idea that the 28 satellites (five MILSTAR, six advanced extremely high frequency (AEHF) satellites plus their two enhanced polar system cousins, the four Mobile User Objective System (MUOS) satellites (plus the spare), and the ten wideband global SATCOM systems) will survive a contest against a space-capable enemy is laughable. Even the 126 planned "Proliferated Warfighter Space Architecture" vehicles added into that becomes an easily targetable and denied 154 systems. By comparison, Starlink has more than 8000 satellites in orbit,^[37] constantly adding more, and immensely more available bandwidth for use.
    • Contingency: Tactical radio communications (like high frequency (HF) connections).
    • Emergency: Couriers with signed media.
  • This works for not mere JADC2, but for everything, including email on base.
• Schema registry > slide deck. JADC2's beating heart is a registry (ontologies, versioning, test suites) that makes interoperability provable. If a unit can’t publish and subscribe at machine tempo, it’s not in the fight.

5) Governance That Accelerates

• Doctrine + budget + code = same loop. Portfolio boards include ops, comptrollers, lawyers, and science & technology (S&T) in the same sprint cadence, so policy shifts at the speed of commits.
• Sunset clauses. Authorities, pilots, and controls carry expiration dates—renew on demonstrated effect, not inertia.
• Metrics that deter. Time to Authorize Change (TTAC), exploit dwell, patch half-life, evidence completeness, and effect-per-dollar become the scorecard—not “number of pilots” or "quantity of tanks."
• No more museum pieces. If a capability can’t update at operational tempo, we don’t field it.

Bottom line: The Structure Revolution makes learning the product. DIU provides the rails, portfolios provide mission pull, money pays for iteration, and commanders own authorization. JADC2 becomes a contract that lets warfighters self-synchronize. This is how the 3OS becomes a reflex—not a program.

---

Cyber as Maneuver

War Is Movement.

In the twenty-first century, that movement is digital—executed in microseconds, measured in packets, and fought across code, data, and identity. The network is the new terrain; the packet is the new round. Yet our institutions still treat cyberspace as a service to “real” warfare rather than a maneuver domain in its own right.

The 3OS reframes cyber not as an auxiliary but as a principal arena of maneuver: persistence, tempo, and learning velocity now determine initiative. Whoever can move, adapt, and recover faster inside the digital battlespace will dominate every other domain. If we do this, our airpower becomes fractal, our decision cycles compress, and our learning outruns adversaries who still believe victory is a line item of steel.

The Doctrinal Imperative

If maneuver in the physical world is about position, cyber maneuver is about presence—maintaining trusted access and denying the same to an adversary. cATO is therefore not a compliance loophole but a doctrinal expression of digital mobility. As mission-type orders empower field commanders to act on intent, continuous authorization empowers systems to act on validated trust.

A modern cyber maneuver doctrine fuses DevSecOps with the OODA loop: observe through telemetry, orient through analytics, decide through AI, act through automation, learn through feedback. Each loop closed faster than an adversary’s compresses their options. Speed is not just a metric; it is the moral high ground of the information age.

Data as a Strategic Asset — Terrain and Fuel

Data is no longer a commodity; it is both terrain and fuel. Maneuvering in cyberspace means maneuvering through data.

• Terrain: Every dataset defines where we can stand and how far we can see.
• Fuel: Every labeled record, merged change set, and updated tactics, techniques and procedures (TTP) powers the engines of adaptation.

The 3OS treats data as a warfighting resource with the same rigor we once applied to ammunition.^[38] Ownership is defined by ontology and accountability: every dataset has a custodian, a drift budget, and a test harness.

Today, “data” shows up as an unfunded annex or a science project attached to a platform. Flip it: Mission Data JADC2 becomes where the deliverables are ingestion pipelines, cleaning/labeling capacity, lineage, quality scores, and access pathways—not a pile of comma-separated values (CSV) on a share drive.

Scope (clear and bounded): by mission family (intelligence, surveillance & reconnaissance (ISR), strike, mobility, C2, ACE), not by platform. That ensures F-35 imagery and MQ-9 full-motion video (FMV) flow through the same ISR data thread with shared contracts and tooling.

• As an example, ACE depends on data fabrics that respect mission identity and latency. Edge cATO packages, ZTA identity tokens, and ARCOS trust metrics let local nodes operate autonomously while preserving centralized auditability. AI augmentation—airborne or ground—makes decisions faster, but only within machine-verifiable predicates and human escalation rails.^[39]

Budget shape: sustain the data like you sustain fuel—base O&M for pipelines and catalogs; RDT&E to evolve labels/ontologies and add new sources; procurement for commercial feeds/services when it beats building. The National Cybersecurity Strategy backs this posture; the Chief, Data and AI Office (CDAO) is chartered to do exactly this alignment job.^[40]

Outputs you can grade: freshness (P95 age), completeness (coverage vs target set), label fidelity (inter-rater κ/F1), lineage depth (provenance hops), and T2D for the supported thread. Bonuses (literally, Outcome contract line item numbers (CLINs)) pay when the metric moves.

From RMF to STPA→ARCOS — Risk as Control in Motion

Static compliance frameworks like the RMF assume static systems. In a maneuver domain, static equals dead.

STPA redefines safety as control, not absence of failure. Applied to cyber risk, STPA becomes the foundation for ARCOS—a living feedback engine that quantifies uncertainty in motion.

How the loop works:

1. Observe: Continuous telemetry from pipelines—SBOM diffs, runtime exploits, behavioral drift.
2. Orient: STPA maps hazards to controls; ARCOS calculates trust confidence and uncertainty.
3. Decide: Policy engines apply mission predicates—allow, degrade, quarantine, deny.
4. Act: Deploy controls, reconfigure networks, update code—automatically and reversibly.

Authorization becomes a byproduct of performance, not paperwork. Commanders maneuver trust the way they maneuver fires.

cATO Mechanics — Commanders Own the Loop

Continuous Authorization to Operate is the operationalization of that control loop.

• Pipelines as doctrine: Immutable, replayable pipelines—from source to deploy—form the backbone of every maneuver.
• Controls as code: STIGs, NIST 800-53 families, and mission ROE expressed as policy code, executed continuously.^[34]
• Evidence exhaust: Each deploy emits machine-readable proofs for auditors to verify—audits become science, not theater.
• Authority alignment: ATOs move under commanders. Risk belongs with those who fight it, and those who can accurately judge the mission risk of NOT implementing new code, a skill AOs lack.

But the alternative is to keep losing calendar while we win PowerPoint.

Industrial Velocity — Dual-Use and COCO Factories

Software factories are the arsenals of the 3OS. Yet our industrial base remains bifurcated between dual-use and COCO models. The first speaks “commercial velocity,” the second “government compliance.” The result: two codebases, two pipelines, and no shared learning.

The fix: a single inheritance model. Commercial pipelines enter through the front door—pre-cleared via DIU standards,^[23] cATO packages, and facility clearances (FCL) as-a-Service enclaves. Dual-use and COCO factories become peers on the same rails: signed artifacts, common attestation layers, unified SBOM lineage.

Practical Integration Pathways. In practice, dual-use and COCO pipelines converge through three repeatable interfaces:

• Front-Door FCL Enclaves (Facility Clearance as a Service): DIU-vetted cloud environments host commercial pipelines with temporary facility clearance wrappers so unclassified code can inherit classified runtime trust without duplicating infrastructure.^[41]
• Reciprocal cATO Inheritance Packages: Each vendor receives a machine-readable cATO bundle—controls, test artifacts, and signing chains—that plug into government pipelines. No re-accreditation, just attestation updates.
• Ordering Guides and BPAC Playbooks: Every modernized PEO maintains a live Ordering Guide defining interface contracts, payment trigger conditions, and escrow attestation flows. When a COCO factory fails to hit its SLO (window-to-patch or mission effect), funds will naturally migrate to a dual-use provider inside the same mission thread BPAC.

This eliminates the two-codebase problem: civilian onboarding partners operate at commercial velocity, government factories retain sovereign control, and both produce verifiable artifacts on a common ledger. Learning and compliance run on the same rails.

If a civilian vendor produces code at machine tempo, we import that speed lawfully through continuous attestation and escrowed oversight. The private sector’s velocity becomes a public-sector weapon. Civilian software speed equals national maneuver speed.

Letters of Marque 2.0: Bounties, Guardrails, and Continuous Cost-Imposition

If the private sector owns the majority of compute, code, and connectivity, deterrence must extend to it lawfully. Letters of Marque 2.0 update 18th century authorities (Article I, Section 8, Clause 11 of the US Constitution) for the digital era, turning private speed into state capability without sacrificing control. The construct operates under a national charter, four transparent mission lists, and rigorous oversight.^[42]

Management and Oversight

A Letters-of-Marque Office — National Security Council (NSC)-chaired, with Department of State (DoS), Department of Justice (DoJ), Treasury, Department of Homeland Security (DHS) — especially the Cybersecurity and Infrastructure Security Agency (CISA), and DoD — particularly CYBERCOM and CDAO — publishes charters, adjudicates nominations, and manages escrowed, auditable payouts. All actions occur under Law of Armed Conflict (LOAC)/Tallinn Law compliance.^[43]

Metrics: dwell-time reduction, open source software (OSS) coverage, and cost-per-verified effect. Collisions with active CYBERCOM ops pause payment and trigger review.

The Four Lists

White List — Secure the Commons

Purpose: fund continuous OSS supply-chain hygiene.
Deliverables: monitored package sets, upstream fixes, and signed attestations consumable by cATO pipelines. Success is measured by MTTD and coverage, not per-find bounties.

Red List — Find and Fix Ourselves

Purpose: pay bounties for vulnerabilities and rapid patch deployment across DoD enclaves and critical defense industrial base (DIB) services.
Deliverables: deployable fixes, forensic playbooks, and configurations validated for immediate cATO consumption. Compensation scales with blast-radius avoided.

Blue List — Build the Tools

Purpose: develop and maintain government-directed capability modules — exploit scaffolds, emulation kits, and lawful-use wrappers.
Deliverables: reproducible modules with SBOMs and usage predicates; each expires upon patch release or CVE closure.^[25]

Black List — Authorized Cost-Imposition

Purpose: identify foreign entities eligible for lawful disruption effects executed by licensed vendors under strict authority.
Process to publication:

1. Nomination → NSC Cyber Directorate.
2. Validation → DoS + DoD + DoJ + DHS.
3. Legal Review → Foreign Intelligence Surveillance Act (FISA) Court (scope + legal legitimacy).
4. Authorization → Congress (Senate Select Committee on Intelligence).
5. Publication → open target list for licensed actors.

Operations occur in defined bands only; payouts are escrowed and fully auditable by Treasury and DoJ. Steps 1-4 are classified; no one knows who is nominated on the list until it's published. Black actions include that human-safety and critical-infrastructure carve-outs are non-negotiable; for actions that will impact human safety, DoD will engage in those directly.

Avoiding the tragedy of the commons

• Deconfliction with CYBERCOM and allies is real-time. If a Blue/Black action collides with an in-progress operation or intel source, the stoplight turns red and the chartering authority pauses payment until conflict resolves.
• No “stockpile and pray.” Blue List modules have expiration and review cycles; if a CVE/KEV fix lands and defenders patch, we retire or repurpose.
• Civilian protections and human safety are non-negotiable. Effects that risk physical harm, medical systems, or public safety are out of scope unless explicitly authorized with additional safeguards (rare, and under direct military command).
• Allies first. If a listed entity has infrastructure in a partner state, we use consent-based playbooks; Black List isn’t a hall pass to create diplomatic incidents.
• Metrics or it didn’t happen. We score: vulnerability dwell-time, time-to-patch on Red finds, OSS coverage on White, effect-per-dollar on Black (with collateral-risk score at zero), and collision rate with ongoing ops (should be vanishingly small).
• We're making the commercial world our arsenal, and that includes using commercial solutions for middleware to make bilateral access between vendors and government program managers (PMs) transparent.

AI as a Co-Combatant

Artificial Intelligence is no longer a tool; it is a teammate.^[39],[44] Properly bounded, it observes, orients, decides, and acts inside human intent.

Roles:

• Advisor: Fuses multi-domain data for commanders; humans retain veto.
• Agent: Executes routine tasks—patching, drift correction—within ROE-coded cages.
• Actor: Conducts time-critical missions (counter-jamming, micro-segmentation) under positive human control.
• Auditor: Logs every decision path—model, data, outcome—for accountability.

Governance:

Every AI mission thread carries an Operational Safety Case describing hazards, mitigations, and fallback states. Policy cages encode ROE, no-strike lists, and geography. Continuous red-team and deception testing detect model drift.

Governance lives at three levels:

1. Engineering: Verification, provenance, retraining cadence.
2. Operational: Confidence thresholds, escalation procedures, human-in/on-the-loop triggers.
3. Strategic: Ethical and legal audits ensuring alignment with LOAC and democratic oversight.

AI's reliability is not faith; it is measured trust.

Measures That Matter

• TTAC at the edge.
• MTTD and MTTR.
• Exploit dwell-time (down), patch propagation half-life (down).
• Evidence completeness (up).
• Learning velocity: labeled datasets, merged change sets, updated TTPs. If a trial doesn’t produce those, we ran a pageant, not a practice.

Cyber as Maneuver is where doctrine meets engineering. It binds data, pipelines, industry, and AI into a single reflex of adaptation.^[44] It is how we make institutions move at the speed of code—and why, in the 3OS, learning itself is lethality.

---

Distributed Lethality — Focus on the Department of War

The Department of War’s core mission is simple: produce and preserve lethal advantage. If the 3OS is about learning, Distributed Lethality is its muscle—the organizational and material posture that converts speed and information into decisive effects. Distributed Lethality is not a platform fetish; it is a generative design principle. It asks: how do we make lethality cheap, ubiquitous, resilient, and rapidly replaceable so that tempo and adaptation—not single-system superiority—decide contests of force?^[45]

Doctrine: Lethality as a Flow

Traditional force design treats lethality as a set of scarce, expensively maintained capital items. Distributed Lethality treats lethality like supply and maneuver: it must be producible, distributable, and continuously improvable. The Department of War holds three doctrinal commitments:

• Lethality must be cheap enough to be mass-produced and cheap enough to lose the end items.^[46],[47]
• Lethality must be composable—small modules that combine into large effects under mission intent.
• Lethality must be updatable in the field—software, tactics, and payloads evolve as adversaries adapt.^[48]

Viewed through the OODA loop, Distributed Lethality compresses the “Act” and accelerates the “Observe–Orient–Decide–Act” turnover: the faster you can replenish, reconfigure, and redeploy effects, the less value an adversary gets from any single kill.^[45]

Fractalized Lethality — Culture, Training, and Scale

Fractalized Lethality reframes force design so that lethality is both composable and cultural. The technical architecture—modular payloads, open standards, and cheap attritable platforms—matters. But doctrine and industrial posture alone will not produce scale unless the force itself thinks in fractals. That requires embedding the practice and pride of being part of the fight across the entire force, not just in a handful of specialist units.

Culture: make war a family business

The Army and Marine Corps bake warrior-ness into their institutional DNA. To make fractal lethality real across services, the Air Force and Navy must build similar cultural habit—one where every airman and sailor understands they are part of lethality delivery, even if their day job is logistics, maintenance, or comms. That doesn’t mean turning everyone into combat pilots; it means giving everyone an operational touchpoint with the weapons and data economies that win fights.

Treat small unmanned systems training (small unmanned aerial systems (sUAS) for Air Force, and the Navy's small unmanned surface vehicles (sUSV) and small unmanned underwater vehicles (sUUV), collectively all part of the "sUxS" family) as a core Professional Military Education (PME) thread—from recruit/basic training through mid- and senior-career schools. The goal is fourfold:^[49],[50]

1. Normalize competence: every service member learns to operate, supervise, or evaluate small unmanned systems and swarm behaviors as a baseline skill.
2. Build ownership: if everyone participates in generating capability (piloting, data-labeling, simulation), they feel the mission as theirs—not a distant program office’s responsibility. Lethality is the family business, and they feel like they are part of it.
3. Create a continuum of talent: basic exposure produces pathways (manned-unmanned teaming, collaborative combat aircraft (CCA) supervision, replicator ops) without forcing every person into one narrow MOS/AFSC/Rate.
4. Embed armed sUAS training alongside first person view (FPV) and sUxS curricula: trainees learn not only the nuts and bolts to generate data & tactics, and to operate low-cost escort and defensive counter-air (DCA) platforms that protect ACE basing and escort one-way attack (OWA) nodes, but they also are deeply involved in the violence of war in an expeditionary fight with training throughout their career. While FPV use of sUAS is essentially the "Sopwith Camel" level of TTP relative to what swarm autonomy is capable of, it is both a valuable tactic at the skirmish level of ground combat (so very applicable for a Joint Terminal Attack Controller (JTAC) with a ground combat unit), and also an excellent training resource for AI agents.

