Air Force Moves to Commercial-First IT, Outsources Networks and Cuts Customization

Air Force IT Leaders Adopt Commercial-First Strategy

Dec. 16, 2025 - The Department of the Air Force is moving to a commercial-first approach for IT, following direction from Defense Secretary Pete Hegseth. CIOs across several DAF organizations say they will outsource networks and other infrastructure and push vendors to deliver standard offerings with far less customization.

The goal is simple: buy what already works, configure lightly, and ship faster. This shift changes how programs are planned, bought, secured, and measured.

What "commercial-first" actually means

• Commercial SaaS, PaaS, and managed services by default; custom builds only when mission-unique needs are proven.
• Configuration over customization to stay on vendor upgrade paths and reduce sustainment drag.
• Performance- and outcome-based contracts with clear SLAs and shared accountability.
• Standardized platforms to cut duplicates and retire aging on-prem gear where practical.

Why this matters

• Speed: shorter procurement and deployment cycles, faster security patching.
• Cost discipline: fewer bespoke integrations and lower sustainment overhead.
• Workforce focus: shift time from maintaining legacy stacks to mission software and data.
• Consistency: common tooling, logging, and controls improve visibility and audits.

Near-term moves you'll likely see

• Network- and Security-as-a-Service pilots expanding across bases and tenant units.
• Consolidation around a smaller set of approved collaboration, endpoint, and identity platforms.
• Contract language that prioritizes open standards, portability, and measurable service levels.
• Aggressive retirement of low-value custom tools duplicated by commercial suites.

Implications by role

For government and program leaders

• Publish "configure-not-customize" guardrails and enforce through technical authorities and reviews.
• Use ATO reciprocity where possible; don't re-assess already-approved services without cause.
• Write to outcomes: uptime, time-to-field, incident response, user satisfaction.
• Bake in data ownership, portability, and exit plans from day one.

For IT and security teams

• Shift skills toward vendor management, SRE practices, and FinOps.
• Implement Zero Trust controls across identity, device, network, and data planes.
• Map services to classification levels (IL2-IL6) and segment accordingly.
• Standardize telemetry (e.g., OpenTelemetry) for monitoring and compliance.

For developers

• Build on platform APIs and managed services first; only go custom for validated mission gaps.
• Adopt IaC, SBOM, and policy-as-code to keep compliance continuous.
• Target an "80/15/5" rule: 80% commercial fit, 15% configuration, 5% custom code.

Procurement playbook (use this checklist)

• Start with a problem statement and market research; issue an RFI to confirm options.
• Specify standards support: SAML/OIDC, SCIM, SCQA logging, OpenTelemetry, REST/GraphQL APIs.
• Require FedRAMP Moderate/High (as needed) and alignment to DoD SRG impact levels.
• Define SLAs and credits for outages, latency, ticket response, and vulnerability remediation.
• Include data egress terms, key custody options, and clear exit/transition assistance.

Risk areas to manage

• Vendor lock-in: mitigate with modular architectures, open standards, and short option periods.
• Data protection: classify data correctly and enforce least privilege with strong identity controls.
• Continuity: test failover and COOP; require provider incident playbooks and joint exercises.
• Custom creep: track configuration drift and cap one-off integrations without governance approval.

Metrics that matter

• Time-to-field (requirements to production) and change lead time.
• TCO by service, including licensing, support, integration, and training.
• Mean time to detect/respond, patch latency, and compliance drift.
• User task success rate and help desk ticket volume per user.

What to retire first

• Custom point solutions duplicated by commercial suites.
• On-prem systems with poor utilization, high sustainment cost, or security gaps.
• Integrations that break on every vendor update due to heavy customization.

Standards and guidance

• FedRAMP authorization program for cloud security baselines.
• DoD Zero Trust Strategy for identity, segmentation, and data controls.

What to do next

• Inventory services, rate them by mission value and replaceability, and pick three quick wins for commercial replacement.
• Update acquisition templates with standards, SLAs, and exit requirements.
• Stand up a configuration governance board to keep platforms clean.
• Upskill teams on cloud services, automation, and vendor management. If you need a shortcut, see role-based learning paths at Complete AI Training.

This shift is clear: buy standard services, keep them clean, and focus scarce engineering time on mission outcomes. Less custom work. More delivery.