The industry notes the DoD’s lack of standardized software attestation processes

News Room | Published 21 December 2025 | Last updated: 2025/12/21 at 3:37 AM
Defense technology companies broadly agree on what secure software looks like. Less consistent, however, is the industry-wide understanding of the Department of Defense’s mechanisms to demonstrate security compliance. Instead, stakeholders generally see a lack of “consistent and standardized methods for attestation processes,” according to recent industry feedback.

A new summary document released by Acting DoD CIO Katie Arrington collected and analyzed industry responses to three separate DoD requests for information on advancing and securing software for the federal government.

“Overall, there was a strong call for the DoW to define a legitimate attestation, identify what is required to complete an attestation and ensure the consistency of these standards across the DoW,” the document said. “Additional hurdles such as limited resources, difficulties managing supply chain opacity, and cultural barriers further underscore the complexity of enforcing robust, secure software development practices.”

In response to Defense Department CIO requests for information under the Department’s recently launched Software Fast Track Initiative, the industry has overwhelmingly pointed to established cybersecurity frameworks such as the National Institute of Standards and Technology’s Secure Software Development Framework and the widely used Open Worldwide Application Security Project standards for managing software and supply chain risk. More than 75% of respondents said they trust NIST’s secure software framework, which aligns with the DoD’s approach to software security and risk management.

But companies told the Pentagon’s IT leadership that compliance uncertainty remains a major obstacle. Suppliers said it is unclear what qualifies as a valid attestation, what documentation must be included in a body of evidence, how often attestations are required and whether companies will be allowed to self-certify security practices or rely on third-party assessments. Because NIST’s Secure Software Guidelines are designed as a framework and not a checklist, vendors warned that compliance is open to interpretation and risks inconsistent application across the department.

Arrington announced the Software Fast Track, or SWFT Initiative, in April with the aim to reform the way DoD purchases, tests and authorizes secure software. Arrington has argued that the Pentagon’s existing processes for approving software are too slow. Since returning to the Pentagon in March as acting CIO, she has pushed for an overhaul of the department’s outdated processes for purchasing software, namely the Risk Management Framework (RMF) and the Authority to Operate (ATO) approval process. She previously said she is “blowing up the RMF” and that she hopes ATOs are “something I never hear about again.”

The SWFT effort is intended to move away from rigid checklist processes to dynamic, continuous authorization to operate. To inform this shift, the CIO office issued three requests for information asking vendors for insights on the tools used, third-party assessment methodologies, and how automation and artificial intelligence could help the department accelerate secure software adoption.

Not only did the first RFI, which focused on Software Fast Track tools, reveal that companies are concerned about inconsistent attestation requirements; responses also noted challenges in integrating the secure software framework into existing workflows.

“The amount of evidence required for compliance with NIST SP 800-218 would likely require automation and integration of multiple tools within the existing infrastructure. Likewise, integrating manual documentation and efforts into existing logical processes and workflows could be challenging,” the Software Fast Track RFI summary said.

At the same time, about 90% of respondents said they would provide software bills of materials – detailed inventories of the components used to build a software product – to the department. Most said these SBOMs would cover their own software.

Nearly all companies said they already conduct software risk assessments and would provide DoD officials with risk assessment artifacts. Most said these artifacts are generated through automated tools, and the majority made clear “their willingness to provide these artifacts efficiently through standardized formats and secure exchange processes.”

To that end, companies recommended allowing vendors to submit artifacts directly to DoD platforms such as Enterprise Mission Assurance Support Service (eMASS) through application programming interfaces to accelerate software security assessments.

External assessments

Industry respondents said most companies already rely on a combination of internal and external audits to assess software security.

Internal audit functions typically include continuous monitoring, code reviews, and regular red-teaming exercises designed to identify vulnerabilities before they can be exploited. External assessments, meanwhile, are often conducted by third-party auditors or independent penetration testers to provide objective validation of a company’s security posture.

Key compliance regimes include the Federal Risk and Authorization Management Program, NIST cybersecurity standards, and Service Organization Control (SOC), which “provides further evidence of a mature security posture among organizations.”

At the same time, companies emphasized that external review functions require clear guardrails. Respondents said assessment organizations must demonstrate relevant experience in high-security environments, secure data processing methods, established quality management and a high degree of independence. Moreover, such assessments must be conducted by qualified personnel with industry-recognized certifications and an understanding of DoD security frameworks.

Apply automation and AI tools

Industry respondents said automation and artificial intelligence could deliver the biggest gains in accelerating DoD software risk assessments, especially by reducing manual paperwork and enabling continuous monitoring. Companies emphasized that automation and AI serve different purposes, with automation being best suited for performing repetitive, rules-based tasks, while AI “can make decisions and learn to perform tasks with human-like intelligence.”

Companies also warned of major challenges in adopting automation and AI. Vendors cited concerns about AI explainability, data quality and model reliability, noting that authorizing officers need to be able to understand how risk determinations are made.

Arrington said the Software Fast Track Initiative is on track to roll out early next year.

“People who think SWFT wouldn’t happen – the joke’s on you. If it wasn’t for the furlough, that would have gone live in early November. So look in early January,” Arrington said during the Defense Information Systems Agency’s annual Forecast to Industry event on December 8. “Software Fast Track: So you can take software and we can get it approved in days, not months and years. Making sure we have a baseline called eMASS that can ensure that if an ATO is granted, an ATO is responded to. We have the Software Assurance playbook. If anyone doesn’t know about that, it’s when the software has vulnerabilities. We’re working through them. Fix them and blow up the RMF. We’re already starting to do it using continuous monitoring, the ten tenets of what it should be.”

Copyright © 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