Training that scales — data and recruitment spillovers

Training people to fly FPV or run sUxS in benign environments is not merely a convenience for wartime scale; it is a force-multiplier in peace. Three downstream effects matter:^[49],[51]

• Data generation: mass training produces labeled, timestamped behavior datasets that directly feed modeling, behavior cloning, and adversarial testing for CCAs. Those datasets are the fuel that accelerates model maturity and shortens the cycle between prototype and operational agent.^[51],[52]
• Simulation fidelity: trainees and commanders who run tactics in the same simulated environments that the models see create ontological alignment—human judgments and agent policies speak the same language. That reduces friction when handing authority to CCAs in theater.^[53]
• Recruiting & outreach: consumer-grade training/game apps on commercial stores (Google Play / Apple App Store) create a talent funnel and public goodwill. Gamified FPV experiences, properly calibrated, give recruiters realistic signals about aptitude and interest without costly selection pipelines. The Air Force can do even more with a sUAS simulator on a phone—letting people simulate killing Russian forces in Ukraine—than the Army did with ARMA. Because while ARMA was an effective recruiting tool, it wasn't a training and modeling tool that could directly benefit lethality on the battlefield. The Air Force has an opportunity to gamify training and modeling.

Put simply: when millions of training flights produce hundreds of thousands of labeled episodes, your Replicator and CCA pipelines have a living laboratory of behaviors to train on.^[47]

Joint reach — sUxS for sea and undersea

Fractalized Lethality is not just air-centric. For the Navy, the same ethos and PME thread apply to sUSVs and sUUVs—that distribute sensing, decoying, and strike to the fleet’s margins. Embedding proficiency into sailor career tracks creates a Navy that can think in distributed presence:^[45],[49]

• Surface nodes host sensor packages and loitering effectors that can be rapidly recomposed into task-tailored swarms.^[45],[54]
• Undersea buoyant/propulsive small systems provide distributed anti-submarine warfare (ASW) sensing, deception, and expendable local effects.^[49]
• Equip select sUSV/sUUV nodes with lightweight effectors so they can perform escort, interdiction, and local defensive duties in support of distributed naval taskings.

Because the document is joint by design, training and credentialing pipelines should be interoperable: a reservist or contractor who learned sUAS tactics in the Air Force can credibly contribute to a Navy sUAS surge, and vice versa, because the ontologies, rules-of-engagement cages, and evidence exhaust are shared.^{[48],[50],[55]}

Doctrine & PME implementation (practical moves)

• Curriculum insertion: sUxS fundamentals in initial entry training; tactical employment and swarm management in intermediate PME; operational design and Replicator oversight in senior PME.^[47],[49]
• Badge and credentialing: create modular, time-limited credentials that authorize individuals to supervise X-class CCAs or run Y-level Replicator production nodes; credentials are portable and tied to evidence of practice (flight hours, simulation scores, labeling contributions).^{[47],[52],[53]}
• Career incentives: promotion boards and accession pipelines that value measurable contributions to learning velocity (datasets produced, modules fielded, replication throughput) for roles where it applies.^[47]
• ACE is doctrine taught from day one: PME modules that train squadron commanders on mission-thread design, local risk acceptance, and replicator logistics so agile basing is not an ad-hoc idea or an attempt to rehash MacArthur-era tactics, but a certified capability.
• Civilian bridge programs: short-term mission clearances and joint training exchanges (such as the DoD Chief Information Officer's (CIO's) Cyber & Information Technology Exchange Program (CITEP)) to draw industry talent into tactical centers for surge periods without full-service commitments.^{[27],[56],[57]}

Operational payoffs

• Manufactured resilience: a force with many small nodes recovers faster from losses because people across the force can reconstitute capability in theater.^{[45],[47],[56],[58]}
• Democratized initiative: when local crews know how to call, configure, or deploy a swarm, the operational OODA loop shortens at every level.
• Talent pipeline: consumer-grade entry points and clear credentialing turn training into recruitment, lowering cost-per-hire for key coding, machine learning operations (MLOps), and systems roles.^[59]

Risks & safeguards

Training thousands to fly and manage unmanned assets increases surface risk vectors (misuse, accidents, leaks). Guardrails: credential gating, data-provenance policies, Operational Security (OPSEC) training baked into PME, and continuous attestation for tooling used in public-facing training apps. No trainee dataset is a production input without passing cATO inheritance packages and SLSA-style attestations.^[48],[60]

Armed sUAS: legal, safety, and arming predicates

Transitioning sUAS and CCAs into armed effectors multiplies capacity but demands stricter guardrails. The operating model should be:

1. Policy-coded arming: arming tokens are cryptographically bound artifacts that include mission predicate, time window, evidence stack (sensor fusion result hashes), and authorizing signatory; hardware will refuse to arm without a valid token.
2. Graduated escalation: low-lethality interdiction effects (e.g., nets, non-kinetic interdiction) may be authorized at lower confidence thresholds; lethal effects require multi-sensor corroboration plus human-in/on-loop confirmation at pre-defined confidence thresholds unless a previously authorized "surge predicate" is active.
3. Auditable after-action: every arming event, sensor trace, and decision chain is preserved in tamper-evident provenance logs and subject to legal/joint review. Funding must underwrite the sensor redundancy and attestation fabric needed to make lawful arming credible.

Why: if we cannot show a trustworthy, auditable chain that lethal sUAS were authorized and executed inside agreed rules, the political and legal cost of errors will swamp operational advantage.

Swarm-on-Swarm and the Million-Plane Concept

Swarm-on-Swarm is not a toy; it is a tactical ecology. In large-scale conflict the decisive fights will be distributed skirmishes of autonomous systems, human-machine teams, and electronic effects.^[61] To win those fights we need both volume and coordination.^[54]

The Million-Plane thought experiment reframes force sizing for the information age: what happens if the baseline design assumes orders-of-magnitude more air nodes—a mix of micro unmanned aerial systems (UAS), attritable loiterers, and larger manned/unmanned teaming nodes—connected by JADC2-like data contracts, not a single monolithic command bus?^[33]

Design consequences:

• Heterogeneous swarms: Mix low-cost, high-density swarms (sensors, decoys, cheap strike) with higher-end command nodes to enable mission-level intent, targeting, and escalation control.^[52],[54]
• Distributed C2: Instead of a central brain, swarm control uses distributed intent layers: mission intent, behavioral primitives, and adjudication nodes (humans-in/on-the-loop only when needed).^{[33],[55],[62],[63]}
• Resilience by redundancy: Survivability comes from distributed presence and fast regeneration rather than armor alone.^{[45],[47],[58]}

Winning swarm fights requires highly tuned sensing/labeling pipelines, latency-minimized decision fabrics, and rules-of-engagement architectures that let local agents make destructive decisions only inside validated mission predicates.^[53],[55]

Swarm-on-Swarm Tactics: dogfighting, spoofing, deception, and adjudication

A swarm fight is more than numbers; it is an information contest where deception and spoofing are primary weapons. Doctrine must prepare for adversary efforts to (a) inject false pheromones (fake death markers or global positioning system (GPS) offsets), (b) mimic friendly attestation tokens to sow confusion, and (c) create electromagnetic mirror clouds to distort sensing. Countermeasures include multi-modal corroboration (cross-referencing radio frequency (RF) emissions, optical, acoustic, and chemical cues), moving-window trust windows (time-limited confidence weights for recent signals), and adjudication nodes that vote on contested perceptions. Adjudication should be multi-axis: local fast adjudicators (latency prioritized) execute immediate safety actions, while higher-confidence theater adjudicators (bandwidth-tolerant) re-score global trust and can revoke or adjust local priorities. Rules for adjudication and revocation are policy code objects delivered in mission packets and visible to auditors.

Ultimately, the lowest total cost of destruction of sUAS is by expendable ordnance on sUAS. A commercial off the shelf (COTS) bullet for small arms is a tiny expenditure, and when fired by a sUAS, it becomes an incredibly low-cost method to "punch through" swarms. This is scalable for swarm-on-swarm effects; the same low-cost sUAS that may be more expensive than their OWA brethren are still mission expendable for swarm-on-swarm fights. They are effective when employed for base defense, especially in an ACE construct, where they can recover, re-arm, and re-establish DCA, for a significantly lower total cost of ownership. Unlike expensive sUAS defense systems,^[64],[65] tactical sUAS fighters performing a DCA role over ACE basing has numerous advantages: autonomous defense, extreme low cost, and modularity with both identical software bill of tactics (SBOT) dependencies and cATO deliverables as OWA counterparts and integration with diverse RF and electronic warfare (EW) defense mechanisms for swarm-defense at scale.

Tactical consequence: these mechanisms make spoofing expensive and detectable; they turn baiting and deception into resource drains for an attacker. And "fighter sUAS" can both pave holes in enemy swarms during swarm-on-swarm actions and provide effective defense for our forward operating locations for lower total cost than niche effectors.

Sustaining a Million-Plane Force: airspace and spectrum management at scale

A force designed for orders-of-magnitude node counts requires rethinking airspace management, spectrum allocation, and deconfliction. Three technical and regulatory elements are essential:

1. Dynamic airspace micro-cells — temporary, localized airspace blocks that are allocated and de-allocated by mission intent and signed into the JADC2 registry so agents can self-coordinate inside known microcells
2. Spectrum zoning — mission-thread allocation of frequency bands with pre-negotiated fallback bands and collision policies
3. Automated deconfliction horizons — low-latency predict-and-notify services driven by shared intent vectors that reduce kinetic fratricide and mid-air collisions.

The DoD must work with Federal Aviation Administration (FAA) and allies to pre-authorize tactical microcells and to harden the governance for transcontinental movement of attritable nodes. The sustainment model must also include distributed refuel/repair nodes and rapid-swap payload bays so lost nodes can be replaced without centralized long-haul lift.

CCA / Replicator — Human-Machine Teams at Scale

CCA and Replicator economies are the operational lever that converts fractalized lethality from concept to inexorable practice. CCAs are attritable, mission-scoped air nodes—designed for scale, relatively inexpensive compared to manned systems with similar capabilities, and optimized for cooperative teaming. Replicator, originally a concept borne from a US Indian-Pacific Command (INDOPACOM) concept of operations (CONOP), needs to change into the industrial, software, and logistics playbooks that let the Department produce sUxS and CCA nodes quickly, repeatedly, and with evidence trails that make rapid fielding lawful and auditable. What Replicator became between August of 2023 and September of 2025 was nothing short of a disaster. As it is, we must reimagine Replicator into an effective merger of industry and Defense for various collaborative advantages across the surface of DIME.

What CCAs actually are

• Attritable combat nodes: low-cost airframes or loiterers optimized for specific mission threads (e.g., massed ISR, decoys, short-range strike, electronic attack). They are built to be plentiful and replaceable, not invulnerable.
• Collaborative: CCAs operate as elements within heterogeneous formations — from micro-sUAS swarms to mid-tier replications — executing mission intent through coordinated primitives (sense, nominate, prosecute, exfil). Human supervision is retained for escalation and intent; autonomy fills the time-critical gaps.
• Composable: CCAs expose standardized mission interfaces and SBOM-backed payload slots so planners and Replicator pipelines can recompose effects on demand. They are nodes in a larger fractal effect, not standalone decision agents.

How Replicators work (operational mechanics)

• Digital twin → rapid proof → production: Design artifacts move from simulation to a validated digital twin, through automated policy checks (cATO inheritance), and into containerized production nodes (additive + modular assembly) that can spin up local batches near theater.^[66]
• CI/CD for hardware: Replicator pipelines mirror software CI/CD — iterative design revisions, automated acceptance tests, and machine-readable evidence exhaust for each batch so authorization and audit can be continuous, not episodic.^[48]
• Evidence exhaust & provenance: Every reproduced effect emits SBOMs, attestation tokens, telemetry baselines, and lineage metadata that feeds cATO/ARCOS metrics and commanders’ BPAC decision dashboards. Replication equals observable trust.^[60]
• ACE battlefield nodes are tiny factories: Together, CCA and Replicators are the operational primitives of ACE: containerized production nodes that churn replacements and expendables while CCA provide scalable layers. This economy-of-effects flips the calculus: losses can be remade; decisions are about replenishment and adaptation at the forward edge of the battle area (FEBA), not about a 'silver bullet' platform requiring heroic lift (and lots of Personnel Recovery (PR) teams.)

Operational construct — teaming and intent

• Mission intent as the adjudicator: High-level objectives and prohibitions flow down as mission-level predicates. CCAs resolve tactical choices locally within those predicates; humans step in for escalation or ambiguous contexts. This preserves tempo while keeping legal and ethical gates intact.
• Fractal teaming: A theater mosaic could include single-pilot manned nodes commanding a lattice of CCAs, subordinate sUAS swarms for localized effects, and mid-tier CCAs for distributed C2 and adjudication. The human role shifts to orchestration and supervision rather than micromanaged control.^[51]
• No single point of failure: Because CCAs are cheap and composable, adversaries must suppress a distributed network, not a single prized platform. The enemy’s cost of denial rises nonlinearly with our replication throughput.
• Low cost fighters at every scale: Make armed escort/DCA payloads first-class Replicator modules so CCAs and sUAS fleets can be recomposed on demand into protection packages for high-value assets or ACE lodgments.

Winning Pair of ACEs

Agile Combat Employment (ACE) and DARPA's Air Combat Evolution (ACE) aren’t just confusing re-use of the same acronym — they are complementary concepts converging at the battlefield edge. ACE-enabled CCAs exploit dispersal advantage by deploying through agile basing constructs, then leverage that posture through acceptance of higher structural risk and execution of maneuvers impossible for human survival.^[51] The idea of a computer out-thinking a pilot in combat is no longer speculative science fiction.

The developmental trajectory of AI flight control mirrors the growth of chess engines — from Deep Blue’s narrow triumph over Kasparov to today’s open-source systems that routinely defeat Carlsen-level opponents.^[67] The scaling curve is geometric, not linear, tracking both Moore’s Law and the acceleration of applied learning systems.

ACE-enabled CCAs integrate that progress: they solve off-axis firing geometries across multiple weapons systems simultaneously while calculating radar cross-sectional (RCS) physics and instantaneous angle-of-attack limits in sustained high-G regimes. These are not pilot-assist features; they are post-human capabilities. The result is a form of aerial maneuver that redefines the limits of air combat — agility without anatomy.^[68],[69]

ACE-enabled CCAs aren't merely more cognitively functional than our best fighter pilots, they can exploit physical limits that a squishy bag of water in the cockpit cannot.

Exercises should integrate both ACEs: deploy sUAS containers to austere fields, spin up CCAs with theater SBOMs, run contested EW injections, and measure reconstitution time. Without explicitly linking posture and AI/capability maturation, neither ACE will scale in combat.

Stigmergic Warfare: Doctrine for the Swarm Era

The next revolution in distributed lethality is not mechanical—it is behavioral.
Stigmergic Warfare is the doctrine of emergent coordination: systems that fight, scout, repair, and replicate through environmental cues rather than centralized control. In biological systems, stigmergy describes how ants build colonies and termites form towers—each individual reacts to local conditions, leaving signals that guide others. We see this as flocks of birds adjust their formation as a single body, but executed autonomously at the individual node, not through a centralized command apparatus. In warfare, stigmergy becomes the logic of survival in degraded networks: when denied, disrupted, intermittent and limited (DDIL) conditions mean loss of command links are inevitable, forces must self-organize through local state awareness and shared context rather than awaiting top-down orders.^[62],[63]

The End of the Command Tree

Traditional command-and-control assumes communications and hierarchy survive contact. Stigmergic doctrine rejects that premise. Instead of passing detailed tasking down a chain, stigmergic systems rely on Command by Constraint—a set of policy-coded boundaries that define what must never happen rather than what must always happen. Within those boundaries, autonomous agents and human-machine teams act on local perception, updating shared “pheromone maps” of electronic, spatial, or cyber terrain.^[70]

This architecture has precedent: DARPA's Offensive Swarm Enabled Tactics (OFFSET) program pioneered decentralized task allocation for small-unit swarms, while Ukraine’s front-line drone units now employ “signal tagging”—marking radio and GPS conditions in real time to cue other operators without central control.

Coordination by Environment

In stigmergic networks, the environment is the message. Each agent leaves data—RF noise, light pulses, packet headers, acoustic returns—that others can interpret as cues for movement or behavior. A lost drone that burns in place still emits a final “pheromone” burst: position, sensor context, threat markers. Surviving drones read those signals and adapt, either by re-routing, attacking, or switching to decoy behavior. The swarm thus learns without a leader, guided by feedback encoded in its own operational residue.^[71]

This coordination mechanism aligns with ARCOS and cATO pipelines: agents continuously publish certification/evidence state (e.g., SBOM hash, signing chain, attestation timestamp, test suite pass/fail). Peers treat those broadcasts as trust cues to adjust teaming, roles, or proximity—no central adjudicator required.

Electronic Warfare and RF Continuity in the Swarm Age

Winning swarm-on-swarm fights is inseparable from winning the electromagnetic battlespace. EW is not a side-effect; it is the primary arbiter of who can communicate, sense, and stigmergically coordinate. Doctrine must therefore define (a) distributed spectrum agility—local agents must be able to hop, modulate, and opportunistically use multiple waveforms/bands, including acoustic and optical cues; (b) RF provenance tokens—short, signed bursts that encapsulate identity/attestation metadata so peers can treat messages as trustable even when central public key infrastructure (PKI) is unavailable; and (c) degraded-mode behaviors—behavioral primitives that specify what agents do when RF is jammed (e.g., play dead, emit decoy pheromones, switch to sensor-based rendezvous). EW must be a funded line item inside MFP-CYBER and MFP-INNOVATION: test ranges, adversarial RF injection, and hardened comms kits are not optional.

