Modernizing Acquisition to Match the Speed of the Threat

Presented by Carahsoft

Caroline Bean, Director of Portfolio Acquisition Executive Command, Control, Communications Enterprise (PAEC3E) at DISA, joined host Francis Rose at TechNet Cyber 2026 to discuss what acquisition reform really means — not just for DISA's portfolio, but for the culture and workforce that have to live it.

Bean opened by explaining the significance of the name change to C3E — Command, Control, Communications Enterprise — and why it matters. The portfolio has always been about getting the right data to the right people at the right time for senior leaders and combatant commanders. The new name aligns DISA's portfolio with how the rest of the department speaks about command and control, while the "E" signals enterprise-wide scale and ambition.

The deeper challenge Bean described is cultural. Acquisition reform — streamlining processes, eliminating redundant steps, adopting out-of-the-box technology without customizing it to death — requires people to let go of deeply ingrained habits. Bean illustrated this vividly: if a commercial solution delivers a process in 10 steps, and the organization currently runs it in 50, the answer is not to shoehorn 50 steps into a 10-step tool. It's to restructure the organization around the 10-step process. That requires not just policy change, but genuine buy-in — and she acknowledged that not every member of the workforce will make the transition. The goal is to find the pockets of movement and build from there.

Bean also described her DevSecOps philosophy, in which security accreditation is not an end-of-pipeline event but a continuous thread woven through every phase of development. By embedding war fighters and stakeholders directly into the development process, DISA can fail fast early, catch vulnerabilities during design rather than after fielding, and deliver capabilities that actually match what operators need — when they need it. Industry partners, she said, are essential to this model — but they must come prepared to interoperate with what already exists, not just pitch standalone solutions.

Key Takeaways:

• Acquisition reform requires cultural transformation, not just process change — organizations must restructure around more efficient tools, not force legacy workflows into modern platforms.
• DevSecOps means embedding security and stakeholder input from day one — catching vulnerabilities during design rather than discovering them at the testing or fielding stage.
• Industry partners are most valuable when they understand the existing architecture and come prepared to interoperate — integration capability matters as much as individual product quality.