Modernizing Software Standards for Defense Contractors


Summary

Modernizing software standards for defense contractors means updating rules, processes, and technologies to ensure military software is secure, reliable, and delivered quickly. This shift is crucial for keeping up with commercial advancements, improving cybersecurity, and adapting to new mission needs.

  • Prioritize secure development: Make cybersecurity a core part of software creation by following updated government standards and using modern practices like DevSecOps.
  • Streamline certification processes: Prepare for new compliance requirements by organizing documentation and evidence early, so you can move through assessments swiftly and stay competitive for contracts.
  • Adopt agile methods: Use iterative development cycles to deliver functional software updates faster and enable rapid adaptation to changing mission demands.
Summarized by AI based on LinkedIn member posts
  • Dave Schroeder

    🇺🇸 Strategist, Cryptologist, Cyber Warfare Officer, Space Cadre, Intelligence Professional. Personal account. Opinions = my own. Sharing ≠ agreement/endorsement.

    25,124 followers

    Secretary Pete Hegseth is directing all Defense Department components to embrace a rapid software acquisition pathway and use commercial solutions openings and Other Transaction authority to speed up the procurement of digital tools for warfighters.

    The department’s Software Acquisition Pathway, or SWP, was set up during the first Trump administration under then Undersecretary of Defense for Acquisition and Sustainment Ellen Lord as part of a broader push for a so-called Adaptive Acquisition Framework that enables the department to procure software differently than it buys hardware. Programs on that pathway are not subject to some of the encumbrances associated with the Joint Capabilities Integration and Development System and major defense acquisition program designations.

    “Programs using the software acquisition pathway will demonstrate the viability and effectiveness of capabilities for operational use not later than 1 year after the date on which funds are first obligated to develop the new software capability. New capabilities will be delivered to operations at least annually to iteratively meet requirements, but more frequent updates and deliveries are encouraged where practical,” according to DOD Instruction 5000.87 issued in October 2020. The instruction also requires government and contractor software teams to use modern iterative software development methods such as DevSecOps.

    Now, Hegseth wants to make sure all DOD components are taking advantage of the pathway. “Software is at the core of every weapon and supporting system we field to remain the strongest, most lethal fighting force in the world. While commercial industry has rapidly adjusted to a software-defined product reality, DoD has struggled to reframe our acquisition process from a hardware-centric to a software-centric approach. When it comes to software acquisition, we are overdue in pivoting to a performance-based outcome and, as such, it is the Warfighter who pays the price,” he wrote in a March 6 memo addressed to senior leaders, combatant commanders, and agency and field activity directors.

    To address the problem, Hegseth is decreeing that all DOD components must adopt the SWP as the “preferred pathway for all software development components of business and weapon system programs.” “This will enable us to immediately shift to a construct designed to keep pace with commercial technology advancements, leverage the entire commercial ecosystem for defense systems, rapidly deliver scaled digital capabilities, and evolve our systems faster than adversaries can adapt on the battlefield,” he wrote.

    As the U.S. military pursues new AI tools — a tech pursuit which Hegseth is prioritizing as the department moves to modernize for potential fights against advanced adversaries — software is expected to become even more critical. Read more:

  • Pukar C. Hamal

    CEO & Founder — SecurityPal.com | Stanford 🌲| Silicon Valley 🌁 🇺🇸 x Silicon Peaks 🏔️🇳🇵 = 🚀 | Lifelong builder, tinkerer, New Yorker 🗽 | Always searching for better questions 😌

    20,015 followers

    The United States Department of War, formerly the Department of Defense (DOD), just finalized CMMC 2.0, and defense contractors now have a compliance timeline problem.

    The Pentagon's final rule published last week introduces a three-tier certification system that fundamentally changes how defense contractors prove their cybersecurity posture. The big shift: self-assessments are out for most contractors. Levels 2 and 3 now require third-party assessments. And the bar is high. Level 2 contractors need to implement 110 security measures from NIST SP 800-171 on top of Level 1 requirements. Level 3 contractors must fulfill both Level 1 and Level 2 requirements, plus 24 additional security measures from NIST SP 800-172. Annual affirmations are now mandatory to maintain certification. Contractors who fall short get 180 days after assessment to develop and implement plans of action.

    The DOD is also making something very clear: knowingly misrepresenting your cybersecurity practices now carries real accountability.

    This is where the rubber meets the road. Defense contractors aren't just dealing with certification; they're dealing with speed. Third-party assessments take time. Documentation takes time. Gathering evidence across 110+ controls takes time. And the DOD wants contracts to start including CMMC requirements next year.

    At SecurityPal, we work with organizations that face this exact challenge: proving compliance fast without sacrificing accuracy. Our platform handles the documentation grind, questionnaire responses, and evidence collection that bog down security teams for weeks. We've seen companies cut security review cycles by 40 to 60%, freeing up technical teams to focus on actual security improvements rather than paperwork.

