DOD Software Attestations: Industry Concerns & Gaps

by Priyanka Patel

Defense Industry Calls for Pentagon Clarity on Software Security Verification

A new Pentagon report reveals that defense technology companies are urgently requesting clearer guidelines from the Department of Defense regarding software security compliance, citing a significant lack of standardized processes for verifying software attestations. The concerns, stemming from analysis of over 400 industry responses, highlight a critical need for consistency in how the DOD assesses and approves software used in military applications.

The report, released by Pentagon Acting Chief Information Officer Katie Arrington, underscores a disconnect between broad agreement on what constitutes secure software practices and how the DOD expects that compliance to be demonstrated. Vendors expressed uncertainty over what constitutes a valid attestation, including the required evidence and the frequency of verification.

Streamlining Security Through SWFT

The push for clarity comes as the DOD accelerates its Software Fast Track (SWFT) initiative, launched in April. SWFT aims to drastically reduce the time it takes to get secure software into the hands of military personnel and defense agencies, streamlining the often-cumbersome Authority to Operate (ATO) process. The initiative, originally conceived under the Trump administration – which at the time rebranded the DOD as the “War Department” – seeks to provide greater assurance that applications meet stringent security requirements.

According to Arrington, the feedback gathered through three Requests for Information (RFI) will be instrumental in transforming the department’s approach to software security and safeguarding long-term military advantages. “These responses will directly inform how we evolve our practices,” she stated in the report’s foreword.

Supply Chain Security & Standards Alignment

The first RFI focused specifically on software supply chain security tools. Industry participants demonstrated strong alignment with established frameworks and standards, particularly those developed by the National Institute of Standards and Technology (NIST). NIST guidance on secure software development, robust cybersecurity controls, and effective supply chain risk management was frequently cited. The Open Worldwide Application Security Project (OWASP) guidelines also emerged as a common reference point.

Despite this consensus on foundational standards, companies reported significant challenges. A key obstacle is the absence of consistent and standardized methods for software attestations, making it difficult to document compliance and integrate security requirements into existing workflows. Other hurdles include limited resources, a lack of visibility throughout the supply chain, and ingrained organizational cultural barriers.

Most companies indicated a willingness to provide software bills of materials (SBOMs) and related documentation, aligning with core risk management components like system security plans, risk assessment reports, and plans of action and milestones. A recurring theme was the need for automated artifact generation and secure, standardized methods for exchanging documentation.

External Assessments & Qualified Personnel

The second RFI explored the potential for external assessment organizations to streamline risk assessment and authorization. The report found that roughly half of respondents currently utilize both internal and external audits. Internal assessments typically involve continuous monitoring, rigorous code reviews, and penetration testing, while external assessments are generally conducted by independent third-party auditors.

These audits are often mapped to broader compliance frameworks, including the Federal Risk and Authorization Management Program (FedRAMP), NIST standards, Service Organization Control 2 (SOC 2), and International Organization for Standardization 27001 (ISO 27001).

Respondents emphasized the critical need for any external assessment body to possess clear methodologies, maintain complete independence, adhere to secure data handling practices, and employ qualified personnel with specific experience evaluating software deployed in high-impact military environments.

Automation, AI, and the Future of Secure Software

The final RFI addressed the role of automation and artificial intelligence (AI) in accelerating the adoption of secure software. Industry participants believe automation and AI can significantly reduce manual effort in areas like document processing, compliance validation, and continuous monitoring. However, they also acknowledged challenges related to explainability, data quality, overall security, and scalability.

Respondents stressed that wider adoption of automation and AI hinges on the availability of standardized data tailored to the DOD’s specific needs, including comprehensive threat intelligence, up-to-date vulnerability data, and detailed software composition information.

The Pentagon’s response to these industry concerns will be crucial in shaping the future of software security within the defense sector, ensuring that the nation’s military maintains a technological edge in an increasingly complex threat landscape.