Operational note: the ability to exploit incidental reflectors, controlled interference, or deliberate out-of-band optical signaling converts an enemy's EW advantage into brittle complexity; we must be able to operate both in the RF and the non-RF stacks of the OODA loop.

The Nervous System of Distributed Lethality

If Replicator builds the body and CCA provides the mind, stigmergy is the nervous system that connects them. Each component in a distributed fight—UAS, unmanned ground vehicles (UGVs), unmanned maritime systems (UMS), even cyber agents—communicates not through explicit tasking but through behavioral gradients: attack here, defend there, disperse when density is high. These gradients are machine-readable intent maps, maintained in real time through JADC2 data contracts and ARCOS-enabled evidence exchanges. The result is a battlespace that self-heals and self-directs.

When one node dies, its data persists. When the link breaks, local rules fill the gap. The fight continues at machine tempo even when headquarters has gone silent.^[33]

Human over the Swarm

Critics conflate stigmergic autonomy with unaccountable autonomy. The opposite is true.

Stigmergic Warfare depends on programmable ethics: ROE and LOAC constraints are pre-loaded as policy cages into each swarm agent. Instead of a single human pilot watching one drone, humans command behavior classes through policy gradients—adjusting aggression, proximity, or deception tolerance across the swarm as a whole. After action, the swarm’s evidence exhaust—SBOMs, telemetry logs, decision chains—is audited like a digital flight recorder. Human accountability shifts from moment-to-moment joystick control to pre-mission encoding and post-mission verification.^[53],[72]

Operational Case: Learning Through Marks

Imagine a coastal defense swarm operating after losing satellite links. Each unit tracks others’ optical flashes and residual infrared (IR) signatures to infer enemy air-defense locations. As drones fall, their death positions form a live “danger map” for the survivors. Replicator nodes at the edge 3D-print new replacements pre-loaded with that map, closing the loop between attrition and adaptation. This is stigmergy in combat form: destruction produces data; data drives reproduction^[62],[73] The doctrine rewards rapid iteration—each fight becomes a live-fire A/B test.

Lethality is no longer manufactured; it is grown.

The Industrial Feedback Loop

Stigmergic warfare also reshapes industry. Factories and software pipelines become active participants in the swarm’s feedback ecosystem. Replicator nodes consume telemetry and automatically adjust designs—new winglets, power configurations, or firmware updates—within hours of field use. This turns the industrial base into an adaptive organism, not a supplier. The civil-military boundary blurs: manufacturers, coders, and operators share the same operational data mesh, each learning from the same stigmergic cues.

Risks and Guardrails

Stigmergic autonomy is powerful but perilous. Improperly bounded reinforcement loops can amplify error—friendly units misclassified as “targets,” or adversaries spoofing pheromone signals to mislead swarms. Mitigation demands continuous model validation, encryption of environmental cues, and ARCOS-triggered rapid recertification (evidence-driven gating) between agents. LOAC-compliant guardrails and multi-sensor redundancy keep autonomy lawful and explainable. The point of Stigmergic Warfare is not to remove humans but to let them command at the speed of emergence.^[19]

Bridge to the Industrial Posture

To teach a swarm, you must be able to replicate it. Stigmergy makes the fight adaptive; Replicator makes adaptation manufacturable. Together, they fuse the moral logic of command with the biological logic of growth—and define the tempo of deterrence for the 3OS.

Production & logistics: turning design into capacity

• Distributed production nodes: Deployable Replicator factories (containerized additive manufacturing (AM), modular payload lines) can be pre-authorized to produce within BPAC limits; national industrial partners swivel to surge production under DIU-managed agreements.^[58]
• Performance-based logistics & surge contracts: Industry guarantees time-to-replicate and verified throughput; DoD pays on verified effect and provenance rather than on parts shipped alone.^[56]
• Supply-as-data: SBOMs and provenance are first-class logistics artifacts. If a replacement part or payload fails provenance checks, it is quarantined automatically — minimizing risk in field production loops.

Command, risk, and law in a replicating world

• Commanders own immediate risk: Within agreed BPAC lanes, mission-thread commanders can authorize local replication and launch. Higher level authorities retain veto and escalation channels for effects with broader risk.
• Operational Safety Cases: Each CCA class and Replicator process ships with an Operational Safety Case that documents hazards, mitigations, rollback procedures, and the human escalation triggers required before certain kinetic effects can be executed.^[72]
• Legal and ethical constraints encoded: ROE and LOAC constraints are policy-code gates within Replicator pipelines — if an effect would violate encoded predicates, the pipeline refuses to produce or release the capability.

Why this matters — doctrinal and campaign effects

• Tempo via abundance: Replicators convert industrial speed into operational tempo. When replacement and reconfiguration beats attrition, tactical setbacks no longer cascade into campaign failure.
• Learning at scale: Each replication cycle produces labeled behavior traces and performance telemetry that feed model improvements and doctrine refinement — the same OODA loop writ industrial.
• Operational friction to the adversary: Attritable mass forces adversaries to expend disproportional resources to achieve local advantage, raising the political and material cost of aggression.
• Filling all the magazines: In any war of attrition, the magazine depth is relative to both the scale of combat and the logistics chain. A nation may be able to build a near-infinite amount of ball ammo, but an inability to resupply tactical operators at the skirmish level is one type of attrition failure, just as magazine depth of surface-to-air missiles (SAMs) in a theater supply depot is another. The composability of an AM supported infrastructure neatly tied to a commercial dual-use manufacturing pipeline (itself supported by modern software attestations and commercial just-in-time (JIT) logistics) prevents magazine capacity failures in sustained combat.

Risks and mitigations (practical guardrails)

• Supply chain manipulation: Use SLSA/SBOM attestations, DIU-managed enclaves, and continuous cATO checks to prevent malicious inputs into Replicator pipelines.^[74]
• Human-in/-on/-the-loop correctness: Define precise handoff boundaries and measurable confidence thresholds so that automated launches occur only when the evidence stack is sufficient.

Metrics that prove it works (examples)

• Effect-Replication Time: hours from mission need to fielded effect (target X hours).
• Replication Throughput: number of launchable nodes produced per surge window.
• Provenance Integrity: fraction of replicated batches that pass full SBOM/attestation checks on first test.
• Local Decision Latency: time from local detection to authorized action inside mission predicates.

Logistics, Industrial Posture, and the Civilian Arsenal

Distributed Lethality depends on industrial agility. That means two things: first, the civilian industrial base must be treated as the primary magazine for many lethality classes; second, logistics must be reimagined as a software-enabled supply fabric (data-first logistics).^{[27],[29],[56],[60],[75]}

Policy levers:

• Expand MFP-INNOVATION to underwrite deployable Replicator capacity (containerized AM, low-observability (LO) production nodes, and JIT payload stacks).^[27],[56]
• Use DIU-managed commercial partnerships to access surge manufacturing, cloud compute, and payload supply chains.^{[47],[56],[74]}
• Treat supply chains as mission data: SBOMs, provenance, and attestations are the unit of trust for fielded effects.^[60]
• Procurement for ACE prioritizes modularity and replaceability — COTS-friendly airframes, modular payload bays, and open bus electronics so local repair and 3D-printed parts keep the tempo. MFP-INNOVATION underwrites these supply contracts with outcome payments (time-to-replicate, time-to-deploy).

Electromagnetic Pulse (EMP), Physical Hardening, and Replicator Resilience

Distributed production and cheap lethality depend on Replicator and edge nodes surviving not only attrition but deliberate hardening attacks such as EMP events and targeted kinetic strikes on supply infrastructure. Policy and funding must therefore treat physical hardening as a mission requirement. That means tiering Replicator nodes: (1) expeditionary, fast-surge containers optimized for throughput but on a short survivability horizon; (2) hardened theater nodes with EMP-tolerant power and limited shielding to survive transient transients and enable continuity of production; (3) national strategic surge stocks with deep hardening and isolated control planes. Hardening is not binary—design choices trade mass, cost, and latency. The mix must be explicitly funded in MFP-INNOVATION so commanders can choose production posture by risk lane. Commercial partners must be contractually bound to provide hardened enclaves (where required) or to escrow pre-built modules that can be emplaced quickly and made resilient to common EMP/electromagnetic interference (EMI) profiles.

Why it matters: if Replicator throughput collapses under an EMP or strike, the whole abundance model fails. Hardened, pre-authorized fallback nodes preserve the tempo advantage that replication is supposed to deliver.

In practice, that means creating Performance-Based Logistics (PBL) contracts where industry guarantees time-to-replicate and T2F, and the DoD pays on verified effect and verified evidence trails.^[56]

Command, Control, and Authorities

Distributed Lethality requires doctrinal adjustments to command and fiscal authority.^{[27],[45],[55],[72]}

• Mission-Thread Commanders: give commanders control over effect pools and BPAC-tagged funding inside operational risk lanes. Commanders should be able to authorize replication and launch inside defined policy constraints.^[27]
• Authorization-as-a-Service: cATO pipelines must extend to Replicator outputs—launchable effects are pre-authorized under testable, bounded conditions with real-time evidence exhaust to audit.^[48]
• Escalation and Legal Guardrails: ROE, LOAC, and civilian-safety constraints encode into policy-code so that automated effects cannot escalate outside agreed predicates.^[55],[72]

This is the commander-owned-authorization model applied to a generation-and-deploy weapon economy: it shifts risk and speed together.^{[27],[48],[72]}

Measures That Matter

Distributed Lethality changes what we measure: Effect-Replication Time (design → produced → launched); Effect-Per-Dollar (normalized for attrition); Reconstitution Rate (fraction of lost effects restorable within X hours); Local Decision Latency (time between local detection and local authorized action); Evidence Completeness (fraction of replications with full SBOM/attestation/provenance).^{[47],[48],[58],[60]} If these measures move favorably, doctrine and funding follow. If they don’t, capabilities are culled.^{[27],[56],[60]}

Risks and Mitigations

Distributed Lethality is powerful, but dangerous if ungoverned.

• Supply chain risk: mass production increases attack surfaces. Use SBOM lineage, SLSA/attestation, and cATO-backed enclaves to assure provenance.^{[48],[60],[74]}

Where this Links to Other Sections

• Structure Revolution: MFP-CYBER and MFP-INNOVATION fund Replicators and BPACs. Budget fluidity is the sinew that enables replication.^[27],[56]
• Cyber as Maneuver: the data contracts, ARCOS metrics, and cATO mechanics are the operational plumbing that lets CCAs decide and Replicators act at speed.^[48],[53]
• AI as Co-Combatant: CCAs are a direct instantiation of the AI roles we already defined—actor, agent, advisor, auditor—with Operational Safety Cases and evidence exhaust baked in.^{[44],[52],[53]}
• Letters of Marque 2.0: industry-authorized actors (on White/Blue/Black lists where appropriate) can be a surge lever for distributed effects under strict, auditable constraints.^[72]

Closing Thought
Distributed Lethality is not a program; it is an architecture for democratized force. It turns lethality into a logistical and informational problem we can measure and accelerate. Paired with the 3OS's obsession with learning velocity, it flips the calculus of deterrence: the enemy no longer needs to break our single prize—they must break our capacity to learn, replicate, and adapt faster than we lose. If our doctrine, budgets, and industry partnerships align behind that capacity, we will seldom need to win single fights; we will out-speed and out-learn entire campaigns.^{[45],[47],[58]}

---

The Human Engine — Manning, Mobility, and the Warfighter Economy

Doctrine: The Human Engine of the 3OS

Every offset has relied on people before platforms. The 1OS created nuclear deterrence, but it was maintained by operators who mastered the procedures of impossibly complex systems. The 2OS gave us precision guidance and stealth, but its engine — and the only reason we're still superior at maneuver warfare — is the cognitive elasticity of professional warfighters using adaptive doctrine and decentralized execution tenets to extend strategic effects at the skirmish level of warfare. The Third Offset — this offset — is a human offset before it is a technical one. It asks us to treat manning as a living algorithm: a system of feedback, learning, and recomposition.

Our adversaries now iterate faster not because they are more talented, but because their human systems are simpler. We built one optimized for stability; they built one optimized for change. 3OS reverses that asymmetry by linking human adaptability to digital infrastructure — making the warfighter a dynamic node in a learning network. Just as software now deploys continuously, the human system must recompile continuously. That means replacing static billets with modular competencies, turning evaluation into experimentation, and replacing time-in-grade with evidence-of-impact.

This is the Human Engine: a manning construct that treats people, learning, and evidence as the throughput variables of national defense. Our people are the runtime environment. When we can patch doctrine at the same rate we patch code, we win the loop — not just the fight.

The Software WepTac — OODA in Code

In the 20th century, we held Weapons and Tactics Conferences (WepTacs) to codify lessons about bombs, radars, and flight plans.^[76] In the 21st, our weapons are software-defined. Every patch, model update, or container deployment is a doctrinal change.

The Software WepTac, chaired by CYBERCOM J-3, and held quarterly in cadence with the civilian tech calendar — Black Hat, DEFCON, RSA, Armed Forces Communications & Electronics Association (AFCEA), and DoD AI Symposia — becomes the proving ground for digital maneuver.^[77],[78]

It is not a conference but an operational exercise for software-defined effects, with the discipline of the Combat Air Forces (CAF) WepTac at Nellis — tasking, injects, red teams, vignettes — focused on the muscles the Pentagon keeps skipping: interfaces, data contracts, cATO inheritance, SLOs, and contracting lanes.

Cadence and Composition

Participants include Pathfinders, DIU, CDAO, service software factories (Kessel Run, Platform One, Business and Enterprise Systems Product Innovation (BESPIN), Space CAMP, and the Army/Navy/Marine factories), their selected contractor performers, and selected operational units. Together, they iteratively produce outputs in five major categories:

1. API FRAGOs for two or three joint kill-chain threads (e.g., ISR→Target→Shooter; Mobility→Fuel→C2): versioned schemas, error budgets, and decision authority timing.
2. Data SLAs, owned by CDAO, defining latency, completeness, and accuracy, with test vectors and synthetic datasets executable across cloud service provider (CSP) Platform as a Service (PaaS), edge kits, and coalition enclaves.
3. cATO-by-design playbooks — inheritance packages, CI/CD-attested controls, evidence formats, and reciprocity rules — that vendors and factories can actually use once, everywhere.^[31]
4. Contracting Ordering Guides, templating the rapid acquisition of proven capabilities using BPACs, SBIR Phase III task orders, and Other Transactional Agreements (OTAs).^{[22],[56],[79],[80],[81],[82],[83]}
5. Manning & Rotation Plans for Pathfinders and Software Design & Development Supervisor (SDDS) billets at the Wing, Numbered Air Force (NAF), Major Command (MAJCOM), and joint equivalents.^[84]

Structure (Five-Day Cycle, Rinse and Repeat Quarterly)

• Day 0 (Admin + Unfreeze):
  Publish vignettes, injects, interface expectations, and SLO targets two weeks prior. All participants arrive with deployable code and adapters — no “mock-ups by lunch.”
• Day 1 (Observe → Orient):
  Red teams brief current CVE/KEV and opposition forces (OPFOR) injects.^{[21],[25],[26]}
  CDAO posts target metrics; DIU releases the inheritance pack and MOSA conformance test suite.^[27],[32]
• Day 2 (Decide):
  Pathfinder cells run interface spikes, capture breakage, and draft API FRAGOs.
  Contracting cells map which lanes can fund fixes in real time (BPACs within MFPs, SBIR task orders, rapid OTAs).
• Day 3 (Act):
  Teams ship live patches to the development fabric (CSP PaaS and edge kits) with cATO evidence emitted by the pipeline.
  SLO dashboards are automatically generated and published.
• Day 4 (Debrief → Publish):
  Output three tangible artifacts:
  (1) updated API FRAGOs and data SLAs;
  (2) a Contracting Ordering Guide (templates, CLIN types, evaluation factors);
  (3) Manning and rotation requests for follow-on Pathfinders.
• Day 5 (Tiger Team Carryover):
  A pre-designated Tiger Team remains on target (back at home station) for two weeks to push the artifacts into programs — justifications & approvals (J&As), indefinite delivery/indefinite quantity (IDIQ) mods, SBIR pivots, or MTA memos.

No artifacts → it didn’t happen.

Why It Will Stick

Past “innovation weeks” died on the runway because their outputs never changed interfaces or money flows. The Software WepTac changes both. Every successful iteration produces a new API FRAGO, a new funding lane, and an auditable record of change velocity. Its deliverables are runtime evidence and contracting templates, not talking points. It turns CYBERCOM, DIU, and the service factories into a joint software maneuver force with OODA discipline and budget agility. Each quarter, the United States holds a new kind of exercise — one that fights in code and wins in tempo.

The Dual-Use & Innovation WepTac — Aligning the Front Doors

If the Software WepTac synchronizes the code, the Dual-Use & Innovation WepTac synchronizes the humans. Once a quarter, DIU, AFWERX, AAL, NavalX, MIU, Office of Strategic Capital (OSC), CDAO, selected PEOs/requirements leads, and UCC innovation arms run a multi-day doctrinal exercise to harmonize defense “front doors” with warfighter demand, budget reality, and industry incentives—not a trade show, a tactics conference for acquisition. Its outputs are signed artifacts that change interfaces, rights, money, and billets the following quarter.

