Security Clause Meets Audit Gap: The Army Unbundles Its IT for 216 Million – NDP Dependency Remains in the Dark
clarus.news | Analysis | June 30, 2026
The Swiss Federal Audit Office warns of significant risks in its end-of-June report on the Army's IT unbundling (SFAO-24115). The unbundling – initiated after the 2016 Ruag cyberattack and consolidated in the key project "iTask" – aims to separate 124 IT services by 2032 at the latest, at a cost of around 216 million francs. The mission-critical services among them will be rebuilt on the New Digitalization Platform (NDP), which goes live on July 1, 2026. When asked by clarus.news about its technological dependencies, the Army declines to provide details, citing security policy and operational reasons – and the SFAO did not examine this exact level in its NDP audit. So what now?
The Unbundling: 216 Million, 124 Services, Completion by 2032
The DDPS is separating its civilian IT from its military IT – a consequence of the cyberattack on defense contractor Ruag in 2016. The SFAO report published at the end of June (SFAO-24115, dated March 30, 2026) certifies solid foundations for the project but warns clearly: success metrics for measuring the planned efficiency gains are missing; the overall planning is incomplete; tasks, competencies and responsibilities are not conclusively regulated; and financial incentives for decommissioning outdated systems are lacking, which favors duplicate structures.
So far, around 116 million francs have been spent, with another 100 million planned for the phase from mid-2026 onwards – a project of a good 216 million with a target horizon of 2032. Robert Scheidegger, Deputy Secretary General of the DDPS, describes it as changing the wheel "on a moving car." Daniel Keller, Chief of the Armed Forces Staff, sees the project in the "green zone" and at a high level of maturity for technical implementation. However, the Federal key project reporting listed iTask with an overall "yellow" status as of mid-2025, partly because the schedule for piloting remained challenging. Keller identifies the availability of specialists over the long implementation period as the central hurdle. The leadership change at the top of the army at the end of 2025 exacerbates this personnel risk in a critical phase.
The Crux: iTask Runs on the NDP
This is where two stories converge. Of the 124 services to be unbundled, the mission-critical ones will be rebuilt on the NDP – one of five unbundling scenarios listed by the SFAO (alongside: operation by FOITT, by third parties, temporary dual operation, or decommissioning). This platform becomes operational on July 1, 2026. For the mission-critical services, the unbundling is thus only as robust as the NDP on which they are built.
And the Chief of the Armed Forces Staff himself names the risks of this platform: it harbors "technical dependencies," open resource questions and "aspects we may not know today." This is remarkably candid – and it is precisely where the sovereignty question sits, because the NDP is based on virtualization technology from Broadcom/VMware, a US provider subject to the CLOUD Act that has restructured licensing models and massively increased prices since the VMware acquisition in 2023.
The SFAO inadvertently confirms this crux: A Priority 1 architecture recommendation open since 2022 remains unimplemented – according to the SFAO, precisely because the necessary interoperability architectures between Cyber Command and FOITT can only be meaningfully addressed based on the NDP's development status. In the context of architecture, the SFAO also found significant deficits. The unbundling is thus waiting for the NDP at a central point.
The Army's Answer: No Details for Security Reasons
clarus.news asked the Army about the continuity of this virtualization layer: Is there a tested fallback path if license, support or security updates are discontinued for sanctions or export law reasons? The Swiss Army's answer is essentially a non-answer: The Army does not comment in detail on specific products, their deployment, replacement or possible alternative paths for security policy and operational reasons – explicitly including architecture, migration, exit, fallback and continued operation scenarios.
The Army also maintains that resilience is not merely architecturally asserted but verified at various levels and using concrete operational scenarios; technological dependencies, licensing models and supply chain risks are continuously assessed in the responsible management, architecture and risk processes; requirements for portability, reversibility, open standards and exit capability are taken into account. Evidence for this is – naturally – not disclosed.
The security reservation is legitimate. Nobody demands that the Army publicly lay out fallback plans for a mission-critical platform. But it has a consequence: It transforms a verifiable architecture question into a question of trust. "We continuously review this" can neither be confirmed nor refuted from the outside.