    CMMC 2.0 isn't just about meeting requirements. It's about meeting them efficiently enough to stay competitive for contracts while the assessment infrastructure catches up to demand. Defense contractors who can move through certification faster will have a distinct advantage. The ones who treat this as a checkbox exercise will find themselves stuck in assessment queues while competitors close deals.

  • Justin Nerdrum

    B2G Growth Strategist | Daily Awards & Strategy | USMC Veteran

    18,966 followers

    31 class deviations. 30 DFARS parts revised. Effective December 18, 2025. The Revolutionary FAR Overhaul just hit DoD contracting. Miss these changes, and your next proposal quotes dead language.

    Three Executive Orders drove this. EO 14275 on common sense procurement. EO 14265 on defense acquisition modernization. OMB Memo M-25-26 mandates the FAR overhaul. DoD moved fast, using class deviations as interim measures while formal rulemaking catches up.

    What actually changed?
    - Acquisition planning streamlined. Parts 207 and 210 cut documentation burdens for market research and planning. Less paperwork. Faster timelines.
    - Commercial products prioritized. Part 212 revisions push COTS-first. If commercial solutions exist, custom development becomes harder to justify.
    - Competition rules simplified. Part 206 changes reduce barriers to entry. More pathways for nontraditional vendors to compete on an equal footing.
    - Emergency acquisitions accelerated. Part 218 revisions speed up urgent capability delivery. When speed matters, bureaucracy steps aside.
    - Contract financing improved. Part 232 updates help contractors working on government programs improve cash flow.
    - Simplified acquisition procedures expanded. Part 213 revisions raise thresholds and reduce friction for smaller buys. More work is moving under simplified procedures rather than full FAR compliance.

    The scope is broad. Everything from bonds and insurance (Part 228) to R&D contracting (Part 235) to IT acquisition (Part 239) got touched. Even value engineering (Part 248) and termination procedures (Part 249) were revised.

    Reality check for contractors. These deviations apply to new solicitations, contracts, task orders, and delivery orders issued on or after December 18, 2025. Some ongoing actions have exceptions. RFO definitions supersede FAR 2.101 where conflicts arise. If you're quoting old FAR language in proposals, verify it still applies. Full line-out documents showing strikethroughs and revisions are posted on the official DoD acquisition site. Review them before your next submission.

    The government just removed excuses for slow procurement. Contractors who can't match that velocity will watch faster competitors take their share. How many of these 31 deviations has your team actually read?

    ---------- Like this content? Join our newsletter. Link located below my name 👆

  • Phil Venables

    Partner - Ballistic Ventures / Senior Advisor - Warburg Pincus / 4 x CISO / 5 x Board Director / Chief Risk Officer

    72,178 followers

    Defense Software for a Contested Future

    At the request of DARPA, the National Academies conducted a study to explore how to enhance the assurance and agility of large-scale, integrated software-based systems. This report recommends ways the Department of Defense can engineer and manage its software systems to reduce cyber risk and enable more rapid system evolution to meet changing mission needs. Report is here: https://lnkd.in/eDrUdrUu

    Neat section on use and rapid maturing of formal methods to help with software assurance. Examples given:
    - CompCert: formally verified compiler for C. An automated test tool that found hundreds of bugs in mainstream compilers like gcc and clang/LLVM found no bugs in CompCert's verified components after years of testing.
    - seL4: A high-assurance, open-source microkernel that serves as a trustworthy foundation for security-critical systems. It was successfully used in a Defense Advanced Research Projects Agency (DARPA) program to build a quadcopter drone that could resist red-team attacks.
    - NATS iFACTS: A large-scale air traffic control system in the United Kingdom, comprising 250,000 lines of code, that was formally proven to be free of runtime exceptions and to have functional correctness. It is written in SPARK, a subset of the Ada programming language designed for high-assurance systems.
    - Project Everest: A collaboration that produced formally verified, high-performance implementations of components of the HTTPS ecosystem, such as the TLS protocol and cryptographic algorithms. This verified code is now widely deployed in Mozilla Firefox, the Linux kernel, and Microsoft's Hyper-V hypervisor, among others.

  • Ryan Gutwein

    Startups & Product Security | ATO Enablement | CISSP - CCSP | NatSec | Combat Veteran

    4,036 followers

    The DoD is making a much-needed shift in how it acquires, secures, and deploys software. Traditional acquisition cycles have failed to keep pace with modern software development, leading to delays, security gaps, and outdated systems in the hands of warfighters. The Defense Secretary's latest memo on modern software acquisition reinforces this urgency, emphasizing that we must move beyond slow, compliance-heavy procurement models to an approach that accelerates delivery, strengthens security, and ensures mission success. His directive aligns with ongoing efforts like the Software Acquisition Pathway, which aims to create a more agile, iterative model for defense software. But there’s still a major challenge: Risk Management Framework (RMF) integration.

