The Pentagon must balance speed with safety as it modernizes software

The Department of Defense is at grave risk of being caught flat-footed by the next software vulnerability. When an adversary discovers it, the Pentagon may not know which systems are exposed until substantial damage has been done. This blind spot is dangerous. The Pentagon needs to balance expediting its software acquisition process with a better system for gauging prospective vulnerabilities and mitigating harm in the event of an attack.

DOD understands the need for software modernization and is taking steps to improve both its development and procurement methods. A recent directive designates the Software Acquisition Pathway (SWP) as the primary process for creating both weapons and business systems. This necessary evolution marks a shift from lengthy, hardware-focused timelines to a faster and more flexible software-centric model. SWP streamlines development and emphasizes speed by allowing programs to share and repurpose software test results.

While speed is important, this new approach also magnifies potential vulnerabilities: If a flaw goes undetected in one project or only comes to light after initial testing, there may be no subsequent security tests to identify it. This creates a critical visibility problem.

Software is constantly changing. A system that passed security tests last month could be vulnerable today because of a newly discovered flaw in one of its dependencies. Without a clear record of what is inside each software package, there is no reliable way to assess whether existing test results still apply.

To remedy these challenges, the Pentagon should require Software Bills of Materials (SBOMs) for all software it acquires and manages. SBOMs will prepare the Pentagon to quickly respond and mitigate software flaws that adversaries exploit to conduct espionage and disruptive cyberattacks. They should be complemented by Vulnerability Disclosure Reports (VDRs) from software’s original producers and a centralized system to track and share this information across the DOD enterprise.

SBOMs are digital manifests that list the ingredients of a software package — every component, version, and dependency. They give cybersecurity teams the context necessary to act quickly when a vulnerability emerges. Requiring SBOMs will enable the Pentagon to trace threats and pinpoint risk in minutes rather than hours or days.

The benefits are not hypothetical. When the Log4Shell vulnerability hit in 2021, organizations with SBOMs immediately identified their exposure to the compromised Log4j library. Entities without them scrambled, manually combing through codebases and vendor lists. That sort of delay is not just inefficient in a defense setting — it is a catastrophe. Other countries recognize this as well. India, for example, has explicitly endorsed SBOM requirements in public sector procurement, while the British government has publicly acknowledged the benefits of SBOMs for tracing vulnerabilities in cyber components.

Although SBOMs provide transparency into a product’s components, they do not fully demonstrate whether a given vulnerability is exploitable. That is why the Pentagon should complement SBOMs with VDRs from the product’s original developers to make that determination. When researchers discover vulnerabilities in component pieces of software, only the producer has the expertise to confirm whether the vulnerability affects their product. Similar to how a thorough home inspection reveals potential hazards or a Carfax report tracks issues with cars, a VDR is a dynamic document that details known weaknesses or issues with a software product. As a result, a VDR is just as essential to effective software risk assessment as an SBOM.

Furthermore, SBOMs and VDRs save time and money. They reduce redundant testing, speed up incident response, and help acquisition teams verify that what they procure is safe. The up-front cost of implementation is small compared to the damage a breach could cause, not just in dollars but in mission impact.

DOD policy already supports the principles behind SBOMs and VDRs. The SWP encourages continuous testing and automated security checks. Executive Order 14028 directs federal agencies to enhance software supply chain security and allows them to request SBOMs from vendors, particularly for critical software, as part of broader secure development and procurement practices. Guidance from the Office of Management and Budget states software suppliers must ensure no known exploitable vulnerabilities are present in software released to the market, a requirement echoed in the EU Cyber Resilience Act and CISA’s Secure Software Attestation Form. The DOD Cybersecurity Test and Evaluation Guidebook, the Army’s 2024 directive on software transparency and guidance from the National Institute of Standards and Technology reinforce this direction. The foundation is there, but the recommendations outlined here need to be put into practice.

To do that effectively, the Pentagon also needs a plan to manage the information it gleans from SBOMs and VDRs. If each DOD office or military unit stores these artifacts in separate systems, the visibility problem will not disappear. Instead, DOD needs a centralized repository, a common platform where teams across the department can access SBOMs, VDRs and other attestations to inform decisions, track risks and avoid duplication.

That capability already exists. CISA’s Repository for Software Attestations and Artifacts (RSAA) portal provides centralized, secure storage for SBOMs and related artifacts, including VDRs, accessible to all U.S. government agencies. Leveraging RSAA as a government-wide resource requires no new infrastructure or cost, and it can serve as the backbone for software transparency efforts moving forward.

Speed is critical. Speed without insight and security is a gamble. As the Pentagon races to modernize its software acquisition, it must do so with a clear knowledge of what it is operating. The solutions proposed here are easily implementable, cost-effective and will advance a secure supply chain worthy of the missions it supports.

Dr. Georgianna “George” Shea is chief technologist at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab. She is at the forefront of cybersecurity innovation with nearly 30 years of pioneering experience across federal and commercial sectors.

Read More

Opinion

C4ISRNet

[crypto-donation-box type=”tabular” show-coin=”all”]