Complexity Is Not Architecture
What's striking is how the Army addresses the concerns: with process features. The NDP is modularly and agilely built, following the DevSecOps principle, and does not follow the logic of a big-bang project. This addresses complexity – but not the structural dependency. Modularity at the application level does not eliminate a load-bearing dependency at the virtualization level on which all virtual machines are based.
A detail of the response is telling: The NDP is designed to support different integration depths. This admits that the overall architecture, to which the Army refers for assessment, is not cast from a single mold – individual systems integrate less deeply or run alongside. Thus the argument that one should not look at a single component undermines itself: Precisely from an architectural perspective, the load-bearing position of the virtualization provider is crucial.
Who Actually Reviews the Dependency?
The question remains who independently assesses this level. The SFAO is only partially suitable for this. Its NDP report 25130 from October 2025 reviewed the settlement planning and the plausibility of reporting – explicitly not project management, finances, technology selection or vendor dependency. It did not issue a single new recommendation, and a final discussion was dispensed with. The report thus provides nothing for the sovereignty question. When asked, the Army refrained from contextualizing this audit scope.
This is not an accusation but a structural problem. It remains open which body examines the vendor and virtualization dependency with IT architectural depth – the SFAO did not make this level the subject of review in Report 25130. This creates a gap: The operator refers to security, the auditor stays with the process – and the most dependency-critical level of the Army's most expensive platform falls through the cracks.
Key Points
- The IT unbundling iTask (around 216 million francs, completion by 2032, 124 services) rebuilds the mission-critical services on the NDP, which goes live on July 1, 2026 – these thus inherit the platform's dependencies.
- The SFAO warns of missing success metrics, incomplete overall planning and personnel risks; the Chief of the Armed Forces Staff himself names "technical dependencies" and unknown risks of the new platform.
- The Swiss Army refuses information on exit and fallback scenarios for the virtualization layer for security reasons – understandable, but thus unverifiable.
- The SFAO audit 25130 excluded technology selection and vendor dependency. The most dependency-critical level is currently not reviewed by any body in a publicly verifiable way.
Three Critical Questions
1. On oversight: Which body examines the vendor and virtualization dependency of the NDP with IT architectural depth – and why did the SFAO explicitly not examine this exact level in Report 25130?
2. On continuity: What tested exit or fallback option exists for the NDP's virtualization layer if license, support or updates are discontinued for sanctions or export law reasons – and can Parliament review this examination in an appropriate, confidential form?
3. On benefits: With what measurable criteria will the success of the 216-million unbundling iTask be demonstrated, after the SFAO criticized missing success metrics and incomplete overall planning – and when will these be available?
Conclusion
The Army is doing many things right: It separates sensitive systems, it works agilely, it is transparent about deadlines and maturity levels. But at the crucial point – the dependency of the supporting platform on a US virtualization provider – the curtain closes. The operator is silent for security reasons, the financial oversight has not looked. What remains is an assurance without evidence.
On July 6, the answers to parliamentarians are due. This is the moment when it must be shown whether the sovereignty of the Army's most expensive platform is audited reality – or a promise based on trust. So what now? The question has an addressee: the body that finally answers it independently.
This article is based on the SFAO report on the Army's IT unbundling (SFAO-24115, dated March 30, 2026, published end of June 2026), reporting by SRF ("DDPS IT project: 'We're changing the wheel on a moving car'", Philipp Burkhardt, June 30, 2026), SFAO Report 25130 on the NDP (October 6, 2025), and an email exchange between clarus.news and the Swiss Army (June 2026). Army statements are reproduced in substance and attributed to "Swiss Army".
Sources:
- SFAO-24115: Audit of the DTI key project iTASK, Defence Group, 30.03.2026 (published end of June 2026)
- SRF News / Philipp Burkhardt: "DDPS IT project: We're changing the wheel on a moving car", 30.06.2026 – https://www.srf.ch/news/schweiz/pruefung-durch-finanzkontrolle
- SFAO Report 25130: Audit of the key project NDP, 06.10.2025
- Email exchange clarus.news / Swiss Army (Armed Forces Staff Communications Defence), June 2026
- clarus.news: "DDPS IT unbundling project: Audit Office criticizes planning gaps in iTask", 30.06.2026
clarus.news | Andreas Binggeli, Thierry Leserf, Ernst Anker, with Claude Opus | June 30, 2026