Tracks (four lanes, one playbook)

1. Manning & Talent.
   Pathfinder pipeline governance (tiers/rotations), reservist augmentation, and billets (SDDS, Data Strategy & Governance Manager (DSGM), Integration & Interoperability Manager (IIM) and Contractor & Vendor Relations (CVR)). PME alignment so NCOs/officers are fluent in technology, policy, and mission; skill mobility mapped across DIU, CDAO, and service innovation organizations.
2. Contracting & Finance.
   BPAC agility rules, MFP-INNOVATION management, and service-level MFP-INNOVATION templates. Outcome-based models tied to cATO runtime evidence (SBOM/attestation/SLOs). Clear dual-use on-ramp for commercial firms with transparent, SBOM-verified codebases.
3. Acquisition & Policy.
   Update MOSA, RMF, ARCOS doctrine from operational lessons; reuse Operational Safety Cases; reconcile DIU's Commercial Solutions Opening (CSO) lane with AFWERX/NavalX/MIU/AAL SBIR pipelines—interface-first topics, not platform wish lists.^[27],[85]
4. Industry & Investment.
   Brief Venture Capitalists (VCs) and suppliers on DoD's risk appetite and demand by interface. Enable shared investment via limited declassification, JADC2 test ranges, and cATO reciprocity across clouds. Surface early-stage tech that aligns with active operational threads.

Bottom line: this is the DIME sync for innovation—diplomatic, informational, military, and economic levers tuned to one rhythm. Warfighters meet investors as partners, and leadership updates doctrine on runtime evidence, not on fiscal-year slide decks.

Who’s in the room (and why)

• DIU, AFWERX, NavalX, MIU, AAL: own dual-use intake, scale-up lanes, and service equities.
• Pathfinders (your patch community): the glue—own API FRAGOs, data SLAs, cATO inheritance in ops threads.^[86]
• Contracting & Pricing: turns artifacts into Ordering Guides (Outcome CLINs, SBIR Phase IIIs/OTAs, decentralized IDIQs).^{[81],[82],[83]}
• CDAO & DoD CIO: data SLAs, ZTA reciprocity, and pipeline evidence rules.
• OSC: aligns DIME policy with VC realities and foreign investment posture.
• Selected PEOs/requirements leads: bind artifacts to vehicles that can obligate next week.
• Industry (small/large) & VC observers: not to pitch—to red-team the artifacts before publication.^[87]
• Veterans with dual-perspective (former gov + industry): institutional memory and pattern recognition on what works. Arguably the most important thought leaders in the room.

Day 0 (virtual, 90 min) — Warm start

Inputs assembled: current headcounts (military/civilian/contractor), billet authorizations, vacancy rates, contractor rosters, burn rates, SBIR evaluator capacity, Pathfinder patch inventory (tiers, special experience identifiers (SEIs), Defense Ventures Program (DVP)/Experience With Industry (EWI)/CITEP alumni, and gig experience).
Output: Manning Baseline v0.9, so Day 1 starts with facts, not vibes.

Day 1 — Pin the lane (Interfaces, Rights, Money)

Morning — Dual-use intake, by interface (not platform).
DIU/AFWERX/NavalX/MIU/AAL present a single intake rubric: every proposal ties to an API FRAGO published from Software WepTac (e.g., ISR→Target→Shooter; Mobility→Fuel→C2). If you can pub/sub to Thread X schema at SLO Y, you’re in scope. No interface, no topic. CDAO posts data SLAs (fields, freshness, lineage). Everyone leaves knowing what “done” means.

Manning Track.

Publish the Pathfinder Charter (DoD-wide)—mission, authorities, and interfaces to DIU/AFWERX/NavalX/MIU/AAL; API FRAGO ownership model.
Standard team template per API thread (size flexes by mission):

• 1 Gov Pathfinder Lead (selection priority: SDDS from same AFSC/MOS/Rate → SDDS adjacent (similar weapons system) → CVR with same AFSC/MOS/Rate → any qualified Pathfinder as temporary backfill).
• 1 Product Manager (contractor), 1 Delivery Lead (contractor).
• 2 Applications/Model Engingeers (contractors), 1 Data/Telemetry Engineer (contractor), 1 Security Engineer (contractor), 1 UX/Designer (contractor).
• Pizza rule: 1 government Pathfinder effectively leads 5–7 contractors.
• Major Command (MAJCOM/Army Command/Navy Fleet) rule: 1 Pathfinder thread per priority ops thread; DIU headquarters (HQ) holds a 5-person Standards Cell (API/data SLAs/reciprocity).

Afternoon — Rights & Risk.

• Data Rights Menu: Government Purpose Rights (GPR) default; Limited/Restricted allowed only with export/portability clauses; tool-agnostic, data-first.^{[88],[89],[90]}
• License Rights Menu: software-factory outputs → unlimited GPR; dual-use tech → commercial licenses + government owns generated data.
• Reciprocity Memo (draft): inherit controls from an accredited factory/CSP PaaS + present pipeline evidence (SBOM, attestation, tests) = automatic reciprocity across DIU/AFWERX/AAL/NavalX/MIU task orders.
• Contracting Officer (KO)/Agreements Officer (AO) outline Outcome CLIN patterns, decentralized IDIQs, and the one-page call-order recipe.

Day-1 Deliverables:

• Intake Rubric v0.9 (interface-first).
• Data Rights Menu v0.5 (exportability language).
• Reciprocity Memo v0.7 (inheritance + evidence = reuse).
• Ordering Guide skeleton v0.4 (vehicles, CLIN templates, evaluation factors).
• Pathfinder Charter v1.0 (ready for endorsement).
• Team/Billet Templates v1.0; Patch Pipeline & Re-cert Standard Operating Procedures (SOP) v1.0 (includes DVP/industry embed).

Day 2 — Break it, then fix it (Injects + Red Team)

Morning — Injects (real, uncomfortable).

• Data-ownership inject: a Maven-style clause collides with coalition export; fix it and prove tool-agnostic export in 4 hours.
• Cloud portability inject: region/provider shift; show interface contract preserves SLOs.
• Security inject: new CVE/KEV hits a shared library; run cATO inheritance (no bespoke paper), hit T2P SLO.^[25],[26]

Manning Track.

• Scenario A (two-Area of Responsibility (AOR) surge): scale six new API threads in 60 days. Output: Surge Staffing Play (contractor sources, overtime approvals, gig board borrowing, DIU cross-decking rules).
• Scenario B (budget dip): 8% mid-fiscal year (FY) cut. Output: Graceful Degradation Plan (which threads pause, contactor ramp-downs with intellectual property (IP) protections, core Pathfinder retention).^[91]

Afternoon — Markets & Money.

• VC panel (no slides) red-teams the Intake Rubric & Ordering Guide: “What toggles (contract duration, payment terms, SBIR bridge timing) unlock capital?”
• Comptroller + KO/AO convert toggles into BPAC move rules and obligation timing (so a wing commander (or joint equivalent) can actually fund a thread the same week it goes green).
• Pathfinders align the gig-board to the Ordering Guide (tasks → Outcome CLINs → test harness → payment on pass).

Authorities & Roles.

• DIU–Service Memorandum of Agreement (MOA): DIU owns standards & oversight; services own Small Business Administration (SBA)/service-innovation dollars and billets (the two-dads model).
• BPAC ties to headcount: SLO deltas trigger staffing (green → unlock +2 contactor full-time employees (FTEs); red → hold backfills).
• Gig board SOP: eligibility, conflicts, timeboxes (2–12 weeks), acceptance by shared harness, payment on pass; Pathfinders curate.

Day-2 Deliverables:

• Ordering Guide v0.8 (adds portability + CVE/KEV/cATO lanes).
• BPAC Playbook v0.6 (how/when dollars shift by SLO).
• Gig Board SOP v0.5; Surge Staffing Play v1.0; Graceful Degradation Plan v1.0.
• DIU–Service MOA v1.0 (roles, oversight, funds).
• Contractor Workforce Note v1.0 (to accompany Ordering Guide).^[90],[92]

Day 3 — Publish and wire in (no paper trophies)

Morning — Program wiring.
PEOs/MAJCOMs map artifacts to live vehicles: which IDIQs take dual-use call orders next week; which SBIR topics convert to interface-anchored competitions; which OTAs gain Outcome CLIN language. AFWERX/NavalX/MIU/AAL publish quarterly buy lists by interface thread (“12 months of demand”); DIU validates cross-service overlaps; OSC validates DIME alignment. This is the market signal memo VCs actually read.^[87]

Manning Track.

• Billet Kit: cross-service paragraph pack (US Air Force (USAF) Unit Type Code (UTC)/Designed Operational Capability (DOC)/Manpower Force Element (MFE) → equivalent US Army (USA) Table of Organization & Equipment (TOE)/Table of Distribution & Allowances (TDA)/Position Descriptions (PDs); US Space Force (USSF)/US Navy (USN)/US Marine Corps (USMC) equivalents) to stand up Pathfinder Dets at MAJCOMs/Army Commands/Marine Expeditionary Forces (MEFs)/Numbered Fleets.
• Promotion/Awards Guide: Pathfinder patch + PME stratification guidance; SBIR Phase III deployments and deprecation wins count as major bullets.

Afternoon — Ratify & hand-off.

Legal signs Data Rights Menu; CIO/CDAO sign Reciprocity Memo; KOs/AOs sign Ordering Guide. A Tiger Team (named on the slide) owns pushing artifacts into SAM.gov mods, KO/AO deskbooks, and front-door websites within 10 business days. If nobody’s named, it didn’t happen.

Day-3 Deliverables:

• Dual-Use Ordering Guide v1.0 (signed)
• Data Rights Menu v1.0 (signed)
• Reciprocity Memo v1.0 (signed)
• BPAC Playbook v0.9 (comptroller-vetted)
• Market Signal Memo (4Q horizon) — interface threads, SLO targets, expected award cadence
• Tiger-Team tasking order (dates, systems to touch)
• Billet Kit v1.0, Promotion/Awards Guide v1.0, Manning Tiger-Team Order (names + 60-day actions: stand up 3 x cross-service Pathfinder Dets; push billet kit through human resources (HR); seed the first 100-person contractor bench by thread).

What this WepTac explicitly optimizes (and what it kills)

Optimizes:

• Interface-first intake → vendors compete without bespoke rewrites.
• Rights/portability → government freedom to maneuver; vendors keep sane economics.
• Reciprocity by evidence → SBOM + attestation + tests = reuse (no Kafka run).
• Outcome CLINs + decentralized IDIQs → operational units buy effects, not artifacts.
• BPAC agility → commanders move dollars the same week a thread goes green.
• Market signaling → VCs see 4-quarter demand and keep the dual-use pipeline funded.^[14],[87]

Kills:

• Pitch theater: if it doesn’t map to interface + SLO + contract vehicle, it’s a talk.
• Forked codebases as the price of entry: bring your code once, inherit cATO.
• Paper security: CVE/KEV/cATO evidence decides, not a binder.
• Accidental data lock-in: clause set forces tool-agnostic export + portability.^[93]

Cells & checklists (so three days don’t wander)

• Commercial Tech On-Ramp Cell: interface conformance + 30-min synthetic-vector fit test.^[85]
• Contracting & Pricing Cell: owns Ordering Guide text, CLIN exemplars, Federal Acquisitions Regulation (FAR)-sound pricing logic, and small-business protections.
• Risk/ATO/Reciprocity Cell: tight cATO inheritance pack; translates CVE/KEV + SBOM into pass/fail language.
• Portfolio & PE/BPAC Cell: maps interface threads to funding lines and writes BPAC triggers (what moves, who signs).
• Industry/VC Cell: red-teams artifacts for viability/incentives.
• Data & API Cell (Pathfinders + CDAO): publishes API FRAGO & data SLA deltas nightly.

Pre-reads (mandatory): latest API FRAGOs/data SLAs from Software WepTac; draft Reciprocity Memo and Data Rights Menu; live SBIR topics and vehicles; active BPAC pools and execution targets.^{[88],[89],[90]}

Lessons dragged into the sunlight

Lightning didn’t scale because it was person-bound (heroics), not interface-bound (reusable lanes). The Innovation WepTac converts “we hacked it” into:

1. reusable schemas
2. CI/CD-attested controls (cATO)
3. ordering patterns any KO can use
4. a Pathfinder rotation that preserves continuity.

When the pipeline narrows to pitch theater, you get outputs without outcomes. When the pipeline is yoked to joint interfaces, service factories, and production SLOs, you get effects. Expect an Ordering Guide resembling Autonomy-Prime-at-its-best—decentralized IDIQ, clean ordering, objective intake criteria, outcomes tied to SLO telemetry. Contrast that with Maven-style data gravity mistakes (optimizing for a platform over a data contract). This WepTac fixes it at the source: data SLAs first, tool selection second.

Expected signals (the “what next” list)

• A joint ordering guide (DIU/AFWERX/AAL/NavalX/MIU-blessed) that a squadron/battalion can use next week.
• Rights & reciprocity templates that prevent vendor lock-in and kill code forking.
• Portfolio → PE/BPAC maps so commanders pay for outcomes without re-wiring the POM.
• Market signal memo (to VC and primes): what the next four quarters will buy and how (by interface, not brand).
• Contracting patterns that match real delivery: SBIR P3/OTAs, decentralized IDIQs with clean ordering guides, and Outcome CLINs tied to mission SLOs (T2F via MTA/SWP usage; T2D via JADC2; T2P via CVE/KEV metrics).
• Manning templates (the #1 failure mode): billet management for Pathfinders, rotation patterns, and two-dads alignment with DIU and the Services.

Notes on SBIR reform

SBIR evaluation shifts to a two-stage model:

• Stage 1 (service-wide) uses an inverse-tokenization “Bag of Lemons” pass that filters hype and lock-in.
• Stage 2 (Pathfinders) run mission-thread A/B tests against SLOs and cATO evidence, awarding Phase I and Phase II awards on SLOs, and Phase IIIs on test-harness pass rates, not slides.

Cross-walk to Software WepTac artifacts

• Consumes: API FRAGOs & data SLAs, cATO inheritance packs, and SLO dashboards.
• Produces: Reciprocity Memo, Data Rights Menu, Dual-Use Ordering Guide, BPAC Playbook, Billet Kit, and Market Signal Memo.^{[88],[89],[90]}
• Wires into: PEO vehicles, SBIR topics, OTA language, and Pathfinder billets.^[82],[94]

Reforming SBIR — The Bag of Lemons Model

The SBIR program remains one of the Republic’s most powerful yet under-optimized levers.^[95] It funds thousands of technologies each year, but its evaluation model and service fragmentation ensure that mediocrity often rises faster than excellence. The current model rewards marketing polish and proposal writing, not demonstrable performance or risk literacy. The 3OS framework reengineers SBIR for learning velocity, transparency, and adaptation.^[96]

Background: Funding mechanics and the AFWERX shift

Every Federal organization with an RDT&E budget pays a “tax” (of 3.65%) to the SBA which it reclaims only by funding small businesses. Historically, this created a perverse incentive: services sought to spend the money fast rather than spend it well. Prior to AFWERX, the Air Force’s SBIR execution bordered on farcical—often channeling funds into one-person limited liability companies (LLCs) clustered around PEO hubs like Dayton or Destin, rather than genuine centers of innovation.^[97]

AFWERX flipped the script. By giving its Ventures Division a single mission—open the front door of DoD acquisition to new entrants—it redefined what “compliance with SBA” meant. The result: SBIR participation from non-traditional firms grew by orders of magnitude, injecting real competition and diversity into the defense industrial base.^[98]

The evaluator crisis

In early AFWERX cycles, SBIR evaluation was handled by a small cadre of internal reviewers—less than a dozen evaluators reading thousands of proposals. SBA rules required that each submission receive three evaluations, so many were skimmed in seconds while firms invested dozens of hours per proposal. The model was unsustainable.

AFWERX’s reaction—opening evaluations to the entire Air Force—solved scale but killed rigor. With thousands of volunteers of uneven skillsets, objectivity evaporated. Proposals were graded by enthusiasm and time-of-day more than merit. The silver lining: with the process fully anonymized and distributed, “protest-proofing” became almost automatic. No favoritism could be alleged when no one knew who reviewed anything.

The Valley of Death (still unbridged)

Even with AFWERX’s success in outreach, Phase I and II transitions to Phase III remain abysmal. Ventures rightly saw its purpose as opening doors to industry—not shepherding programs to operational adoption. The gap is structural: no one owns transition.^[85],[99]

PEOs face no incentive to absorb small-business prototypes. Aligning Exhibit R-4/P-5 funding documents, Joint Capability Areas (JCAs), and even legacy JCIDS requirements to Phase II work is a bureaucratic nightmare. Even when Phase III IDIQs exist—like AFWERX’s excellent Autonomy Prime ordering guides—most award activity occurs outside the DoD, where execution friction is lower. SBIR remains a bridge without an on-ramp.^[85],[99]

To fix this, we need not new slogans, but a new model.