    The Problem: Security vs. Speed

    While RMF provides a structured approach to cybersecurity, its current application often slows software delivery instead of enabling it. The 2023 Software Acquisition Pathway & RMF Integration guidance tried to address this, but the reality is:
    ❌ Security approvals still take too long
    ❌ Compliance is often treated as a checkbox, not a risk-based process
    ❌ There’s a disconnect between software teams, acquisition officers, and security leaders

    The Fix: A Smarter, Risk-Based Approach

    To truly modernize software acquisition while maintaining strong security, we need a different approach:
    1️⃣ Embed RMF into the DevSecOps pipeline. Security controls should be automated and continuous, rather than an afterthought at the end of development. cATO should be the default, ensuring security is built into the development cycle, not just at deployment.
    2️⃣ Adopt a risk-tiered approach. Not every software update should be treated as a high-risk deployment. RMF should prioritize mission impact and threat level, allowing low-risk software to move faster while keeping critical systems under stricter controls.
    3️⃣ Streamline acquisition processes. Hegseth’s memo stresses faster procurement and delivery cycles—we need to align security with these goals. Instead of compliance roadblocks, we should integrate security-by-design principles from the contract stage onward.
    4️⃣ Improve collaboration between acquisition, cybersecurity, and development teams. The biggest challenge is often not technology, but process. We need cross-functional teams that can make rapid, risk-informed decisions without endless delays.

    BLUF: We have an opportunity to fix defense software acquisition, but it requires real execution, not just policy updates. If we don’t integrate security into this new model properly, we risk trading one bottleneck for another. https://lnkd.in/e4t-B7yh

  • Joel Krooswyk

    CTO | Advisor | Board Member | Storyteller | DevSecOps | AI

    5,159 followers

    Last week, the U.S. DoD released an updated version of its Software Modernization Implementation Plan for the next 2 fiscal years.

    As a succinct summary: The plan positions the DoD to maintain competitive advantage through transformed processes, empowered teams, and innovation. Success relies on leadership engagement, Department-wide collaboration, and commitment to software modernization to deliver capabilities at the "speed of relevance."

    There are 3 strategic goals:
    1. Accelerate the DoD Enterprise Cloud Environment
    2. Establish Department-wide Software Factory Ecosystem
    3. Transform Processes to Enable Resilience and Speed

    Major focus areas include:
    - Cloud innovation through expanded contract options and financial operations
    - Quick track authorization processes for SaaS
    - Enhanced cloud security through modern security models
    - Scale adoption of DevSecOps and modern software practices
    - Tools to increase software development productivity
    - Better software interoperability through APIs
    - AI and automation readiness in software factories
    - Standards for secure software development
    - Modernizing requirements, acquisition, and testing processes
    - Transforming legacy business and weapons systems
    - Developing software engineering talent

    What I really liked in the plan:
    - Emphasis on scaling adoption of DevSecOps practices
    - Infrastructure as code focus
    - Repository services based around git
    - cATO focus
    - API-first approach, enabling software interoperability through APIs
    - Secure software standards adoption, including SBOM
    - Preparing software factories for AI
    - Consideration of FinOps

    DevSecOps is in a season of rapid change. This plan is a great step in the right direction for the DoD. You can read the Implementation Plan in its entirety here: https://lnkd.in/gj-cmrGU #devsecops #ai #DOD #GitLab

  • Patrick Malcor

    CEO @ Ajax Defense | Defense Manufacturing & Technology

    12,293 followers

    Announced last week, the DoD's Acquisition Transformation Strategy is a sweeping reform that renames the system the Warfighting Acquisition System (WAS), fundamentally shifting its focus from compliance and bureaucracy to speed, urgency, and execution to deliver capabilities to the warfighter faster.

    The strategy is built on five key pillars of reform:
    1. Rebuilding the Defense Industrial Base (DIB): The DoD will increase contract values and duration to incentivize industry, and will actively engage private capital to spur innovation. A major change is the move to Go Direct-to-Supplier, allowing the DoD to bypass prime contractors to invest in and negotiate directly with component providers.
    2. Empowering the Acquisition Workforce: The strategy mandates an increased focus on training, recruitment, and expertise, including rotations between industry and the DoD.
    3. Maximizing Acquisition Flexibility: It directs an end to the complex Joint Capabilities Integration and Development System (JCIDS). Middle Tier Acquisition (MTA) and alternative contracts like Other Transaction Agreements (OTAs) and Commercial Solutions Openings (CSOs) are made the preferred and default pathways for new programs, especially software.
    4. Structural Changes and Accountability: Program Executive Offices (PEOs) are replaced by Portfolio Acquisition Executives (PAEs), who have consolidated authority to make trade-offs on cost, schedule, and performance to accelerate delivery. Programs are measured by Portfolio Scorecards that track speed and scale.
    5. Technical Excellence: The DoD is mandating the use of Modular Open Systems Approach (MOSA) to ensure interoperability, competition, and reduce lifecycle costs by preventing "vendor lock."

    The ultimate goal is to instill a "warrior ethos" in the acquisition process, aggressively prioritize commercial solutions, and accept more risk to field modern systems at the speed of the threat. Get the full Dept of War report here: https://lnkd.in/e6rTBnTV
