Secretary Pete Hegseth is directing all Defense Department components to embrace a rapid software acquisition pathway and use commercial solutions opening and Other Transaction authority to speed up the procurement of digital tools for warfighters.

The department’s Software Acquisition Pathway, or SWP, was set up during the first Trump administration under then Undersecretary of Defense for Acquisition and Sustainment Ellen Lord as part of a broader push for a so-called Adaptive Acquisition Framework that enables the department to procure software differently than it buys hardware. Programs on that pathway are not subject to some of the encumbrances associated with the Joint Capabilities Integration and Development System and major defense acquisition program designations.

“Programs using the software acquisition pathway will demonstrate the viability and effectiveness of capabilities for operational use not later than 1 year after the date on which funds are first obligated to develop the new software capability. New capabilities will be delivered to operations at least annually to iteratively meet requirements, but more frequent updates and deliveries are encouraged where practical,” according to DOD Instruction 5000.87 issued in October 2020. The instruction also requires government and contractor software teams to use modern iterative software development methods such as DevSecOps.

Now, Hegseth wants to make sure all DOD components are taking advantage of the pathway. “Software is at the core of every weapon and supporting system we field to remain the strongest, most lethal fighting force in the world. While commercial industry has rapidly adjusted to a software-defined product reality, DoD has struggled to reframe our acquisition process from a hardware-centric to a software-centric approach. When it comes to software acquisition, we are overdue in pivoting to a performance-based outcome and, as such, it is the Warfighter who pays the price,” he wrote in a March 6 memo addressed to senior leaders, combatant commanders, and agency and field activity directors.

To address the problem, Hegseth is decreeing that all DOD components must adopt the SWP as the “preferred pathway for all software development components of business and weapon system programs.” “This will enable us to immediately shift to a construct designed to keep pace with commercial technology advancements, leverage the entire commercial ecosystem for defense systems, rapidly deliver scaled digital capabilities, and evolve our systems faster than adversaries can adapt on the battlefield,” he wrote.

As the U.S. military pursues new AI tools, a tech pursuit which Hegseth is prioritizing as the department moves to modernize for potential fights against advanced adversaries, software is expected to become even more critical.
Modernizing Software Standards for Defense Contractors
Summary
Modernizing software standards for defense contractors means updating the rules and processes for how software is acquired, developed, and maintained in military projects, with a focus on speed, security, and keeping pace with commercial technology. This shift aims to streamline compliance, speed up delivery, and ensure that defense contractors can meet new cybersecurity and procurement requirements without getting stuck in outdated systems.
- Streamline acquisition: Embrace new procurement pathways and prioritize commercial solutions to reduce paperwork and speed up the delivery of digital tools.
- Prioritize cybersecurity: Stay ahead of evolving compliance rules by preparing for third-party assessments and maintaining accurate evidence and documentation for certifications like CMMC 2.0.
- Stay current: Regularly review revised regulations and updated standards to avoid quoting outdated language and ensure you can compete for contracts under the new rules.
How do we get critical technology to the warfighter faster? Our acquisition system has powerful tools like Other Transactions and SBIR Phase III, but we're often slowed down by legacy processes, appropriation, risk aversion, and a misalignment with the commercial tech world. It's time for targeted, common-sense reforms. I've been developing a few concrete proposals for the next NDAA (or sooner if some DoW innovators want to take them and run).

1. Demystify Innovation Authorities (OTA & SBIR): Mandate robust, role-based training and create a "safe harbor" for the good-faith use of these authorities. Empower our workforce to use the tools they already have.
2. Buy Software Like It's 2026, Not 1986: Officially define Software-as-a-Service (SaaS) as a commercial product, not a level-of-effort service. This simple change aligns acquisitions with the commercial market and eliminates a major bottleneck for buying modern software.
3. Fix Out-of-Cycle Funding: Transform the unpredictable Unfunded Requirements (UFR) scramble into a structured 'Innovation Readiness Fund.' This provides a dedicated, rapid funding vehicle to get proven, warfighter-demanded tech to the field without waiting for the next budget cycle.
4. Create a "Buying Cell for DoD Marketplaces": Pilot a centralized buying cell that acts as a "Contracting-as-a-Service" for DoD's innovation marketplaces. This removes the burden from local contracting shops and ensures any program with funding can buy quickly.