Stage I — “The Bag of Lemons” and the Open Evaluation

The Bag of Lemons technique—also known as the Inverse Token Allocation Model of Preference Elicitation—reverses how evaluations are scored. Traditional systems fail because most reviewers disagree on what “excellent” looks like, but nearly everyone agrees on what “terrible” looks like. The Bag of Lemons model harnesses that.^[100]

Mechanics:

• Evaluators commit to a fixed number of reviews (say, 20) and receive the same number of digital “tokens.” Every reviewer is allowed to do as many (or as few) evaluations as they like, and their token allocation is based on this number of reviews.
• They can allocate those tokens however they choose—placing all 20 on one bad proposal, or spreading them thin across many.
• Tokens represent disapproval, not preference.
• Each proposal still receives the required three independent assessments per SBA policy; only those with low total token counts advance to Stage II.

The result is a crowdsourced adversarial filter that naturally highlights consensus bad ideas, letting experts focus on the promising few.

Advantages:

• Scale: Thousands of personnel can evaluate in parallel, compressing decision cycles.
• Transparency: Every downvote is justified and auditable, discouraging “old-boy” bias.
• Protest immunity: Distributed, logged evaluation datasets are self-defending; the math is the rationale.
• Outcome: Stage I becomes a hypothesis filter targeting a more objective reality agreed upon by a diverse evaluation population.

Stage II — Pathfinder Evaluation and the Operational Downselect

Stage II transitions the surviving proposals to Pathfinder evaluators—across all tiers—drawn from the operational, acquisition, and contracting communities. These are not generalists. They evaluate runtime evidence, not narrative promises:

• T2F and MTA readiness
• cATO inheritance compliance
• SBOM provenance and test harness pass/fail rates
• Operational feedback loops and mission-thread fit

These evaluators know where the money lives—in MFP-CYBER and MFP-INNOVATION—and how to tie it to real requirements. Many will have written the API FRAGOs or served as Technical Points of Contact (TPOCs) for the proposals under review (Pathfinders must recuse themselves from evaluating a package they are the TPOC, End User, or Customer on; a different Pathfinder will instead perform those un-biased evaluations in accordance with SBA policy).

Their task is not just to pick winners, but to map who learns fastest.^[38]

Evaluations populate an “innovation kill chain” —a dataset showing learning velocity, cATO evidence, and replication throughput across performers. It’s not a leaderboard—it’s a feedback loop.

The learning system that SBIR becomes

Under this two-stage model, SBIR transforms from a compliance machine into a learning machine. Stage I measures potential energy (breadth and novelty); Stage II measures kinetic learning (velocity and survivability). The entire pipeline becomes a machine-learning dataset for the DoD itself—training not an AI model, but a system of governance.

Each project, success or failure, emits metadata on:

• How it performed relative to SLOs and test harnesses
• How long it took to reach deployment readiness
• Why it stalled or died

That evidence is logged, searchable, and reusable—allowing the next generation of innovators to start where the last one left off.

Pathfinders and Governance — Building the Human Engine

Concept and Rationale

The Third Offset’s human vector is the Pathfinder: a new kind of warfighter-technologist who fuses operational experience with software, contracting, and data fluency. Just as the Weapons Instructor Course (WIC) patch defined tactical excellence for kinetic warfare, the Pathfinder patch defines excellence in digital, dual-use, and acquisition warfare. The purpose is simple: ensure the Department’s modernization doesn’t hinge on charismatic founders or PowerPoint-born “innovation cells,” but on a reproducible career field-agnostic doctrine of adaptive integration.

The Pathfinder construct grew out of lessons from DIU, AFWERX, AAL, NavalX, MIU, and the rise (and fall) of countless “innovation organizations.” These teams delivered remarkable prototypes, but their success was personality-driven and perishable. Often, the service's HR machines assigned the best innovators in a given service only by their base AFSC/MOS/Rate and incentivized them to leave the Department or to require heroics at the 4-star level to overrule said HR organizations. Even worse, the same HR systems replaced those heroes with personnel not equipped to work in innovation, and those were often the death sentence to those innovation units, spreading legacy culture that killed innovation like a cancer from within.

The 3OS framework instead formalizes their DNA into a durable ecosystem governed by doctrine, metrics, and rotation — not heroics.

Tier Structure and Assignment Logic

Pathfinder billets are tiered, not graded.
Each tier reflects both scope and locus of control, not rank.

Tier 1 – Tactical Integrators

These personnel sit inside operational units (squadrons, battalions, ships, etc.).
Their duties remain anchored in their AFSC/MOS/Rate, but they also serve as the innovation belly-button for that mission set — exactly as Weapons Officers do for tactics. They lead API FRAGOs, manage interface adherence, and are the local voice for data SLAs and cATO inheritance.

Examples:

• A Joint Terminal Attack Controller (JTAC) with a Pathfinder SEI overseeing automated close air support (CAS)-link testing at the 17th Special Tactics Squadron (STS) aligned with a Ranger battalion.
• A maintenance NCO ensuring predictive analytics feeds are contractually aligned with MOSA standards.
• Spark Cell action officers (AO) (all but the Director) are Tier 1 billets and are AFSC/MOS/Rate independent (they are Duty Position driven, not SEI associated).^[101]

Tier 2 – Operational Catalysts

Tier 2 Pathfinders sit at the Wing / Group / MAJCOM / Fleet / MEF / Theater levels, or within innovation units (DIU, AFWERX, AAL, NavalX, MIU, OSC, CDAO). They are typically duty-position assigned, leading multi-unit integration, writing the cross-thread API FRAGOs, and managing gig-board staffing.

Examples:

• Spark Cell Directors, AFWERX AOs, AAL PMs.
• SDDS attached to operational units.
• KOs/AOs/PMs assigned to BPAC or Outcome CLIN pilot programs.

Tier 3 – Strategic Architects

Tier 3 Pathfinders serve as instructors, senior advisors, and commanders of service innovation organizations, PME chairs at Blue Horizons, Naval Post-Graduate School (NPS), School of Advanced Air & Space Studies (SAASS), or Defense Acquisition University (DAU) and integration leads at CDAO or DIU HQ. They shape doctrine, run the certification boards, and evaluate national-level interoperability outcomes. They are the connective tissue between modernization, PME, and service/Department policy and DIME intentions.

This tiered design mirrors the Weapons School progression: tactical mastery → integration leadership → doctrinal authority.

The Patch Community Model

Pathfinders are a joint patch community, managed through a Joint Pathfinder Board (JPB) chaired by DIU with representation from each service’s innovation command. Patches are earned, not assigned, through a formal course and demonstrated operational wins. The badge signals fluency in integration, not simply attendance at an innovation course.

Selection and Certification:

• Initial selection requires unit nomination, command endorsement, and portfolio of deliverables.
• Candidates complete an Innovator Qualification Course (IQC) — an 8-week blended program at Nellis, Monterey, and Austin, combining agile contracting, API design, data ops, and mission-thread simulation.
• Certification is maintained through continuous shipping: if a Pathfinder fails to deliver a deployed artifact or validated outcome for 12 months, the patch expires.^[102]

Cultural Ethos:
Weapons Officers say “humble, approachable, credible.”
Pathfinders add “auditable, interoperable, repeatable.”
Pathfinders are less about inspiration and more about institutional memory — how to not re-invent the wheel every two years.

Core Roles and Job Descriptions

At various levels of organizations, more than just one Pathfinder specialty will be required. Examples are UCC assignments, or Major Commands (MAJCOM/Fleet/Army Command). These positions can be held by uniformed, civilian, or contractor personnel, but must include at least one uniformed lead per Department of Defense Instruction (DoDI) 5000.87 governance rule.

1. Software Design & Development Supervisor (SDDS)
   The SDDS balances contractor velocity and doctrinal integrity. They translate mission needs into runtime requirements and curate the SBOT for each mission set.^[6] Unlike the other three roles on this list, this role should always be a uniformed (Active Duty, Guard or Reserve) Pathfinder position instead of a General Schedule (GS) role. The reason is that the SDDS has to be creative and innovative, using design thinking principles,^[103] while also having extensive experience as a weapons operator (and in close proximity to the WIC patch as a TTP partner), to become the tactical glue that holds weapons system development together as the PEOs are too disconnected from the fight to operate at tempo to manage software weapons systems.
   
   "If I'd asked my customers what they wanted, they'd have said a faster horse." - Henry Ford (possibly)
   
   The SDDS is ultimately the Henry Ford of any given weapons system at the unit level: combining design thinking and innovation with understanding the arsenal of democracy is our commercial economic advantages, and being able to leverage them both in concert with domain TTP expertise. This corpus of knowledge, combined with agile thinking but adjacent domain comprehension such as classical "big R" requirements adjudication and the POM process creates a truly powerful game changer. Most importantly, this saves taxpayer money while drastically improving warfighter lethality.
   Typical background: Operational AFSC/MOS/Rate member trained in DevSecOps and API schema management.^[6]
   Outputs: SLO dashboards, FRAGO updates, validated inheritance packs, managing contracted software designers.
2. Data Strategy & Governance Manager (DSGM)
   Ensures data fidelity, traceability, and policy compliance across mission threads. Manages contracted data scientists, field data dictionaries, lineage tracking, and cross-domain synchronization in accordance with the DoD Data Strategy. Bridges CDAO policy and field execution. In Major Commands and at UCCs will typically be uniformed Pathfinder, but as the majority of these roles are at PEOs, for continuity and domain expertise those positions should be GS billets.
3. Integration & Interoperability Manager (IIM)
   Owns interface conformance and MOSA alignment. Runs automated interface testing suites, JADC2 thread validation, and interoperability reviews across services and coalition partners. Manages contracted software engineering teams. Like the DSGMs, the IIMs at Major Commands and at UCCs will typically be uniformed Pathfinders, but as the majority of these roles are at PEOs, for continuity and domain expertise those positions should be GS billets.
4. Contractor & Vendor Relations (CVR) Officer
   The connective tissue between operators and the vendor ecosystem.
   Ensures that delivery aligns with Outcome CLINs, verifies SBOM artifacts, and keeps contractors inside the cATO inheritance lane.^[92] While this role is usually at a PEO, whether there, at a Major Command, the Pentagon, or at a UCC, this should ideally be a graduated SDDS now in a Tier 2 billet, or a former SDDS who later served in a Tier 2 billet, then left service and is now hired into a GS billet. Prior SDDS experience for GS hires may be waiverable, but prior Pathfinder experience cannot. The reason is the thread back to the warfighter that a GS often will not have, or even some veterans have but do not understand design warfare or design thinking. As an example, a retired cavalry company commander could easily justify a primitive contracting structure because the contracting methodology supported the acquisition of horseshoes. But horseshoes are now combat irrelevant, and so is that type of thinking.

These roles together at the Major Command and at UCCs form a micro-program office capable of end-to-end modernization — but built to live inside an operational chain of command, while their cousins in similar roles at PEOs are now organized, trained, and equipped to manage innovation instead of working from a collection of CSVs on a Sharepoint.

Talent Sourcing and Rotation

Pipeline:

• Entry begins via nomination or completion of Spark Cell rotations (for junior NCOs and company grade officers).^[101]
• Candidates complete the IQC, Blue Horizons, or an approved PME elective at NPS, SAASS, or DAU.
• Each Pathfinder must serve at least one tactical tour (Tier 1) prior to graduating to a Tier 2 assignment and at least one operational tour (Tier 2) prior to an instructional/strategic tour (Tier 3).

Cross-pollination:

• DVP 2.0 and/or CITEP and/or EWI are required rotation options for patch renewal and to graduate from Tier 1 to Tier 2. Pathfinders must complete a "commercial tour" to graduate to Tier 2.
• Civilians and reservists are encouraged to join via term-limited billets; industry personnel can embed under Exchange Authorities (like CITEP).^[57]
• A digital gig board lists open Pathfinder tasks, allowing reservists and retirees to surge as short-term subject matter experts (SMEs).

Retention incentives:

Pathfinders receive promotion stratification equivalence to Weapons School graduates and performance bullets tied to successful transition metrics (Phase III adoption, FRAGO publication, test-harness performance).^[104]

Governance and Oversight

The JPB governs doctrine, certification, and evaluation. DIU maintains digital dashboards for:

• active patch holders by tier/service,
• interface conformance rates,
• T2F metrics,
• and SBIR transition percentages.

An annual Pathfinder Summit coincides with one of the quarterly Dual-Use & Innovation WepTacs, ensuring the human governance loop closes with the industrial one. Each Service maintains its own Pathfinder Detachment Command (PathDet Command) with manning authority delegated to USAF/A1, ASN RDA, DCS G-1, or equivalent.

PathDet Commands report quarterly readiness via an Interface Readiness Report (IRR) to the Office of Undersecretary of Defense for Acquisition & Sustainment (OUSD/AS) and Office of Undersecretary of Defense for Research & Engineering (OUSD/RE). Failing PathDet units are “re-patched” under successful commands until retrained — mirroring the standardization model of AFSOC or Air Combat Command (ACC) Weapons & Tactics.

Manning Interfaces and External Ecosystem

Pathfinders are cross-wired into:

• Software Factories: Kessel Run, BESPIN, Platform One, Space CAMP, Kobayashi Maru, Corsair Ranch, Hangar 18, LevelUp, Conjure, Black Label, Army Software Factory, Marine Software Factory, Overmatch and any others.
• Innovation Hubs: DIU, AFWERX, AAL, NavalX, MIU, CDAO and OSC.
• Operational Units: via mission threads.
• PEOs: at various positions, via temporary task orders, and supporting MTA acquisitions.^[32]
• Academia and Industry: through DVP, CITEP, and Cooperative Research and Development Agreements (CRADAs).^[105],[57]

Each integration maintains reciprocity through digital credentialing (verified SBOM, API schema, and test-harness score).

Institutional Safeguards & Long-Term Continuity

To survive the bureaucratic entropy that killed so many predecessors, the Pathfinder construct embeds several guardrails:

• Codified billet authorities in service manning documents (DOC/TOE/TDA/MFE/etc.).
• Dual funding (MFP-INNOVATION + host MFP) to prevent billet starvation.
• Digital artifact repositories (Git-based, mirrored across GovCloud and Secret Internet Protocol Network (SIPRNet)) so no knowledge dies on rotation.
• Annual re-certification via live-fire exercise at the Software WepTac.
• Statutory protection under Title 10 § 4022 (OTA authority) for rapid prototype integration.^[82]

In short: Pathfinders make innovation a career reality, not a volunteer hobby.
They translate policy into practice, software into lethality, and people into continuity — the human engine that keeps 3OS running when the slogans fade. Furthermore, we now have a method to keep our best and brightest innovators instead of incentivizing them to leave service as we enthusiastically shove them out the door with our current manning structures.

The Adaptive Workforce — Gig Economy, Talent Liquidity, and the New Defense Labor Model

The Problem with Fixed Manning

For a century, the Department of Defense has treated people like aircraft—assigned to a single unit, purpose, and base, with only annual updates to its manning documents (TOE/TDA/DOC/MFE). That structure made sense when warfighting meant steel and geography. In a digital battlespace where effectors are code and cloud pipelines, that rigidity has become the single largest brake on operational agility.^[106]

Modern mission threads demand elastic skill: a data scientist this quarter, a contract officer next quarter, a DevSecOps mentor for two sprints, then an adjunct instructor for PME. The 3OS framework doesn’t replace military hierarchy—it overlays it with labor liquidity, giving commanders a second lever: not just how many people they have, but how fast they can re-task them.

The Gig Model for Warfighters and Civilians

The Pathfinder Gig Board is the foundation of the Adaptive Workforce.
It functions like an internal GitHub meets Upwork—curated by DIU, secured by CDAO, and federated across service networks. Each task, whether a code review, contracting analysis, or operational simulation, carries:

• A Mission Thread Tag (e.g., ISR-Target-Shooter, Mobility-Fuel-C2)
• Required Credentials (e.g., Pathfinder patch tier, SEI, PME level, clearance)
• Timebox (e.g., 2–12 weeks)
• Acceptance Criteria (e.g., automated test harness or deliverable metric)
• Payment Model (e.g., active-duty allocation, reserve points, contractor CLIN, or outcome bonus)

Tasks are bid, approved, and recorded in a zero-trust labor ledger—a shared blockchain-like registry where completion and payment are event-driven by evidence, not paperwork. Pathfinders and certified contractors operate as interchangeable micro-teams inside an API-governed ecosystem.^[107]

Incentives are immediate: finish a gig, get points (for reserves), bullets (for active duty), or funds (for contractors) within days. No more “wait until the next static closeout date (SCOD) cycle” to recognize innovation. And because all outputs are tied to test harnesses, success is provable and repeatable.^[66],[106]

A Unified Labor Taxonomy

Traditional DoD labor categories are siloed: GS-series codes, AFSCs, MOSs, Rates, and contractor labor categories (LCATs) all describe different worlds. The 3OS construct merges these under a Unified Labor Ontology (ULO)—a Javascript Object Notation (JSON) schema that tags every billet, job, and gig by:

• Skill domain (e.g., data, acquisition, ops, software)
• Clearance and authority level
• Funding lineage (e.g., MFP, BPAC, color of money (and even applicable category (6.1 through 6.7) for RDT&E as pseudo-aligned to given technology readiness level (TRL))
• Recertification clock (e.g., patch, PME, credential)
• Reciprocity eligibility (can this role accept external evidence?)

