DoD's old policy of COTS/COTS ERP is the preferred software solution worked for some programs when there were known requirements and the program could change their business rules to match the COTS ERP.  However, COTS is a black box.  When you purchase COTS, you purchase a proprietary architecture you cannot change.  When the government cannot control change, the government cannot meet budget projections, schedules or performance expectations reliably.  We are at the mercy of the COTS vendor.

For legacy COTS ERPs, the vendors have now gotten smarter.  They are implementing their solution in a Cloud Virtual environment where they can instantiate a unique version of their COTS ERP per customer.  This means the customer can now control change in the COTS ERP environment for a cost; but Agile-DevSecOps methods can be applied under this new scheme.  DISA NBIS is an example of Agile DevSecOps being applied smartly to a Cloud Virtual instantiation of a COTS ERP application.  You can contact DISA NBIS and see their new processes in place and they are very happy with their results. I am not sure it is the most cost efficient solution; DAU is being told that if at all possible, developing a GOTS solution where Government controls all aspects of change is the way to go.

The best method we have seen for dealing with COTS ERPs is to strangle them.  Using the Microservice-based strangler pattern, programs can now slowly wean themselves off the COTS ERP over time by applying agile methods and creating a microservice-based government solution (GOTS) of their functionality in an enviroment where the government controls everything; after you slowly wean yourself off the COTS ERP, your solution is much easier to manage/change and more cost efficient based on SME projections (I don't know of anyone doing this yet in DoD, but it is a valid alternative).