These fixes unlock the speed and potential we already have. They empower our people and deliver better capability, faster. What are your thoughts? Which of these ideas would have the biggest impact on your work?

#DefenseAcquisition #NDAA #GovCon #Innovation #OTA #SBIR #ProcurementReform #DigitalTransformation #MilitaryModernization #DoD

COL Christopher M. Hill Sr. A.V. W. Marina Nitze Arun Seraphin Joshua McMillion Ryan Connell Jenna Roueche' Arun Nair Matt Nelson Joshua Marcuse David Bonfili Noah Sheinbaum Tyler Sweatt Bryon Kroger Nikhil Shenoy Justin Fanelli Eric Lofgren Agile Acquisitions, LLC
-
I've had thirty-eight CMMC conversations with defense contractors and compliance leads this month. The same question comes up in almost every one. "How do we know if we're actually ready?" Not ready to start the program. Ready to call a C3PAO and begin the formal Level 2 assessment process. The honest answer I give every time: You're ready when you can answer five questions without hesitation.

1. What's in scope? Not what you think is in scope. What is categorized, documented, and defensible right now in line with CMMC scoping guidance.
2. Is your SSP current and accurate? Not drafted. Current. Signed. Reflecting what your environment actually looks like today. Say what you do, do what you say.
3. Do you have evidence your controls are performing? Real evidence, not drafts, for every control you're claiming as MET. The importance of self-assessment cannot be overstated.
4. Has your Affirming Official read §170.22 and do they understand what they're personally attesting to? This is leadership accountability. The Affirming Official is the executive leader who must stand before the entire program. Build an advocate.
5. Has your leadership team had a direct conversation about what happens to the business if certification fails or lapses? CMMC is a business requirement with contractual commitments and revenue impacts. Not an IT project. It must be treated as such.

Most organizations can confidently answer two or three. The ones ready for assessment can answer all five. Where does your organization stand? The mission continues.

#cmmc #defensebase #readiness A-LIGN Petar Besalev Patrick Sullivan Matt Bruggeman Joseph Cortese
-
The United States Department of War, formerly the Department of Defense (DOD), just finalized CMMC 2.0, and defense contractors now have a compliance timeline problem.

The Pentagon's final rule published last week introduces a three-tier certification system that fundamentally changes how defense contractors prove their cybersecurity posture. The big shift: self-assessments are out for most contractors. Levels 2 and 3 now require third-party assessments. And the bar is high. Level 2 contractors need to implement 110 security measures from NIST SP 800-171 on top of Level 1 requirements. Level 3 contractors must fulfill both Level 1 and Level 2 requirements, plus 24 additional security measures from NIST SP 800-172. Annual affirmations are now mandatory to maintain certification. Contractors who fall short get 180 days after assessment to develop and implement plans of action. The DOD is also making something very clear: knowingly misrepresenting your cybersecurity practices now carries real accountability.

This is where the rubber meets the road. Defense contractors aren't just dealing with certification; they're dealing with speed. Third-party assessments take time. Documentation takes time. Gathering evidence across 110+ controls takes time. And the DOD wants contracts to start including CMMC requirements next year.

At SecurityPal, we work with organizations that face this exact challenge: proving compliance fast without sacrificing accuracy. Our platform handles the documentation grind, questionnaire responses, and evidence collection that bog down security teams for weeks. We've seen companies cut security review cycles by 40 to 60%, freeing up technical teams to focus on actual security improvements rather than paperwork.

CMMC 2.0 isn't just about meeting requirements. It's about meeting them efficiently enough to stay competitive for contracts while the assessment infrastructure catches up to demand. Defense contractors who can move through certification faster will have a distinct advantage. The ones who treat this as a checkbox exercise will find themselves stuck in assessment queues while competitors close deals.
-
31 class deviations. 30 DFARS parts revised. Effective December 18, 2025. The Revolutionary FAR Overhaul just hit DoD contracting. Miss these changes, and your next proposal quotes dead language.