The ULO allows the gig board to dynamically match funds + skills + authorities, turning personnel assignment into a search problem, not a staffing problem.^[59],[104]

As an example, when a commander at the 363d ISR Wing needs a DevSecOps specialist for a 60-day deployment to supervise a currently unknown group of civilian software engineers to re-write a telemetry adapter, the system doesn’t ask the A1 “who’s available”—it queries the gig ledger for qualified Pathfinders, across services, who can take the task under reciprocity. That Pathfinder either works with a KO/AO at the 363rd, or a supporting CVR to find the right outcome CLINs to support the effort, slides the 363rd's (or their parent PEOs) BPACs, and supports execution with violent efficiency.

Commanders as Labor Portfolio Managers

Under 3OS, commanders manage people as portfolios, not inventories. Each wing, fleet, or MEF receives a labor allocation pool (expressed in both billets and gig credits). They can convert 10% of their annual budget into on-demand labor through pre-approved Outcome CLINs. A PathDet Command provides oversight: ensuring compliance with labor law, fair-pay statutes, and small-business equity.

This model brings private-sector elasticity into the uniformed world without collapsing it into contractor chaos. In practice, it mirrors the Reserve model of surge capacity—except every contributor, uniformed or not, works from the same digital playbook and evidence chain.^[27]

Integrating Reservists, Veterans, and Civilians

Reservists become the backbone of surge operations: they can join sprints during drill weekends or execute short-term gigs during annual training. Veterans gain the ability to re-enter service temporarily for targeted tasks, not re-enlistments. Civilians join via term appointments or exchange programs (CITEP, DVP, EWI), tied to gig cycles instead of arbitrary 3-year rotations.^{[57],[105],[108]} Contractors, in turn, are absorbed through reciprocity-compliant labor pools—pre-cleared and pre-priced by BPAC playbooks.^[59] Everyone touches the same automation fabric, SBOM attestation tools, and payment rails.

Data-Driven Workforce Governance

Governance is automated, not anecdotal. The Labor Operating Picture (LOP)—a real-time dashboard managed by CDAO—shows:

• open vs. filled gigs,
• mean time to task (MTTT),
• task failure rates,
• skill density by mission thread,
• and transition velocity (from prototype to fielded system).

These metrics feed both PPBE reform (via BPAC playbooks) and personnel reform (via stratification equivalence to outcomes, not tenure).^[27] In short: promotion equals impact, not time served.^[30]

Legal and Policy Mechanisms

The Adaptive Workforce rides existing authorities:

• 10 U.S.C. § 4022 (Other Transactions for Prototype Projects) for flexible gig contracts.
• 10 U.S.C. § 1580–1586 for expert/consultant appointments.
• DoDI 1400.25, Subchapter 920 for digital talent exchange and hybrid telework.
• CITEP, DVP, and EWI for bilateral exchanges and credential reciprocity.

These authorities allow DIU and the Services to operate a digital marketplace legally without rewriting Title 10 or Title 5.^[29],[80]

Social Contract and Ethos

The Adaptive Workforce redefines service: You don’t “belong” to a unit; you belong to the mission. The culture shifts from “I am assigned” to “I am allocated.” That means:

• Fewer idle geniuses suffocating in the wrong billet.
• More consistent knowledge transfer between government and industry.
• Constant refresh of operational insight feeding back into software, tactics, and acquisition.

This is not gigification for its own sake. It’s the formal recognition that the battlefield now runs at software velocity, and the force must too. If the 20th century was about industrial mobilization, the 21st is about cognitive mobilization—turning skill liquidity into deterrence.

Institutional Safeguards and Ethics

The gig system is not a free market; it’s a regulated meritocracy. Every task, performer, and deliverable is logged; conflicts of interest are screened automatically. No task can be self-awarded. Labor transparency is enforced through immutable records, auditable evidence, and runtime analytics. The system can even simulate task redistribution under funding cuts—showing how to degrade gracefully without breaking a mission thread. Governance is algorithmic but accountable—a blend of automation and chain of command.^[60],[75]

Future of Manning and PME

Pathfinders are the operators of this system, but PME reforms make it sustainable. By 2030, all officer and enlisted PME include data-ops, contracting literacy, and software fluency modules. Every Airman, Sailor, Marine, Soldier, and Guardian learns how to interpret an API FRAGO and participate in gig-driven innovation. Warrior ethos and technical literacy finally merge. Doctrine, talent, and technology move in lockstep—an adaptive mesh, not a brittle pyramid.^[109]

Governance and the Future Department of War — Closing the 3OS Loop

From Bureaucracy to Operating System

The Department of Defense is misnamed. It doesn’t defend; it learns — or fails to. The 3OS reframes DoD as a learning organization with kinetic consequences. Its success depends on governance that treats doctrine, dollars, and data as interoperable APIs, not separate silos. The Department of War — the notional evolution of DoD under 3OS into the DoW — is not a cabinet rebrand; it is an architectural rewrite.

Governance under 3OS centers on four loops that must be synchronized, evidenced, and transparent:

1. Doctrine Loop: codified through API FRAGOs, data SLAs, and mission-thread playbooks.
2. Industrial Loop: aligned through Dual-Use WepTacs, BPAC playbooks, and SBIR transition data.
3. Human Loop: powered by Pathfinders, the Gig Economy, and the adaptive labor mesh.
4. Evidence Loop: the runtime telemetry of the other three, stored as immutable artifacts for audit, learning, and re-use.

These loops converge at the Joint Effects Board (JEB) — a standing inter-service body chaired by the Deputy Secretary of Defense (DSD) and co-chaired by the CDAO and OUSD/AS. The JEB's role is not policy arbitration; it is runtime orchestration — deciding where evidence proves velocity and where friction must be killed.

Command by Contract, Evidence by Default

Every contract, billet, and budget line under 3OS is machine-readable.
Funding (BPAC, MFP-INNOVATION, SBIR Phase III), authorities (10 U.S.C. 4022), and security inheritance (cATO) all use a shared schema:

• who_owns,
• who_executes,
• evidence_format,
• reciprocity_scope,
• renewal_condition.

This schema allows automation to do what the bureaucracy cannot — verify trust at the speed of relevance. When a factory, contractor, or Pathfinder claims an effect, their pipelines post proof: test harness results, SBOM attestations, telemetry hashes. The JEB's governance dashboard is a single pane of truth: every effect, every dollar, every lesson, every thread.^[60]

Digital Congress, Digital War

The 3OS doctrine requires that governance be visible to Congress in near-real time — not quarterly PDFs. Budget reprogramming (BPAC moves, cross-MFP agility) is logged in the Evidence Ledger, a permissioned data fabric accessible to the Office of the Secretary of Defense (OSD), Congress, and the Government Accountability Office (GAO). It doesn’t erode oversight; it renders oversight legible.^[27]

In practice, this means each appropriation carries an evidence clause — the right of oversight bodies to query runtime data, not rely on end-of-year narratives. Auditors don’t ask, “did you comply with the FAR?”; they query, “show me the attestation trail that this code was tested under its cATO boundary.” Governance evolves from trust but verify to trust because verified.^[74]

Operationalizing Risk and Law

For autonomy and AI-enabled lethality, governance is both legal and moral.
Every autonomous system under 3OS operates within a Mission Safety Case (MSC) and a Rules-of-Engagement Cage (ROEC). These are policy-code objects signed by commanders and stored in the Evidence Ledger. Any agent’s decision is traceable to the ROEC and MSC in force at that timestamp.^[43],[55]

This structure implements the 2023 Department of Defense Directive (DoDD) 3000.09 and the 2024 Law of War Manual updates automatically — compliance is code, not opinion.^[55] It creates the first provable link between AI ethics and mission command, ensuring human accountability survives machine speed.^[62],[72]

The Pathfinder Board and the Human Commons

The JPB evolves into the Human Commons — a federated body managing the adaptive workforce as a living system. Its members include service chiefs, the CDAO, Office of the Undersecretary of Defense for Personnel & Readiness (OUSD/PR), and external advisors from academia and industry. Its charter is simple: maintain talent liquidity without eroding unit cohesion. To do so, it publishes:

• quarterly Skill Density Maps (by mission thread, clearance, and tier),
• annual Billet Saturation Reports (open vs. filled roles),
• and live Gig Utilization Metrics.^[106]

This data feeds both manpower policy (A1/G1/N1) and budget execution (BPAC dashboards). Each Pathfinder, reservist, or gig contractor becomes a node in a human mesh network governed by reputation, certification, and runtime proof of work.

This is what “manning as maneuver” looks like.

Strategic Continuity — From Election to Conflict

Every administration change risks erasing reform. 3OS governance anticipates this with two tools:

1. Runtime Lawfare Ledger: embeds the legal basis for programs (Title 10 authorities, OTAs, MOAs) into their evidence schema, ensuring a future administration cannot claim ignorance or delete lineage without creating an audit gap visible to Congress.^[82]
2. Institutional Memory Automation: every WepTac artifact (API FRAGO, Data SLA, Rights Menu, Ordering Guide) is versioned and archived in perpetuity in a digital doctrine registry. Doctrine updates are merged like software commits, preserving authorship, lineage, and rationale. The next Feinberg or Hicks doesn’t start from zero — they start from a diff.

The Role of Allies and the Civilian Arsenal

3OS governance also externalizes itself. Allies access validated evidence packages through reciprocity enclaves, governed by Five Eyes (especially the four members covered between the Australia, the United Kingdom & the United States (AUKUS) treaty and Canada & the United States through the North American Aerospace Defense Command (NORAD)) and North Atlantic Treaty Organization (NATO) Special Access Program (SAP) entitlements. Each shared artifact (code, model, dataset) carries its own LOAC compliance hash, ensuring interoperability doesn’t compromise sovereignty.

The Civilian Arsenal, managed under the Dual-Use WepTac framework, operates as a standing reserve: a network of pre-cleared manufacturers, data providers, and AI labs on continuous retainer. When war comes, they don’t bid—they scale. Industrial base mobilization becomes a function call, not a memo.^[29]

Measuring the Department of War

The Department of War is measured not by force size, but by learning velocity. Key performance metrics are tracked quarterly:

Metric	Definition	Target
Time-to-Field (T2F)	Idea → operational effect	≤ 90 days
Learning Latency	Hypothesis → validated lesson	≤ 30 days
Reciprocity Index	% of controls reused without re-audit	≥ 70%
Evidence Integrity	% of records verified end-to-end	≥ 95%
Human Liquidity	% of billets cross-filled via gig board	≥ 25%
Replication Velocity	Design → produced effect (Replicator)	≤ 14 days

When these metrics trend up, lethality follows automatically. No new slogan or directive is needed.

Future War: What Does Fight Tonight Look Like?

When combining Letters of Marque 2.0 with CYBERCOM's OCO responsibility through the lens of DIME, a lot of new targets open themselves up, and they must because WE ARE ALREADY AT WAR. Our enemies have a laundry list of vulnerabilities we currently hesitate to attack due to capacity, even though our enemies don't hesitate to inject themselves into our infrastructure.

Target their load-bearing beams

Russia: energy leverage. Their power projection rides on hydrocarbons and the ability to coerce via supply. The European Union's (EU's) REPowerEU moves and the wider European energy diversification agenda showed how to turn that lever back on Moscow—re-route flows, blunt pricing power, and shrink the coercion window.^[110],[111] Make this structural: treat liquefied natural gas (LNG) contracts, pipeline chokepoints, and grid interconnects as operational terrain; bake energy stress tests into wargames and diplomacy so Moscow’s best play carries political risk every time.

The final paragraph in the Russian section of paper #2, published in August of 2023 read the following:

The US DoD cannot afford to wait until Russia potentially collapses demographically or economically as Russia is already well aware of these shortfalls and has pivoted to exploit US philosophies, doctrines and policies as a weakness in hybrid war. Russia cannot wait for the turmoil caused by the 2024 election season to come fast enough and use their hybrid tools to potentially alleviate the DIME pressures. Quite to the contrary, the US must continue to ratchet up the pressure until Russia doesn't just capitulate in Ukraine, but is deterred from destabilizing western interests in perpetuity. Russia's aims don't seek to make the world a better place, but rather just to make a select group of Russians even richer than they already are through the use of deceit and death. Until that model is destroyed, Russia's nationalistic demise must remain a priority.

None of that has changed.

PRC: manufacturing + capital pipelines. Their advantage is scale (manufacturing) and reach (capital/tech acquisition). We don’t beat scale with rhetoric—we beat it with guardrails and alternatives. Tighten advanced computing export controls to slow military-use tech transfer;^[112] use Committee on Foreign Investment in the United States (CFIUS) authorities to shape the inbound/outbound capital that packages IP for re-export.^[113] Pair the stick with a carrot: onshore/ally-shore where it matters and standardize data contracts so coalition industry can plug in without bespoke integration costs. The goal isn’t autarky; it’s selective friction in the parts of the stack that convert to military advantage fast. China has a massive number of internal problems that will eventually force positive changes. These acts will keep China from leveraging their current advantages because imposition costs will always be higher than the outcome of rational actions.

There are several low cost ways to make Taiwan a porcupine that is impossible to grab and many of them are natural results of Distributed Lethality.

Iran & North Korea: sanctions evasion and cyber financing. Both regimes use cyber to raise funds and bypass controls; our lever is financial plumbing discipline plus consequences that stick. Treat Office of Foreign Asset Control's (OFAC's) ransomware guidance as a standing order: push compliance and transparency through exchanges, insurers, investor relations (IR) firms, and managed service providers (MSPs) so the easy off-ramps close.^[114] Combine that with public attributions and hunt-forward finds as well as Black List Letters of Marque 2.0 activities to keep their cost of doing business rising.

Non-State Actors. Near-peers gained valuable data from our farcical use of a Cold War military to fight the Global War on Terror (GWOT). We brought the wrong weapons, the wrong acquisition system, and the wrong strategy to a necessary war, and the results were disasters. We destroyed our coffers, indebted future generations of Americans, and crippled our warfighting capacity tremendously. When all you have is a hammer, everything looks like a nail. Using Distributed Lethality capabilities not only increases risk to near-peers that cannot keep up with American ingenuity at operational tempo, it lowers our cost of warfighting to make their use of proxies inefficient. Terror cells, narcotics cartels, and other transnational criminal organizations (TCOs) are not only easily defeated tactically, they become easily defeated from a fiscal and strategic perspective as well.

Keep “hack the voter” on the board

We learned the hard way that targeting the voter and the attention algorithms is cheaper than targeting the ballot box.^{[115],[116],[117],[118],[119],[120],[121]} In Part 2, we walked through how Russia and others pair narratives with cyber theft/leaks to generate cycles of outrage on platform rails; in Part 5, we argued for moving from ticket-clearing to campaigning with allies. Keep that energy: make defend forward the default posture—shape the environment before the news cycle starts.^[122] That means:

• Pre-bunk, not just debunk. Build content libraries and media partnerships that explain the playbook before it runs.
• Authenticity infrastructure. Verify provenance at machine speed for high-risk narratives (e.g., deepfakes tied to election timing).
• Information Operations (IO) + cyber pairing. When theft plus leak is the pattern, our counter is resilience ops (reduce the leak’s half-life) plus counter-exposure (burn the adversary’s TTPs in public to degrade future effect).

---

Implementation Roadmap

Phase I — 90 Days: Stand Up the Pipes, Prove the Loop

Commander’s intent: Pick two AORs and show that data, code, and models behave like maneuver elements (they can be tasked, protected, logged, and retired). No pilots that die in PowerPoint; two real threads from ops → telemetry → code change → redeploy in days.

1) Mission Data Contracts (AOR-1 & AOR-2).

• Artifacts: Joint data contracts that name the producers/consumers, schemas, latency/SLOs, decision rights, tear lines. They live in a repo—not a PDF—and changes are versioned like code.
• Owner: CDAO (contract template + metrics) with the component J-staffs and service commands owning fielding.
• Deliverable in 30 days: v0.1 contracts covering ISR → C2 → shooters for one priority mission per AOR (e.g., maritime fires in INDO-PACOM; C-UAS in US Central Command (CENTCOM)).
• Security posture: ZTA controls around “crown-jewel” datasets and model weights; inherit platform security where possible.

2) cATO Lanes and Pre-approved Pipelines.

• Artifacts: Two cATO lanes per AOR (one unclassified, one classified) with signed patterns, SBOM capture, CVE/KEV watch, and runtime guardrails; RMF risk as runtime policy, not a gate.
• Owner: Component AO + an authorized software factory stand up the CI/CD lane with cATO inheritance.
• Deliverable: Pipelines issuing signed deployables (container images + policies) to an edge cluster in-theater. The AO publishes the reusable “ATO playbook” to the repo (not a SharePoint graveyard).

3) Pathfinder Teams on-station.

• Artifacts: Two Pathfinder detachments (small, mixed teams: ops, telemetry engineer, model wrangler, API lead) attached to the AOR commander.
• Owner: USAF Pathfinder program provides the initial nucleus; each service mirrors with a small cadre; DIU brokered industry augmentation.
• Deliverable: A weekly effects review where the detachment briefs “diff to last week” (what code shipped, what tactics changed, what risk dropped). No slide decks—dashboards + logs.

