Industry flags DoD’s lack of standardized software attestation processes - Federal News Network
Vendors said it is unclear what qualifies as a valid attestation, what evidence must be included or how often attestations are required.
Anastasia Obis
December 17, 2025 8:19 pm
Defense technology companies broadly agree on what secure software looks like. Less consistent, though, is industry-wide understanding of the Defense Department’s mechanisms for demonstrating security compliance. Instead, stakeholders generally see a lack of “consistent and standardized methods for attestation processes,” according to recent industry feedback.
A new summary document released by Acting DoD CIO Katie Arrington compiled and analyzed industry responses to three separate DoD requests for information on advancing and securing software for the federal government.
“Overall, there was a strong call for the DoW to define a legitimate attestation, identify what is required to complete an attestation, and to ensure consistency of these standards across the DoW,” the document states. “Additional hurdles such as resource constraints, difficulties managing supply chain opacity, and cultural barriers further underscore the intricacies of enforcing a robust secure software development practice.”
In response to the DoD CIO’s requests for information under the office’s recently launched Software Fast Track Initiative, industry overwhelmingly pointed to established cybersecurity frameworks such as the National Institute of Standards and Technology’s Secure Software Development Framework and the widely used Open Worldwide Application Security Project standards for managing software and supply-chain risk. More than 75% of respondents said they rely on NIST’s secure software framework, which aligns with DoD’s approach to software security and risk management.
But companies told Pentagon IT leadership that uncertainty around compliance remains a major obstacle. Vendors said it is unclear what qualifies as a valid attestation, what documentation must be included in a body of evidence, how often attestations are required and whether companies are allowed to self-attest to security practices or must rely on third-party assessments. Since NIST’s secure software guidance is designed as a framework rather than a checklist, vendors warned that compliance is open to interpretation and risks inconsistent application across the department.
Arrington announced the Software Fast Track, or SWFT Initiative, in April with the aim to reform the ways DoD buys, tests and authorizes secure software. Arrington has argued that the Pentagon’s existing processes for approving software are too slow. Since returning to the Pentagon in March in acting CIO capacity, she has pushed to overhaul the department’s legacy processes for buying software, namely the Risk Management Framework (RMF) and the authority to operate (ATO) approval process. She previously said she is “blowing up the RMF” and that she hopes ATOs are “something I never hear about again.”
The SWFT effort intends to shift away from rigid checklist processes toward dynamic, continuous authorization to operate. To inform the shift, the CIO office issued three requests for information asking vendors for insights around tools in use, external assessment methodologies, and how automation and artificial intelligence could help the department accelerate secure software adoption.
Besides revealing that companies are concerned about inconsistent attestation requirements, responses to the first RFI, which focused on Software Fast Track tools, also flagged challenges with integrating the secure software framework into existing workflows.
“The amount of evidence required for NIST SP 800-218 compliance would likely require automation and integration of multiple tools within existing infrastructure. Similarly, integrating manual documentation and effort into existing logical processes and workflows could be challenging,” the Software Fast Track RFI summary reads.
At the same time, about 90% of respondents said they would provide software bills of materials — detailed inventories of the components used to build a software product — to the department. Most said those SBOMs would cover their own software.
Nearly all companies said they already perform software risk assessments and would provide DoD officials with risk assessment artifacts. Most said those artifacts are generated through automated tools, and the majority made clear “their willingness to provide these artifacts in an efficient manner through standardized formats and secure exchange processes.”
To that end, companies recommended allowing vendors to submit artifacts directly into DoD platforms such as Enterprise Mission Assurance Support Service (eMASS) through application programming interfaces to expedite software security reviews.
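One reason vendors care about standardized formats is that an automated intake check on the receiving side only works if every submission carries the same minimum fields. The script below is an added example, not code from the article, DoD or eMASS: it runs a completeness check over a CycloneDX JSON SBOM (CycloneDX is one of the common machine-readable SBOM formats), flagging components that cannot be tied back to a delivered artifact because they lack a version, a package URL (purl) or a SHA-2 hash. The SBOM document, component names and the set of required fields are constructed for illustration and are not a DoD acceptance rule.

```python
"""Completeness check for a CycloneDX JSON SBOM (added example).

The rule set here is an assumption for illustration: a component is
acceptable when it names itself (name, version, purl) and carries a
SHA-2 hash the receiver can verify against the shipped artifact.
"""
import json

# Constructed sample SBOM: one complete component and two incomplete ones.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "vendor-app", "version": "2.3.0"}
    },
    "components": [
        {
            "type": "library",
            "name": "requests",
            "version": "2.32.3",
            "purl": "pkg:pypi/requests@2.32.3",
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
        },
        {   # no version and no hash: cannot be matched to a delivered file
            "type": "library",
            "name": "left-pad",
            "purl": "pkg:npm/left-pad",
        },
        {   # version present, but no purl and no hash
            "type": "library",
            "name": "internal-crypto",
            "version": "1.0",
        },
    ],
})

REQUIRED_FIELDS = ("name", "version", "purl")      # assumed minimum, not a DoD rule
ACCEPTED_HASH_ALGS = {"SHA-256", "SHA-384", "SHA-512"}


def check_sbom(sbom_json: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means the SBOM passed."""
    doc = json.loads(sbom_json)
    findings: list[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("document is not a CycloneDX BOM")
        return findings
    if "component" not in doc.get("metadata", {}):
        # metadata.component describes the delivered product itself
        findings.append("metadata.component (the delivered product) is missing")
    for idx, comp in enumerate(doc.get("components", [])):
        label = comp.get("name") or f"component[{idx}]"
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if not algs & ACCEPTED_HASH_ALGS:
            findings.append(f"{label}: no SHA-2 hash to verify against the artifact")
    return findings


def sbom_is_acceptable(sbom_json: str) -> bool:
    """Convenience wrapper: True only when check_sbom() reports nothing."""
    return not check_sbom(sbom_json)


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print(finding)
```

Run against the constructed sample, the check passes `requests` and reports four findings for the other two components. The point of the example is structural: a receiving system can only apply a check like this consistently if the submission format and the required fields are fixed up front, which is exactly the standardization vendors said is missing.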
External assessments
Industry respondents said most companies already rely on a mix of internal and external audits to assess software security.
Internal audit functions typically include continuous monitoring, code reviews and regular red-teaming exercises designed to identify vulnerabilities before they can be exploited. Meanwhile, external assessments are often conducted by third-party auditors or independent penetration testers to provide objective validation of a company’s security posture.
Top compliance regimes include the Federal Risk and Authorization Management Program, NIST cybersecurity standards and Service Organization Control (SOC), which “further evidences a mature security posture among organizations.”
At the same time, companies stressed that any external assessment functions would require clear guardrails. Respondents said assessment organizations should demonstrate relevant experience in high-security environments, secure data handling methodologies, established quality management and a high degree of independence. Moreover, such assessments should be conducted by qualified personnel with industry-recognized certifications and a strong understanding of DoD security frameworks.
Applying automation and AI tools
Industry respondents said automation and artificial intelligence could deliver the biggest gains in speeding DoD software risk assessments, particularly by reducing manual paperwork and enabling continuous monitoring. Companies emphasized that automation and AI serve different purposes, with automation best suited for executing repetitive, rule-based tasks, while AI can “make decisions and learn to perform tasks with a human-like intelligence.”
Companies also warned about significant challenges in applying automation and AI. Vendors cited concerns around AI explainability, data quality and model reliability, noting that authorizing officials must be able to understand how risk determinations are made.
Arrington said the Software Fast Track Initiative is on track to roll out early next year.
“People that think SWFT wouldn’t happen — joke’s on you. If it wasn’t for the furlough, that would have gone live in the beginning in November. So look in early January,” Arrington said during the Defense Information Systems Agency’s annual Forecast to Industry event on Dec. 8. “Software Fast Track: so you can ingest software and we can get it approved in days, not months and years. Making sure that we have a baseline called eMASS that can make sure that if an ATO is granted, then an ATO is reciprocated. We have the Software Assurance playbook. If anybody doesn’t know about that one, it’s when software has vulnerabilities. We work through them to remediate them, blowing up the RMF. We’re already starting to do it using continuous monitoring, the ten tenets of what it needs to be.”
Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.