Industry, Apr 12, 2026

Defense Contractors and Oracle Forms: ITAR, Classified Data, and the Compliance Trap

73 screens inside the fence

A publicly listed defense prime runs 73 Oracle Forms screens inside an ITAR-controlled enclave. The screens manage export license tracking, foreign national access controls, and technology transfer logs for a portfolio of programs worth 4.2 billion dollars a year. The application was built in 2001 for a single program. It now supports 14.

The enclave is air-gapped from the corporate network. Every patch requires a formal change control board. The last meaningful UI update was approved in 2013.

Why defense kept Forms the longest

Defense contractors operate under a compliance stack that punishes change. ITAR, EAR, NISPOM, CMMC, DFARS 252.204-7012, and for some programs FedRAMP High all sit on top of each other. Each adds review cycles. Each treats new software introductions as risk events. Oracle Forms survived because replacing it was harder than maintaining it.

We’ve reviewed Forms estates at four primes and two large subcontractors. Sizes range from 40 to over 300 screens. The programs they support often outlast the original developers by two decades.

The CMMC 2.0 reset

CMMC 2.0 changed the calculus. Level 2 assessments now require demonstrated control implementation for 110 NIST SP 800-171 controls. Several of those controls — audit logging, access enforcement, session management — surface immediate gaps in most Oracle Forms deployments.

A Forms application with shared database accounts, no individual session attribution, and a WebLogic tier running end-of-life Java is not passing a CMMC Level 2 assessment. We’ve seen three primes fail provisional assessments on exactly this pattern.

The ITAR problem is sharper than SOX

ITAR violations are criminal. A Forms screen that logs access to controlled technical data without reliable individual attribution is a reportable finding under 22 CFR Part 120. The State Department’s Directorate of Defense Trade Controls has been more active in the last 18 months than at any point in the preceding decade.

One subcontractor we spoke with discovered during an internal review that its foreign national access logs depended on a Forms trigger that had silently failed in 2022. Three years of access records were incomplete. The voluntary disclosure took nine months to prepare.
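The failure described above has two parts an assessor will ask about: an audit trail that went silent without anyone noticing, and access rows that exist but are attributed to a shared account rather than a person. The following is an added example, not code from the post or from any contractor it describes, of the kind of review a security officer can run over an exported audit table to surface both. The rows, account names, screen names and document ids are constructed for the example; the review window and the three-day silence threshold are assumptions a reviewer would tune to the screen's real usage pattern.

```python
from datetime import datetime, timedelta

# Constructed sample export of an application-level audit table: one row per access
# to controlled technical data, as a Forms trigger would have written it. Names,
# screens and document ids are made up for the example. "FORMS_APP" stands in for a
# shared schema account, which is not a person and so gives no individual attribution.
SAMPLE_AUDIT_ROWS = [
    {"ts": "2022-03-01T09:12:00", "actor": "jdoe",      "screen": "FN_ACCESS", "doc": "TD-1001"},
    {"ts": "2022-03-01T14:40:00", "actor": "asmith",    "screen": "FN_ACCESS", "doc": "TD-1002"},
    {"ts": "2022-03-02T10:05:00", "actor": "jdoe",      "screen": "FN_ACCESS", "doc": "TD-1003"},
    {"ts": "2022-03-02T16:30:00", "actor": "FORMS_APP", "screen": "FN_ACCESS", "doc": "TD-1004"},
    # No rows between 2 March and 30 March: this is what a silently failed trigger looks like.
    {"ts": "2022-03-30T11:00:00", "actor": "asmith",    "screen": "FN_ACCESS", "doc": "TD-1005"},
]

# Assumed: the security officer maintains the list of accounts that are shared, not individuals.
SHARED_ACCOUNTS = {"FORMS_APP"}


def find_silent_periods(rows, window_start, window_end, max_silence):
    """Return (start, end) pairs inside the review window during which no audit row
    was written for longer than max_silence. A screen that is used daily and then
    logs nothing for weeks is a signal that logging, not usage, stopped."""
    stamps = sorted(datetime.fromisoformat(r["ts"]) for r in rows)
    # Bound the window on both sides so silence at the start or end is also caught.
    points = [window_start] + [s for s in stamps if window_start <= s <= window_end] + [window_end]
    gaps = []
    for earlier, later in zip(points, points[1:]):
        if later - earlier > max_silence:
            gaps.append((earlier, later))
    return gaps


def unattributed_rows(rows, shared_accounts=SHARED_ACCOUNTS):
    """Rows whose actor is a shared account: present in the log, but not attributable
    to an individual, which is the gap an assessor will ask about."""
    return [r for r in rows if r["actor"] in shared_accounts]


def review_audit_log(rows, window_start, window_end, max_silence=timedelta(days=3)):
    """Bundle both checks into one report a reviewer can act on."""
    return {
        "silent_periods": find_silent_periods(rows, window_start, window_end, max_silence),
        "unattributed": [r["doc"] for r in unattributed_rows(rows)],
    }


def review_sample():
    """Run the review over the constructed rows for March 2022."""
    return review_audit_log(
        SAMPLE_AUDIT_ROWS,
        datetime(2022, 3, 1),
        datetime(2022, 3, 31, 23, 59, 59),
    )


if __name__ == "__main__":
    report = review_sample()
    for start, end in report["silent_periods"]:
        print(f"no audit rows from {start} to {end} ({(end - start).days} days)")
    print("accesses without individual attribution:", report["unattributed"])
```

Run on a real export, the silence check is only meaningful against a screen's normal cadence, so the threshold should come from observed usage rather than a fixed constant; the value of the check is that it runs on a schedule, which is exactly what was missing when the trigger failed.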

Why rip-and-replace usually fails inside the fence

Defense modernization programs carry a failure rate that dwarfs the commercial average. The reasons are structural. FedRAMP authorization for replacement SaaS platforms takes 18 to 24 months. ATO packages for on-prem replacements run to thousands of pages. Cleared developers are scarce and expensive. Every requirement change triggers a new security review.

A typical Forms replacement program inside a cleared environment budgets 60 months and delivers in 90, if it delivers at all. Two primes have told us they’ve written off more than 40 million dollars each on modernization attempts that never reached production.

Descriptor-based modernization inside the enclave

The approach that works inside classified and ITAR environments is the one that minimizes new software introduction. Automated extraction of .fmb files into JSON descriptors runs offline, on approved hardware, inside the enclave. No cloud dependency. No external service calls. The descriptors become the system of record for business logic, reviewable by security officers and program managers alike.

From those descriptors, a TypeScript application generates against an approved runtime baseline. The attack surface shrinks. The audit trail is continuous. The same Oracle Database underneath stays in place, which keeps the existing ATO boundary intact.

Evidence that survives a DCSA inspection

The primes that modernize successfully produce a specific artifact: a signed manifest tying every deployed build to a specific descriptor version, with cryptographic integrity through the build pipeline. DCSA inspectors and DCMA auditors can read it. So can the facility security officer.

We’ve seen this collapse inspection preparation time from six weeks to four days. The evidence is generated by the build, not assembled by hand from tribal knowledge.
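The manifest the section describes is concrete enough to show in code. The following is an added example, not the post's or any pipeline's own code, of a build manifest that records the digest of every descriptor a build was generated from, a signature over the manifest, and the inspector-side verification that both the manifest and the descriptors on disk are what the build claimed. The two descriptors, build id, descriptor version and runtime baseline are constructed values. The example signs with HMAC-SHA256 so it runs on the Python standard library alone; that is an assumption, and a real pipeline would normally use an asymmetric signature so the inspector's verifier needs only a public key.

```python
import hashlib
import hmac
import json

# Constructed sample: two JSON descriptors of the kind the post describes, extracted
# from .fmb files. Screen names, fields and trigger text are made up for the example.
DESCRIPTORS = {
    "EXPORT_LICENSE.json": json.dumps({
        "screen": "EXPORT_LICENSE",
        "blocks": [{"name": "LICENSE", "items": ["LICENSE_NO", "ECCN", "EXPIRES"]}],
        "triggers": {"WHEN-NEW-FORM-INSTANCE": "audit_open(:GLOBAL.user_id);"},
    }, sort_keys=True).encode(),
    "FN_ACCESS.json": json.dumps({
        "screen": "FN_ACCESS",
        "blocks": [{"name": "ACCESS", "items": ["PERSON_ID", "DOC_ID", "GRANTED_BY"]}],
        "triggers": {"POST-INSERT": "log_fn_access(:ACCESS.person_id, :ACCESS.doc_id);"},
    }, sort_keys=True).encode(),
}

# Assumed: the build pipeline holds a signing key that the inspector-side verifier also
# has. HMAC-SHA256 keeps this example on the standard library; a real pipeline would
# normally use an asymmetric signature (e.g. Ed25519) so the verifier needs only a public key.
PIPELINE_KEY = b"constructed-example-key-not-for-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so the same manifest always signs identically."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(descriptors, build_id, descriptor_version, runtime_baseline):
    """Tie one build to the exact descriptor bytes it was generated from."""
    return {
        "build_id": build_id,
        "descriptor_version": descriptor_version,
        "runtime_baseline": runtime_baseline,
        "descriptors": {name: sha256_hex(data) for name, data in sorted(descriptors.items())},
    }


def sign_manifest(manifest, key=PIPELINE_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_build(manifest, signature, descriptors, key=PIPELINE_KEY) -> bool:
    """Inspector-side check: the manifest must be authentic, and the descriptors on
    disk must be exactly the ones the manifest names, byte for byte."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False
    if set(descriptors) != set(manifest["descriptors"]):
        return False
    return all(
        hmac.compare_digest(sha256_hex(descriptors[name]), digest)
        for name, digest in manifest["descriptors"].items()
    )


def demo():
    """Build, sign and verify; then show that a changed descriptor or an edited
    manifest field both fail verification. Returns (clean, descriptor_changed, manifest_changed)."""
    manifest = build_manifest(DESCRIPTORS, "build-0042", "desc-v17", "runtime-baseline-approved-2026-03")
    sig = sign_manifest(manifest)
    clean = verify_build(manifest, sig, DESCRIPTORS)

    # Someone comments out the access-logging call in a descriptor after the build was signed.
    tampered = dict(DESCRIPTORS)
    tampered["FN_ACCESS.json"] = DESCRIPTORS["FN_ACCESS.json"].replace(b"log_fn_access", b"-- log_fn_access")
    descriptor_changed = verify_build(manifest, sig, tampered)

    # Someone edits the manifest to claim a newer descriptor version without re-signing.
    edited = dict(manifest, descriptor_version="desc-v18")
    manifest_changed = verify_build(edited, sig, DESCRIPTORS)
    return clean, descriptor_changed, manifest_changed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point for an inspection is that the manifest is produced by the build step itself and verified by a separate party with its own copy of the key material; once that split exists, "which descriptor version is running" is a check rather than a question for whoever remembers.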

The compliance trap, and the way out

The trap is that the longer Forms stays, the more compliance obligations accumulate around it, and the more any change looks like risk. The way out is to treat extraction as a controls-preservation exercise first and a modernization exercise second. The behavior the auditors already accept gets captured verbatim. The runtime it runs on gets replaced with something supportable.

Defense programs outlive most commercial software. The systems that manage them should too, without keeping the primes locked inside a 2001 runtime for another decade.