4) SBOT v0.1.

• Artifacts: For the two priority missions, publish behavior libraries (formation behaviors, autonomy failsafes, C2 handoffs) as versioned packages with tests.
• Owner: AOR lead wings/divisions/equivalents + software factory liaison.
• Deliverable: Five behaviors per mission thread, each with safety invariants and telemetry hooks.

5) Metrics (begin day 1).

• T2P (CVE/KEV): measured from CISA KEV entry/MITRE CVE entry to the last relevant host updated in the AOR lane (target ≤ 72 hours by Day 90).
• T2F (MTA/Urgent Operational Need (UON)/Joint Urgent Operational Need (JUON)): signed artifact to operational use (target ≤ 30 days for changes; ≤ 120 days for a new capability using MTA/UON/JUON pathways).^[123]
• T2D (JADC2): sensor event to human decision with audit trail (baseline now; improvement target −30% by Day 90).
• Cost-per-effect (CCA/sUAS): dollars per validated effect delivered in exercise/ops (baseline now; method locked).
• Model SLOs: accuracy bands per use-case (with drift dwell alarms), and rollback SLO (minutes to safe behavior).

6) Anti-pilot discipline.

• Exit criteria for Phase I are not “demo complete.” They’re two closed loops where telemetry from the field generated code changes that changed tactics that improved a metric. If either loop stalls, we kill the lane or fix it within the 90 days.

7) Letters of Marque 2.0.

• Publish draft bounty schedules (Blue/Red) and coverage SLAs (White). Stand up the Letters-of-Marque Program Office (NSC-chaired; State/DoD/DoJ/Treasury/DHS/CISA/CYBERCOM/CDAO).
• Launch a pilot White List covering the top 200 OSS packages in our stacks; start reporting OSS risk dwell and dependency exposure.
• Build escrow/payment rails that are auditable to U.S. oversight and compliant with OFAC/anti-money laundering (AML), with privacy for vendors where lawful.

Phase II — 1 Year: Field Cheap Mass, Institutionalize the Scrimmage

Commander’s intent: Prove we can scale beyond a petri dish. Two million-plane pilot wings (read: CCAs plus thousands of sUAS and decoys across two bases), quarterly swarm/counter-swarm exercises, and a DIU-brokered insertion pipeline that moves dual-use tools from commercial stacks to the edge in weeks, not fiscal-years.

1) Two Million-Plane Pilot Wings.

• Structure: Each wing/division/equivalent owns a MOSA-compliant interface plan; runs an SBOT; treats sUAS procurement as consumables with pre-approved firmware agility; has a counter-C-UAS TTP cell.
• Owner: Major Commands (MAJCOMs/Army Command/Fleet/MEFs) designate wings/divisions/equivalents (one in the continental United States (CONUS), one outside CONUS (OCONUS)), with joint observers.
• Deliverables by Month 12:
  • Inventory: 3,000–5,000 sUAS + decoys, 50–100 attritable platforms/CCA surrogates, and a small fleet of autonomous ground vehicles for logistics.
• Ops: Four quarterly swarm/counter-swarm scrimmages that produce new behaviors and firmware counter-updates each time.
• Safety: Directed-energy and EW de-confliction playbooks tied to range control (our SpaceX-style runtime interlocks for ground/air safety).
• Interoperability: API FRAGOs for at least three mission-to-mission handoffs (e.g., ISR→fires, C-UAS→base defense, logistics→ACE).

2) DIU-led Insertion Pipeline.

• What changes: DIU becomes the single-front-door for dual-use capability drops into the two wings/divisions/equivalents. We pay on outcome CLINs (effects with telemetry), not level-of-effort, and we refuse forked codebases.
• Mechanics:
  • Commercial to cATO in ≤ 30 days via contracted middleware^[23] and inherited controls (no bespoke rebuilds unless safety demands it).
• Outcome scoring: Time-to-value from contract award to effect in a scrimmage; “two-sprint rule” (if we can’t show effect in 2 sprints, we either pivot the requirement or kill it).
• Budgeting: Services keep SBIR/STTR tax flows (AFWERX et al. stay service-aligned), but DIU prioritizes and sequences joint inserts and publishes the scoreboard.

3) Quarterly Red-Team Cadence (becoming muscle memory).

• Swarm-on-swarm with deception/economic traps that force adversary “inventory burn.”
• ACE logistics raids: adversary cell targets our fuel, parts, spectrum, and base data pipes; we measure survival under contestation.
• Algorithmic influence table-top exercise (TTX): treat platform algorithms as terrain and run truth-forward campaigns with allies; measure inoculation and counter-messaging speed.
• Rules: Every quarter must generate new datasets, changed TTPs, and at least one deprecation (killing a tactic or tool is a win).

4) Metrics (ratcheting targets).

• T2P (CVE/KEV): ≤ 48 hours in wing/division/equivalent lanes by Month 12.
• T2F (MTA/UON/JUON): ≤ 14 days for code/config changes; ≤ 90 days for new capability in the wing/division/equivalent stack.
• T2D (JADC2): −50% from baseline for named threads; audit trails show decision origin and model influence.
• Cost-per-effect: published per scrimmage (include decoy and deception wins; drive dollars per defended asset hour down).
• Model SLOs: accuracy, drift dwell, rollback time, and “adversarial robustness” measured in live red-team runs.
• CICO (code-in/code-out): ratio of new code merged vs. code retired. A healthy wing/division/equivalent kills old code.

5) Policy bolts tightened by Year-1.

• API FRAGO order: “If it isn’t on the bus, it isn’t in the fight.” Each wing/division/equivalent publishes its public (coalition-safe) schemas and internal secret annexes; all tasking messages align.
• BPAC pilot: Budget Program Activity Codes aligned to value streams (JADC2 thread, C-UAS thread, ACE logistics thread) rather than platforms; commanders can re-weight within BPAC without new paperwork (with reporting back to PPBE).
• Other services implement manning (through service equivalent Program Action Directive (PAD)) for their equivalents of the USAF Pathfinder, creating billets, affirming their participation in the joint IQC.
• No fork clause: Contract language bans bespoke forks to meet compliance; vendors ship the same core with wrappers; we pay for outcome, not ceremony.

6) Letters of Marque 2.0—Year-1.

• First Black List tranche (narrow scope): e.g., named GRU elements or groups like the Internet Research Agency (IRA) with strictly bounded disruption effects.
• Quarterly scorecards: CVE/KEV dwell (Red), SBOM coverage (White), time-to-effect and cost-per-effect (Black), and collision rate with ongoing ops.
• Bake bounty results into our wing/divisions/equivalents scrimmages and hunt-forward exchanges; convert best Red/White finds into immediate cATO pushes to the field.

Phase III — 2–3 Years: Lock in the Budget Physics, Make Green on JADC2

Commander’s intent: Convert momentum into structure. Two new Major Force Programs—MFP-CYBER and MFP-INNOVATION—fund the metabolism directly; PPBE scoring pays for effects shipped and technical debt retired; JADC2 metrics go green for named threads across combatant commands.

1) MFP-CYBER and MFP-INNOVATION live.

• Why: SOCOM's lesson is clear: a UCC with a dedicated MFP can steer purpose-built resources. We need the same for CYBERCOM (campaigns, hunt-forward, cyber logistics, dual-use software) and for DIU (inserts, standards, and the innovation franchise).
• What changes:
  • CYBERCOM gets its MFP: hunt-forward, persistent engagement, and shared tooling aren’t ad hoc asks—they’re the funded plan.
• DIU gets MFP-INNOVATION: funds lanes, franchises, and outcome buys across services; holds the joint scoreboard and the no-fork whip.^[49]
• Services retain SBIR/STTR equity (but must be executed by the innovation organizations beneath DIU, such as AFWERX, etc.)

2) PPBE incentives re-weighted to software effects.

• Mechanics:
  • Outcome CLINs normalized in contracts (effects with telemetry = payment).
• Deprecation credits: retiring dead apps/hardware earns budget points (and frees sustainment tail).
• BPAC expanded: every JADC2 thread and C-UAS/ACE thread runs as a managed value stream with reprogrammable funding bands (within congressional oversight).
• Annual posture hearings include T2D, Time-to-Patch, Cost-per-Effect tables alongside end-strength.
• Tools: GAO-style audits refocused to “goal attainment” for JADC2 rather than box-checking, and PPBE Commission recommendations baked into the reweighting.^{[18],[19],[39],[92]}

3) JADC2 metrics green across named threads.

• Definition of green:
  • Coverage: named mission threads (at least four per UCC) have contracts, lanes, and measured decisions within SLOs.^[7],[24]
• Interchange: cross-service data exchange hits SLA > 99% for mission-critical paths.
• Change rate: average code/config change that touches a mission thread deploys in days, not months.
• Resilience: CVE/KEV patching SLOs met for 95% of fleet within 48 hours; top-5 model drifts detected and corrected within target dwell windows.^[46]

4) Human system fully grown-in.

• Pathfinders: DoD-wide career field (mirroring USAF), with billets embedded in every UCC/Joint Task Force (JTF), plus a formal DVP requirement (industry rotations) feeding the gig board.
• Gig economy: cross-service tasking board with pre-cleared industry and reserve talent; pay by artifact and effect; one week to onboard to any wing/division/equivalent lane.
• Leadership training: intermediate and senior schools now include “API FRAGO practicum” and runtime risk labs; weapons school instructors co-author SBOT behaviors.

---

Epilogue — The Future of the Third Offset

The Third Offset is not a weapons program or a think tank slogan. It is the recognition that the industrial age of warfare is over — and the informational age is one in which speed, evidence, and adaptability are sovereign. The Department of War’s mission is therefore not only to win every battle, but to ensure no adversary learns faster than we do.

When every process, person, and platform emits evidence —
When every budget line learns, every contract adapts, every soldier iterates —
When learning velocity itself becomes deterrence —
Then the Third Offset will have fulfilled its purpose.
Because war will have been offset not by technology, but by intelligence —
Our own.

---

Works Cited

¹ Boyd, John R. 2018. A Discourse on Winning and Losing. Maxwell AFB, AL: Air University Press.

² Pellerin, Cheryl. 2016. Deputy Secretary Discusses Third Offset, First Organizational Construct. September 21.

³ Gansberger, Donald. 2023. Three Hammers. September 20.

⁴ Gansberger, Donald. 2025. Tactical Cyber: Why the Model of Sacrificing All Victories for Strategic Illusion Never Works. September 9.

⁵ DoD CIO. 2024. DevSecOps Continuous Authorization Implementation Guide. March.

⁶ DoD Chief Information Office. 2023. DevSecOps Reference Design v2.0.

⁷ Department of Defense. 2023. 2023 DoD Cyber Strategy. Washington, DC.

⁸ White House. 2023. National Cybersecurity Strategy. March 2.

⁹ Joint Chiefs of Staff. 2022. Joint Publication 3-12: Cyberspace Operations. June 8.

¹⁰ AFWERX. 2024. Department of the Air Force Innovation Directorate Overview.

¹¹ Department of the Navy. 2024. NavalX.

¹² Marine Innovation Unit. 2024. MIU.

¹³ United States Army. 2025. Army Applications Lab.

¹⁴ Acquisition.gov. 2024. FAR Part 12: Acquisition of Commercial Products and Services.

¹⁵ Cybersecurity and Infrastructure Security Agency (CISA). 2023. Zero Trust Maturity Model. Version 2.0.

¹⁶ National Security Agency & CISA. 2023. CNSA Suite 2.0.

¹⁷ Leveson, Nancy, et al. 2020. System-Theoretic Process Analysis: STPA for Engineering Safety-Critical Systems. NIST SP 800-160 Rev. 1.

¹⁸ Gansberger, Donald, Victor Lopez, and William Young Jr. PhD. 2025. System-Theoretic Process Analysis for Security (STPA) and Commander’s Risk for Risk Management Framework. July 18.

¹⁹ Young, William Jr. PhD. 2019. System-Theoretic Process Analysis for Security (STPA-SEC): Cyber Security and STPA. March 25.

²⁰ Hegseth, Peter. 2025. Directing Modern Software Acquisition to Maximize Lethality. March 6.

²¹ DoD Instruction 5000.87. 2020 (C1, 2022). Operation of the Software Acquisition Pathway.

²² Acquisition.gov. 2024. FAR Part 39: Acquisition of Information Technology.

²³ Metz, Danielle. 2025. Modernizing the Department of Defense’s Authorization to Operate Process For Agility. March 20.

²⁴ Nunn, Sam, and William Cohen. 1987. Nunn–Cohen Amendment: Establishment of U.S. Special Operations Command and MFP-11. U.S. Congress, 100th Congress, Title IX, Section 1311.

²⁵ MITRE. 2025. CVE: Common Vulnerabilities and Exposures.

²⁶ Cybersecurity and Infrastructure Security Agency. 2021–2025. Known Exploited Vulnerabilities (KEV) Catalog.

²⁷ Office of the Under Secretary of Defense for Research & Engineering. 2023. Modular Open Systems Approach (MOSA).

²⁸ PPBE Reform Commission. 2024. Final Report on Budget Agility and BPAC-like Mechanisms. March 12.

²⁹ DoD CIO. 2024. Cyber Excepted Service (CES) Overview.

³⁰ Congressional Budget Office. 2020. Approaches to Changing Military Compensation. January 14.

³¹ DoD Office of Systems Engineering and Architecture. 2025. Software Engineering for Continuous Delivery of Warfighting Capability. July.

³² DoD Instruction 5000.80. 2019 (C1, 2023). Operation of the Middle Tier of Acquisition (MTA).

³³ Department of Defense. 2022. DoD Announces Release of JADC2 Implementation Plan. March 17.

³⁴ National Institute of Standards and Technology. 2020. Security and Privacy Controls for Information Systems and Organizations (SP 800-53, Rev. 5). September.

³⁵ DARPA. 2024. Automated Rapid Certification of Software (ARCOS).

³⁶ American Binary. 2025. MaxKyber Product Page.

³⁷ McDowell, Jonathan. 2025. Jonathan's Space Pages: Starlink Statistics. September 15.

³⁸ Department of Defense. 2020. DoD Data Strategy. September 30.

³⁹ Crosby, Courtney, PhD. 2020. Operationalizing Artificial Intelligence for Algorithmic Warfare. July-August.

⁴⁰ Department of Defense. 2024. Chief Digital and Artificial Intelligence Officer. November 18.

⁴¹ Hurst, Jules. 2022. Fixing Defense Innovation: Rewriting Acquisition and Security Regulations. October 27.

⁴² Hopkins, Michael. 2011. The Exceptionalist's Approach to Private Sector Cybersecurity: A Marque and Reprisal Model. August 15.

⁴³ The NATO Cooperative Cyber Defence Centre of Excellence. 2021. Tallinn Manual 3.0.

⁴⁴ Department of Defense. 2021. Responsible AI Strategy & Implementation Pathway. May 26.

⁴⁵ Rowden, VADM Thomas, RADM Peter Gumataotao, and RADM Peter Fanta. 2015. Distributed Lethality. January.

⁴⁶ Kendall, Frank. 2024. Affordable Mass and Attritable Systems: USAF Posture Statement to Congress.

⁴⁷ Hicks, Kathleen H. 2023. Remarks Announcing the Replicator Initiative. August 28.

⁴⁸ Department of Defense. 2024. Continuous ATO Evaluation Criteria (DevSecOps Use Case).May 30.

⁴⁹ Department of the Navy. 2021. Unmanned Campaign Framework. March 16.

⁵⁰ NATO. 2015. STANAG 4586 –Standard Interfaces of UAV Control System (UCS) for NATO UAV Interoperability. January 20.

⁵¹ DARPA. 2024. Air Combat Evolution (ACE).

⁵² Tirpak, John. 2023. Kendall: Air Force Wants as Many as 2,000 CCAs with a Common, Modular Airframe. March 16.

⁵³ National Institute of Standards and Technology (NIST). 2023. AI Risk Management Framework 1.0 (AI RMF). January 26.

⁵⁴ Arquilla, John and David Ronfeldt. 2000. Swarming and the Future of Conflict. October 13.

⁵⁵ Department of Defense. 2023. Directive 3000.09 — Autonomy in Weapon Systems (Update 2023).

⁵⁶ Defense Acquisitions University. 2025. PBL Overview.

⁵⁷ DoD CIO. 2024. Cyber Information Technology Exchange Program (CITEP).

⁵⁸ U.S. Marine Corps. 2023. Forging the Future: How Advanced Manufacturing Is Revolutionizing Marine Corps Logistics. October 5.

⁵⁹ U.S. Office of Personnel Management. 2024. Direct Hire Authority (Cyber/IT & STEM).

⁶⁰ NTIA & OpenSSF. 2021. Software Bill of Materials (SBOM) Minimum Elements.

⁶¹ RAND Corporation. 2025. One Team, One Fight.

⁶² Bates, Emma and S. Ryan Quick. 2025. Drones Aren’t Swarming Yet — But They Could. War on the Rocks. August 4.

⁶³ Salman, Muhammad, David Garzón Ramos, and Mauro Birattari. 2024. Automatic design of stigmergy-based behaviours for robot swarms. February 14.

