Defense technology companies are urging the Pentagon to clarify how it verifies software security compliance, citing a lack of standardized processes for software attestations, according to a new Pentagon report.
Vendors said uncertainty persists over what constitutes a valid attestation, including what evidence is required and how often it must be provided. While there is broad agreement on secure software practices, the report found far less consistency in how the DOD expects compliance to be demonstrated.
Pentagon Acting Chief Information Officer Katie Arrington released the industry insights in the summary report, which compiles and analyzes more than 400 responses to three requests for information (RFI) tied to the department’s Software Fast Track (SWFT) initiative. The initiative aims to accelerate the delivery of secure software to the Department of Defense (DOD) – rebranded as the War Department by the Trump administration.
SWFT, which Arrington introduced in April, aims to streamline the DOD’s Authority to Operate process for software and provide military services and defense agencies with greater assurance that applications meet security requirements.
In the document’s foreword, Arrington said the responses to the RFIs will inform how the department can transform software security practices and maintain long-term military advantages.
Software supply chain security tools
The first RFI focused on software supply chain security tools currently in use.
Respondents showed strong alignment around established frameworks and standards, most frequently citing guidance from the National Institute of Standards and Technology (NIST), including secure software development, cybersecurity controls and supply chain risk management publications. Industry participants also commonly referenced Open Worldwide Application Security Project guidelines.
Despite that alignment, companies said the absence of consistent and standardized attestation methods makes it difficult to document compliance and integrate requirements into existing workflows. Respondents also pointed to challenges such as limited resources, supply chain visibility issues, and organizational culture barriers.
Most companies indicated a willingness to provide software bills of materials and related artifacts. These artifacts generally aligned with the core components of the risk management framework, including system security plans, risk assessment reports, and plans of action and milestones. Many respondents emphasized the importance of automated artifact generation and standardized, secure methods for exchanging documentation.
External assessment methods for software risk, authorization
The second RFI examined how external assessment organizations could help streamline risk assessment and authorization processes.
About half of respondents reported using both internal and external audits. Internal approaches commonly included continuous monitoring, code reviews and penetration testing, while external assessments were typically conducted by third-party auditors.
Companies said those audits are often mapped to broader compliance guidelines such as the Federal Risk and Authorization Management Program, NIST standards, Service Organization Control 2, and International Organization for Standardization 27001.
Respondents stressed that any external assessment body would need clear methodologies, independence, secure data handling practices, and qualified personnel with experience evaluating software used in high-impact military environments.
Automation, AI
The third RFI addressed the use of automation and artificial intelligence (AI) to speed secure software adoption.
Industry participants said automation and AI could reduce manual work in areas such as document processing, compliance validation, and monitoring, but also noted challenges related to explainability, data quality, security, and scalability.
Respondents said broader use of automation and AI would require standardized data tailored to DOD needs, including threat intelligence, vulnerability data, and software composition information.