Naval Combat Systems Run on Software That Takes 5-7 Years to Update

The combat systems on U.S. Navy warships -- including the Aegis Weapon System on cruisers and destroyers, the Ship Self-Defense System (SSDS) on carriers and amphibious ships, and the combat management systems on submarines -- run on software baselines that take 5-7 years to develop, test, certify, and deploy. By the time a new software version reaches the fleet, the threat environment has already evolved, and the update cycle begins again. The Aegis system, the Navy's premier air and missile defense capability, currently operates across multiple software baselines (Baseline 9, Baseline 10) with some ships still running versions that are a decade or more old and cannot be easily upgraded due to hardware dependencies. This software ossification means that when a new threat emerges -- a novel missile trajectory, a new electronic warfare technique, a drone swarm tactic -- the Navy cannot rapidly update its combat systems to counter it. Commercial software companies push updates weekly; the Navy pushes combat system updates on multi-year cycles. A Chinese hypersonic glide vehicle that follows an unpredicted trajectory profile might not be trackable by an Aegis baseline that was designed before the threat existed, and patching that capability into the software could take years of development, integration testing, and fleet certification. The operational risk is compounding. As threats proliferate and evolve faster -- enabled by adversaries' own adoption of agile software development and AI -- the gap between the threat environment and the Navy's software-defined combat capabilities widens. The Navy is bringing a 2018 software baseline to a 2026 fight. This is not a theoretical concern: during real-world missile defense exercises, software limitations have caused tracking errors, engagement failures, and interoperability problems between ships running different baselines. The problem persists because naval combat system software development is trapped in a waterfall acquisition model designed for hardware procurement. The DoD's MIL-STD certification requirements, cybersecurity reviews (under the Risk Management Framework), and operational testing mandates (DOT&E) each add months or years to the update cycle. These processes exist for good reasons -- buggy combat system software can cause friendly fire incidents or system crashes during combat -- but they were designed for an era when threats evolved slowly and software was a secondary component of weapons systems. The Navy's DevSecOps initiatives and the Software Acquisition Pathway (created by the Adaptive Acquisition Framework) are intended to address this, but adoption has been slow. Combat system prime contractors (Lockheed Martin for Aegis, Raytheon for SSDS) have business models built around long-term, cost-plus software development contracts that incentivize lengthy development cycles over rapid iteration. The contractor workforce is organized around waterfall methodologies, and converting to agile/DevSecOps requires retraining thousands of engineers and restructuring contractual relationships -- changes that neither the government nor industry has fully committed to. The proprietary, vendor-locked nature of combat system software also prevents the Navy from independently modifying or updating its own systems. Unlike commercial software with open architectures and APIs, naval combat systems are closed ecosystems where only the prime contractor can make changes, creating a monopoly that slows updates and inflates costs.