⁶⁴ Demarest, Colin. 2023. Anduril unveils Anvil-M counter-drone kit that can defeat smaller UAS. October.

⁶⁵ Beaucar Vlahos, Kelley. 2023. The cost of US fighting Houthis in the Red Sea just went up. December 19.

⁶⁶ Alia-Novobilski, Marisa. 2020. AFMC digital campaign aims to modernize, streamline life cycle process. June 8.

⁶⁷ IBM Research. 2021. Deep Blue and the Legacy of Human–Computer Competition.

⁶⁸ Eversden, Andrew. 2020. AI algorithm defeats human fighter pilot in simulated dogfight. August 21.

⁶⁹ DARPA. 2024. Artificial Intelligence Reinforcements (AIR).

⁷⁰ DARPA. 2020. OFFSET (Offensive Swarm-Enabled Tactics) Program Overview.

⁷¹ Xiao, Yuchen, Weihao Tan, Joshua Hoffman, Tian Xia, and Christopher Amato. 2024. Asynchronous multi-agent deep reinforcement learning under partial observability. September 20.

⁷² Department of Defense and Department of State. 2023. Law of War Manual (Updated 2023). July.

⁷³ DIU. 2025. Replicator Initiative.

⁷⁴ Bressers, Josh. 2021. Viewpoint: The Future of Software Supply Chain Security. November 16.

⁷⁵ Department of Defense. 2020. DoDI 8320.02 (C1): Sharing Data, Information, and Information Technology (IT) Services in the Department of Defense . June 24.

⁷⁶ Air Combat Command. 2025. Air Force Concludes WEPTAC 2025. February 20.

⁷⁷ Black Hat Conference. 2024. Black Hat USA: Briefings & Trainings.

⁷⁸ DEF CON. 2024. DEF CON Conference Overview.

⁷⁹ U.S. Small Business Administration. 2023. SBIR/STTR Policy Directive. May 3.

⁸⁰ United States Code. 2024. 10 U.S.C. § 4022 (Other Transaction Authority).

⁸¹ SBIR.gov. 2024. SBIR/STTR Phase III: What Makes Phase III So Valuable?

⁸² AcqNotes. 2024. Contracts & Legal: Other Transaction Authority (OTA) February 7.

⁸³ SBIR.gov. 2025. SBIR/STTR Guide.

⁸⁴ Acquisition.gov. 2024. FAR Subpart 4.10—Uniform Use of Line Items (CLIN/SLIN Structure).

⁸⁵ Gansberger, Donald. 2025. Just a Glimpse - How to go from a dual-use commercial venture into the Department of Defense as a Program of Record: a tale of misery, torture and ugliness. January 14.

⁸⁶ OSD. 2018. DoD Digital Engineering Strategy.

⁸⁷ Sion, Michael, John Wenzel, and Eric Quirk. 2025. Defense Investment at a Turning Point. September.

⁸⁸ Acquisition.gov. 2024. DFARS Part 227: Rights in Technical Data and Computer Software.

⁸⁹ Defense Acquisition University. 2025. DFARS 252.227-7013: Rights in Technical Data—Other Than Commercial Products and Commercial Services. October 1.

⁹⁰ Defense Acquisition University. 2017. Understanding and Leveraging Data Rights in DoD Acquisitions. July 24.

⁹¹ OUSD(A&S). 2025. Intellectual Property Guidebook for DoD Acquisition. April 30.

⁹² Defense Acquisitions University. 2023. Product Support - Contract Data Requirements List (CDRL) and Data Item Descriptions (DID).

⁹³ Acquisition.gov. 2024. DFARS Part 239: Acquisition of Information Technology.

⁹⁴ Acquisition.gov. 2024. FAR Part 9: Contractor Qualifications (Use in Evidence-Driven Source Selection).

⁹⁵ Held, Bruce, Thomas R. Edison, Jr., Shari Lawrence Pfleeger, Philip S. Anton, and John Clancy. 2006. Evaluation and Recommendations for Improvement of the Department of Defense Small Business Innovation Research (SBIR) Program. October 31.

⁹⁶ Small Business Administration. 2024. SBIR Program Overview.

⁹⁷ Government Accountability Office (GAO). 2021. Small Business Innovation Research: Agencies Need to Fully Implement Requirements for Managing Fraud, Waste, and Abuse. June 30.

⁹⁸ AFWERX. 2025. AFWERX: Get Funded.

⁹⁹ Rogue. 2023. How to Sell Technology to the Government.

¹⁰⁰ Klein, Mark et al. 2015. High-Speed Idea Filtering with the Bag of Lemons.

¹⁰¹ AFWERX. 2024. Spark Cells and Unit-Level Innovation.

¹⁰² Defense Acquisition University. 2023. Building a Repeatable Innovation Career Path.

¹⁰³ Wrigley, Cara, Genevieve Mosely, and Michael Mosely. 2021. Defining Military Design Thinking: An Extensive, Critical Literature Review. Spring.

¹⁰⁴ Feijao, Carolina, Isabel Flanagan, Christian Van Stolk, and Salil Gunashekar. 2021. The global digital skills gap. December 15.

¹⁰⁵ Johnson, Jamie. 2024. Looking Back on My Journey with Defense Ventures. November 19.

¹⁰⁶ McQuillen, Blair. 2025. The Gig Economy Revolution: How HR Must Adapt to Thrive in the New World of Work. August 26.

¹⁰⁷ Chandramouli, Ramaswamy and Zack Butcher. 2020. NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture. May.

¹⁰⁸ U.S. Air Force. 2024. Education With Industry (EWI) Program.

¹⁰⁹ Marcell, Christopher, Gaylon McAlpine, Reagan Schaupp, and Joseph Varuolo. 2025. The Urgency of Warfighting Renewal: Five Principles for Today’s Professional Military Education. January 27.

¹¹⁰ Keliauskaitė, Ugnė, Simone Tagliapietra, and Georg Zachmann. 2025. Europe urgently needs a common strategy on Russian gas. April 2.

¹¹¹ European Commission. 2022. REPowerEU Plan: Communication from the Commission (COM/2022/230). May 18.

¹¹² U.S. Department of Commerce, BIS. 2022. Implementation of Additional Export Controls: Advanced Computing and Semiconductor Manufacturing Items (Interim Final Rule). Federal Register, Oct 13.

¹¹³ The White House. 2022. Executive Order 14083 — Ensuring Robust Consideration of Evolving National Security Risks by CFIUS. September 15.

¹¹⁴ U.S. Department of the Treasury. 2021. OFAC Ransomware Payments Advisory. September 21.

¹¹⁵ U.S. Senate Select Committee on Intelligence. 2020. Russian Active Measures Campaigns and Interference in the 2016 U.S. Election. Multi-volume report.

¹¹⁶ United States District Court. 2018. United States of America vs. Internet Research Agency et al. February 16.

¹¹⁷ Timberg, Craig, et al. 2017. Russian content on Facebook, Google and Twitter reached far more Americans than thought. October 30.

¹¹⁸ U.S. Department of Justice. 2019. Report on the Investigation into Russian Interference in the 2016 Presidential Election (Mueller Report), Vol. I. March 7.

¹¹⁹ ODNI. 2017. Assessing Russian Activities and Intentions in Recent U.S. Elections. January 6.

¹²⁰ U.S. Senate Select Committee on Intelligence. 2019. Report Vol. II: Russia’s Use of Social Media. October 8.

¹²¹ Dwoskin, Elizabeth, et al. 2017. Russian ads, now public, show sophistication of the influence campaign. November 1.

¹²² U.S. Cyber Command. 2018. Achieve and Maintain Cyberspace Superiority: Command Vision for USCYBERCOM. April.

¹²³ DAU Adaptive Acquisition Framework. 2024. Framework Navigator (SAP/MTA/Urgent).

---

Other References

^a1 Clausewitz, Carl von. 1873/1976. On War. (Howard & Paret translation excerpts)

^a2 Sun Tzu. 1910. The Art of War. Translated by Lionel Giles. Project Gutenberg.

^a3 Truman Presidential Library. 1948. Functions of the Armed Forces and the Joint Chiefs of Staff (Key West Agreement). March.

^a4 Osinga, Frans P.B. 2006. Science, Strategy and War: The Strategic Theory of John Boyd. Routledge.

^a5 NATO CCDCOE. 2008. Cyber Attacks Against Georgia: Legal Lessons.

^a6 Glenn, Russell W. 2008. Trust and Leadership in Counterinsurgency. Parameters.

^a7 Yegge, Steve. 2011. Steve Yegge's Google Platforms Rant.

^a8 Hollis, David. 2011. Cyberwar Case Study: Georgia 2008. Small Wars Journal.

^a9 Symantec. 2011. W32.Stuxnet Dossier. February. (Note: Link redirects, content verified)

^a10 Glenn, Russell W. 2013. Rethinking Western Approaches to Counterinsurgency. SSI.

^a11 Langner, Ralph. 2013. To Kill a Centrifuge. November.

^a12 Rule, LtCol Jeffrey N. 2013. A Symbiotic Relationship: The OODA Loop, Intuition, and Strategic Thought. March.

^a13 U.S. Digital Service. 2014. U.S. Digital Services Playbook. August. (Note: Link redirects to main site, Playbook content verified)

^a14 Zetter, Kim. 2014. Countdown to Zero Day (excerpt & coverage). November 11.

^a15 E-ISAC & SANS ICS. 2016. Analysis of the Cyber Attack on the Ukrainian Power Grid. March 18.

^a16 U.S. Department of Defense. 2016. DoD to Launch “Hack the Pentagon” Cyber Bug Bounty Program. March 2.

^a17 Center for Strategic and International Studies. 2016. The Kremlin Playbook: Understanding Russian Influence in Central and Eastern Europe. October 13.

^a18 Intel. 2017. Intel Drone Light Show Takes to the Skies for Super Bowl LI Halftime. Feb 5.

^a19 Snider, Mike. 2017. Lady Gaga’s 300 drones light up halftime show. USA Today, Feb 5.

^a20 Leveson, Nancy & Thomas, John. 2018. STPA Handbook. MIT PSAS.

^a21 Nakashima, Ellen & Timberg, Craig. 2019. Cyber Command disrupted IRA on 2018 election day. February 27.

^a22 U.S. Department of Justice. 2019. Report on the Investigation into Russian Interference in the 2016 Presidential Election (Mueller Report), Vol. I. March 7.

^a23 Boyd, John R. 1989 (transcript). Patterns of Conflict (USMC Command & Staff College).

^a24 Fadok, David S. 1995. John Boyd and John Warden: Air Power’s Quest for Strategic Paralysis. Air University.

^a25 Meilinger, Phillip S., ed. 1997. The Paths of Heaven: The Evolution of Airpower Theory. Air University Press.

^a26 Glenn, Russell W. 2001. Reading Athena’s Dance Card: Men Against Fire in Vietnam. RAND.

^a27 Barnett, Thomas P.M. 2005. Let’s Rethink America’s Military Strategy. TED.

^a28 Barnett, Thomas P.M. 2005. The Pentagon’s New Map. TED Talk.

^a29 Knutson, Barbara et al. 2005. How Should the Army Use Contractors on the Battlefield? RAND.

^a30 Schwartz, Moshe. 2011. DoD Contractors in Afghanistan and Iraq: Background and Analysis. CRS.

^a31 Boyd, John. 1987. A Discourse on Winning and Losing (Briefing Compendium). Air University.

^a32 ODNI. 2017. Assessing Russian Activities and Intentions in Recent U.S. Elections. January 6.

^a33 U.S. Senate Select Committee on Intelligence. 2019. Report Vol. II: Russia’s Use of Social Media. October 8.

^a34 Gordon, Randy. 2019. Special Lecture: F-22 Flight Controls. (Video)

^a35 U.S. Marine Corps. 2023. Forging the Future: How Advanced Manufacturing Is Revolutionizing Marine Corps Logistics. October 5.

^a36 U.S. Office of Personnel Management. 2024. Direct Hire Authority (Cyber/IT & STEM).

^a37 RAND Corporation. 2025. One Team, One Fight.

^a38 Salman, Muhammad, David Garzón Ramos, and Mauro Birattari. 2024. Automatic design of stigmergy-based behaviours for robot swarms. February 14.

^a39 Alia-Novobilski, Marisa. 2020. AFMC digital campaign aims to modernize, streamline life cycle process. June 8.

^a40 IBM Research. 2021. Deep Blue and the Legacy of Human–Computer Competition.

^a41 Eversden, Andrew. 2020. AI algorithm defeats human fighter pilot in simulated dogfight. August 21.

^a42 DARPA. 2024. Artificial Intelligence Reinforcements (AIR).

^a43 DARPA. 2020. OFFSET (Offensive Swarm-Enabled Tactics) Program Overview.

^a44 Department of Defense and Department of State. 2023. Law of War Manual (Updated 2023). July.

^a45 DIU. 2025. Replicator Initiative.

^a46 Bressers, Josh. 2021. Viewpoint: The Future of Software Supply Chain Security. November 16.

^a47 Department of Defense. 2020. DoDI 8320.02 (C1): Sharing Data, Information, and Information Technology (IT) Services in the Department of Defense . June 24.

^a48 Air Combat Command. 2025. Air Force Concludes WEPTAC 2025. February 20.

^a49 Black Hat Conference. 2024. Black Hat USA: Briefings & Trainings.

^a50 DEF CON. 2024. DEF CON Conference Overview.

^a51 U.S. Small Business Administration. 2023. SBIR/STTR Policy Directive. May 3.

^a52 United States Code. 2024. 10 U.S.C. § 4022 (Other Transaction Authority).

^a53 SBIR.gov. 2024. SBIR/STTR Phase III: What Makes Phase III So Valuable?

^a54 AcqNotes. 2024. Contracts & Legal: Other Transaction Authority (OTA) February 7.

^a55 SBIR.gov. 2025. SBIR/STTR Guide.

^a56 Acquisition.gov. 2024. FAR Subpart 4.10—Uniform Use of Line Items (CLIN/SLIN Structure).

^a57 Gansberger, Donald. 2025. Just a Glimpse - How to go from a dual-use commercial venture into the Department of Defense as a Program of Record: a tale of misery, torture and ugliness. January 14.

^a58 Sion, Michael, John Wenzel, and Eric Quirk. 2025. Defense Investment at a Turning Point. September.

^a59 Acquisition.gov. 2024. DFARS Part 227: Rights in Technical Data and Computer Software.

^a60 Defense Acquisition University. 2025. DFARS 252.227-7013: Rights in Technical Data—Other Than Commercial Products and Commercial Services. October 1.

^a61 Defense Acquisition University. 2017. Understanding and Leveraging Data Rights in DoD Acquisitions. July 24.

^a62 OUSD(A&S). 2025. Intellectual Property Guidebook for DoD Acquisition. April 30.

^a63 Defense Acquisitions University. 2023. Product Support - Contract Data Requirements List (CDRL) and Data Item Descriptions (DID).

^a64 Acquisition.gov. 2024. DFARS Part 239: Acquisition of Information Technology.

^a65 Acquisition.gov. 2024. FAR Part 9: Contractor Qualifications (Use in Evidence-Driven Source Selection).

^a66 Held, Bruce, Thomas R. Edison, Jr., Shari Lawrence Pfleeger, Philip S. Anton, and John Clancy. 2006. Evaluation and Recommendations for Improvement of the Department of Defense Small Business Innovation Research (SBIR) Program. October 31.

^a67 Small Business Administration. 2024. SBIR Program Overview.

^a68 Government Accountability Office (GAO). 2021. Small Business Innovation Research: Agencies Need to Fully Implement Requirements for Managing Fraud, Waste, and Abuse. June 30.

^a69 AFWERX. 2025. AFWERX: Get Funded.

^a70 Rogue. 2023. How to Sell Technology to the Government.

^a71 AFWERX. 2024. Spark Cells and Unit-Level Innovation.

^a72 Defense Acquisition University. 2023. Building a Repeatable Innovation Career Path.

^a73 Wrigley, Cara, Genevieve Mosely, and Michael Mosely. 2021. Defining Military Design Thinking: An Extensive, Critical Literature Review. Spring.

^a74 Feijao, Carolina, Isabel Flanagan, Christian Van Stolk, and Salil Gunashekar. 2021. The global digital skills gap. December 15.

^a75 Johnson, Jamie. 2024. Looking Back on My Journey with Defense Ventures. November 19.

^a76 McQuillen, Blair. 2025. The Gig Economy Revolution: How HR Must Adapt to Thrive in the New World of Work. August 26.

^a77 Chandramouli, Ramaswamy and Zack Butcher. 2020. NIST SP 800-204A: Building Secure Microservices-based Applications Using Service-Mesh Architecture. May.

^a78 U.S. Air Force. 2024. Education With Industry (EWI) Program.

^a79 Marcell, Christopher, Gaylon McAlpine, Reagan Schaupp, and Joseph Varuolo. 2025. The Urgency of Warfighting Renewal: Five Principles for Today’s Professional Military Education. January 27.

^a80 Keliauskaitė, Ugnė, Simone Tagliapietra, and Georg Zachmann. 2025. Europe urgently needs a common strategy on Russian gas. April 2.

^a81 Global Energy Monitor. 2023. Russian Gas and Europe 2023. December.