Three Executive Orders drove this. EO 14275 on common sense procurement. EO 14265 on defense acquisition modernization. OMB Memo M-25-26 mandates the FAR overhaul. DoD moved fast, using class deviations as interim measures while formal rulemaking catches up.

What actually changed?

- Acquisition planning streamlined. Parts 207 and 210 cut documentation burdens for market research and planning. Less paperwork. Faster timelines.
- Commercial products prioritized. Part 212 revisions push COTS-first. If commercial solutions exist, custom development becomes harder to justify.
- Competition rules simplified. Part 206 changes reduce barriers to entry. More pathways for nontraditional vendors to compete on an equal footing.
- Emergency acquisitions accelerated. Part 218 revisions speed up urgent capability delivery. When speed matters, bureaucracy steps aside.
- Contract financing improved. Part 232 updates help contractors working on government programs improve cash flow.
- Simplified acquisition procedures expanded. Part 213 revisions raise thresholds and reduce friction for smaller buys. More work is moving under simplified procedures rather than full FAR compliance.

The scope is broad. Everything from bonds and insurance (Part 228) to R&D contracting (Part 235) to IT acquisition (Part 239) got touched. Even value engineering (Part 248) and termination procedures (Part 249) were revised.

Reality check for contractors. These deviations apply to new solicitations, contracts, task orders, and delivery orders issued on or after December 18, 2025. Some ongoing actions have exceptions. RFO definitions supersede FAR 2.101 where conflicts arise. If you're quoting old FAR language in proposals, verify it still applies. Full line-out documents showing strikethroughs and revisions are posted on the official DoD acquisition site. Review them before your next submission.

The government just removed excuses for slow procurement. Contractors who can't match that velocity will watch faster competitors take their share. How many of these 31 deviations has your team actually read?

---------- Like this content? Join our newsletter. Link located below my name 👆
-
Defense Software for a Contested Future

At the request of DARPA, the National Academies conducted a study to explore how to enhance the assurance and agility of large-scale, integrated software-based systems. This report recommends ways the Department of Defense can engineer and manage its software systems to reduce cyber risk and enable more rapid system evolution to meet changing mission needs. Report is here: https://lnkd.in/eDrUdrUu

Neat section on use and rapid maturing of formal methods to help with software assurance. Examples given:

- CompCert: formally verified compiler for C. An automated test tool that found hundreds of bugs in mainstream compilers like gcc and clang/LLVM found no bugs in CompCert's verified components after years of testing.
- seL4: A high-assurance, open-source microkernel that serves as a trustworthy foundation for security-critical systems. It was successfully used in a Defense Advanced Research Projects Agency (DARPA) program to build a quadcopter drone that could resist red-team attacks.
- NATS iFACTS: A large-scale air traffic control system in the United Kingdom, comprising 250,000 lines of code, that was formally proven to be free of runtime exceptions and to have functional correctness. It is written in SPARK, a subset of the Ada programming language designed for high-assurance systems.
- Project Everest: A collaboration that produced formally verified, high-performance implementations of components of the HTTPS ecosystem, such as the TLS protocol and cryptographic algorithms. This verified code is now widely deployed in Mozilla Firefox, the Linux kernel, and Microsoft's Hyper-V hypervisor, among others.
-
The Department of Defense, through its FutureG office, plans to release an open-source 5G/6G RAN software stack (OCUDU), signaling a structural move to reduce vendor lock-in and reshape telecom innovation dynamics. By publishing the stack on GitHub under governance aligned with the Linux Foundation and in coordination with the National Spectrum Consortium, the Pentagon is effectively seeding a sovereign, innovation-driven ecosystem rather than relying solely on incumbent OEM roadmaps. Strategically, this positions open RAN software as a geopolitical lever, enabling modular upgrades, AI integration and mission-specific features tailored to defense needs while influencing commercial standards evolution. The initiative also creates a shared baseline for academia and industry experimentation, accelerating interoperability and potentially compressing 6G development cycles. In essence, as reported by DefenseScoop, the move reframes 5G/6G from proprietary infrastructure to programmable, open digital capability infrastructure: https://lnkd.in/dPCcJSZa
-
Did you know DISP cyber expectations have moved beyond the old “top four” Essential Eight conversation? Defence has stated that cyber assessments against the top four Essential Eight controls concluded on 15 November 2025. DISP members are now required to achieve and maintain compliance with the full Essential Eight Maturity Level 2 standard.

