The Pentagon is developing a “fast pass” approach to putting secure software on its network.
Taking lessons from the Cybersecurity Maturity Model Certification (CMMC) program, the Defense Department soon will issue criteria for vendors to meet that will give the services and defense agencies a level of assurance that applications are secure.
“What we’re finding is we need to accelerate that conversation and our integration with industry about how we raise the bar on what it means to be a secure software component. What does it mean to secure the development pipelines?” said Rob Vietmeyer, DoD’s chief software officer, after speaking at AFCEA NOVA’s IT Innovation day. “As we move forward with industry, how do we partner to address these supply chain concerns? Industry is looking for, how do I accelerate delivery into the department? We’re interested in, how do we raise our posture from a supply chain security controls perspective? So we’re trying to find that interface.”
DoD will issue requests for information (RFIs) in the coming weeks that describe its objectives and collect feedback about the security controls for software products it should consider.
“How do we establish a basis and then work with industry so that they can demonstrate that their products are trustworthy?” Vietmeyer said on Ask the CIO.
Vietmeyer said while DoD still is working out details for how to approach this effort, it’s a high priority for the administration and he expects more information to come shortly. The overall goal is to create a fast track authority to operate (ATO) process for software.
“We will announce the objectives for this effort, a high-level framework, and in a few months, engage with industry to establish these controls and processes to have this conversation about how we raise our posture of supply chain security,” he said. “What we’re looking at is defining a set of controls, and if industry can demonstrate that their products and their pipelines meet those controls, that removes from us the burden from going through months and months of risk management framework assessments. It can get us to understanding, yes, this software meets our risk posture to a level that we can now look at. We built that trust with industry that if we install this software, it will not bring unacceptable risk into our environment.”
Ongoing effort to improve software
This new “fast-pass” approach is part of the broader software acquisition modernization effort DoD kicked off in February 2022 with a new strategy.
Most recently, Defense Secretary Pete Hegseth signed a memo in March directing the services and defense agencies to use the software acquisition pathway as the preferred approach to acquiring business and weapons systems.
“I am directing the use of Commercial Solutions Openings and Other Transactions as the default solicitation and award approaches for acquiring capabilities under the SWP,” Hegseth wrote. “This applies to any software pathway program in the planning phase prior to execution.”
DoD created the six acquisition pathways in 2018, including one focused on software. The use of the software acquisition pathway has been slow to materialize.
Vietmeyer said DoD’s need to focus on software security has reached a new level of importance as adversaries are trying to exploit software vulnerabilities at a greater rate.
“What we’re finding is adversaries are increasingly going after the software supply chain in both basic attacks and very sophisticated attacks,” he said. “So looking at everything from just trying to standard identity and credential compromises to inject into the pipeline all the way to compromising build systems so that even if you have security checks built into your continuous integration pipeline, once it gets to a compromised build system, it can then inject malicious binaries in the final product, so pipeline poisoning, typosquatting. There’s a set of both basic and sophisticated attacks that are being employed against the software that the department mission relies upon.”
Vietmeyer said DoD is learning lessons from its approach to the Cybersecurity Maturity Model Certification (CMMC), not necessarily setting up a new program, but taking advantage of existing certification or similar efforts.
“What we want to do from a technology perspective is to make sure that we have defined the technology platforms. We have defined the set of standards and specifications for what it means to be deployable in a highly resistant way. How are we going to govern those critical components as we move forward? Then, if we can plug in software that meets our trustworthiness requirements, that meets our resiliency requirements, that can plug into our digital platforms in a way that continues to add mission value and we can support those over time,” he said. “We want to make sure that we’re not looking at these processes as throw-over-the-fence innovations, but we can build them into an integrated technology framework across the department that allows us to make sure that these are deploying in a way that meets and will continue to meet the warfighter mission need, the resilience, the security posture of the highly dynamic battle space that we’re facing right now.”
Adding AI to DevSecOps pipeline
Along with ensuring commercial software is secure, Vietmeyer said DoD wants to apply artificial intelligence to its own DevSecOps pipeline.
A new effort with MITRE kicked off recently to map how AI tools could help each stage of development.
“When we look at the DevSecOps pipeline, what we find is there are emerging AI capabilities that appear to provide very powerful capabilities for us to be able to accelerate the department’s journey through agile development and our ability to deliver resilient capabilities to the warfighter faster. What we’re trying to lay out now is the full DevSecOps model and where are AI solutions maturing to help the department on this journey and where we can identify those,” he said. “How do we bring them in and make them available like we’re doing with the general purpose large language models (LLMs)? How do we understand where these capabilities plug into the lifecycle, looking at the particular threat models that AI brings, making sure that we understand what those threats look like, that we understand the risks, that we can mitigate those risks and then bring on board these capabilities to be able to support that and rapidly accelerate this full journey for the department.”
Along with MITRE, DoD is looking at how AI can help with everything from code generation, modernizing legacy code, and evaluating the entire pipeline process for cyber vulnerabilities.
“We can look at a lot of our legacy systems that have become, I’ll describe as a boat anchor for how do we drive innovation. We’re stuck with an existing footprint that we need to modernize. So how do we take decades-old COBOL software where we don’t have the installation instructions anymore, no one knows how it really is configured and works, and how can we leverage AI to help modernize and bring forward those capabilities for code development, code transformation, modernization, and can we use AI to help us rearchitect some of this?” he said. “How can we go from these monolithic architectures to microservices architectures and decompose these systems? How can we expose capabilities as application programming interfaces (APIs) when we look at the data flows within an application? AI can be very useful in trying to decompose those data flows to try to give you guidance on how you can move this into a microservices architecture.”
© 2025 Federal News Network. All rights reserved.