That is a meaningful shift. Full E8 ML2 is not just a questionnaire. It cuts across:

- application control
- patching applications
- configuring Microsoft Office macro settings
- user application hardening
- restricting administrative privileges
- patching operating systems
- multi-factor authentication
- regular backups

The phrase that matters is “achieve and maintain”. That means Defence suppliers need an operating rhythm, not just a once-off uplift. Evidence, ownership, review cadence, exception management and continuous improvement all matter.

For businesses wanting to work in Defence supply chains, this is no longer a future concern. It is part of the readiness conversation now.
-
Think your current NIST 800-171 self-attestation will keep DoD work flowing in 2026? Think again. As both a CISO and an AI developer supporting defense programs, three points in the new CMMC final rule jump off the page:

1️⃣ "No cert, no contract" begins November 2025. Whether you touch basic FCI or the most sensitive CUI, the required CMMC level becomes a gate to award, option, or extension.
2️⃣ The scope is bigger than you expect. Subcontractors inherit your CMMC obligations, and every workload that stores, processes, or transmits FCI/CUI needs its own unique CMMC identifier. That means scrutinizing data flows all the way down to your MLOps pipeline and container registry.
3️⃣ Third-party audits aren’t optional for most Level 2 environments. Waiting for the three-year phase-in is risky; C3PAO schedules and budget approvals will collide right when AI-enabled capabilities are supposed to hit the field.

My team is already:

• Mapping data lineage across hybrid clouds and on-prem clusters
• Automating control evidence collection with dev-sec-ops hooks
• Re-negotiating supplier agreements to include flow-down language

How are you preparing for the compliance sprints ahead while still delivering innovation on time?

#CMMC #Cybersecurity #DefenseContracting #CISO #AI Read more: https://lnkd.in/gWra7nBc
-
eMASS Isn’t Dead. It’s Evolving.

In the DoD space, you’ll often hear people say “eMASS is falling behind” or “it’s too old to keep up with modern systems.” But that’s far from the truth. eMASS isn’t disappearing. It’s still the backbone of how ATOs are monitored and managed across federal environments. What’s really happening is transformation, not retirement. Today, eMASS is evolving, introducing API integrations, aligning with SBOM tracking, and bridging FedRAMP Equivalency and CMMC alignment efforts that will define the next era of automated RMF.

FedRAMP Equivalency: DoD and DoW components leveraging FedRAMP-authorized cloud services can now map RMF controls to FedRAMP Moderate/High baselines. While it’s still in pilot stages, Authorizing Officials (AOs) are expecting full Rev5 Moderate equivalency as DoD cloud adoption matures.

CMMC Alignment: CMMC Level 2 and 3 assessments are now built to mirror RMF inheritance. By linking RMF Step 6 continuous monitoring data directly to CMMC control status, organizations can reduce redundancy and move toward a “comply once, report many” model. This integration allows data from eMASS, POA&Ms, and system scans to automatically inform CMMC readiness, paving the way for unified RMF–CMMC automation, where continuous monitoring drives both accreditation and audit requirements in real time.

The truth is, eMASS isn’t being replaced. It’s being modernized at the edges. APIs and automation are building the bridge between DevOps pipelines and compliance workflows. The future of ATO acceleration isn’t about leaving eMASS behind. It’s about teaching your systems to work with it.

#RMF #DoD #eMASS