Securing the Code: DoD Fast-Tracks Trust in Software Supply Chain

Taking a cue from the Cybersecurity Maturity Model Certification (CMMC), the Department of Defense (DoD) is preparing to roll out new security criteria that will change how software vendors deliver secure solutions to the military. The goal? To ensure software products and their development pipelines are resilient enough to withstand today’s fast-evolving cyber threats—without burying projects in red tape.
Rob Vietmeyer, the DoD’s Chief Software Officer, emphasized the urgency during his address at AFCEA NOVA’s IT Innovation Day. “We need to accelerate that conversation with industry,” he said. “It’s not just about speeding up delivery—it’s about building trust that software products are secure and won’t introduce risk into our environment.”
To that end, the DoD is expected to release a series of Requests for Information (RFIs) in the coming weeks to better understand which security controls should be required across commercial software solutions. The move is part of a broader initiative to create a “fast-pass” authority to operate (ATO) system, saving months typically spent in exhaustive risk assessments.
Shifting From Assessment to Trust
Vietmeyer explained that this approach won’t require building a brand-new certification body. Instead, it will likely leverage existing structures like the CMMC and other widely recognized frameworks. If software providers can show that their products and pipelines meet a defined set of security controls, they could bypass time-consuming processes while still meeting DoD’s risk tolerance.
“What we’re looking at is defining a set of controls,” he said. “If industry can demonstrate compliance, we remove the burden of months of assessments. It allows us to say—this software meets our risk posture. It’s safe to deploy.”
The shift comes as part of a larger strategy launched in February 2022, aimed at modernizing the way the Pentagon acquires software. In March, Defense Secretary Pete Hegseth backed this momentum by directing agencies to use the software acquisition pathway as the default for business and weapons systems.
Combatting an Evolving Threat Landscape
Why the urgency? Because adversaries are now targeting software supply chains with alarming sophistication. From simple credential compromises to advanced build-system hacks that inject malicious code directly into the final software, the DoD recognizes the battlefield is no longer just physical—it’s digital.
“There’s a set of both basic and sophisticated attacks being employed against the software the department relies upon,” said Vietmeyer. This includes pipeline poisoning, typo-squatting, and other deceptive tactics that exploit weaknesses long before the software is even deployed.
To combat these threats, the DoD is not just focusing on compliance, but also on defining technological standards that ensure long-term resilience. Vietmeyer emphasized that these innovations shouldn’t be “thrown over the fence” and forgotten. Instead, they should be deeply integrated into a tech framework that supports the warfighter’s evolving needs in a highly dynamic battlespace.
Bringing AI Into the DevSecOps Fold
As if redefining software trust wasn’t enough, the DoD is also exploring how artificial intelligence can further revolutionize its software development pipeline. In partnership with MITRE, the department has launched a new initiative to map where AI tools can boost each stage of the DevSecOps lifecycle.
“Emerging AI capabilities are showing real potential,” said Vietmeyer. “We want to use them to accelerate the department’s journey through agile development and deliver resilient capabilities faster.”
From integrating general-purpose large language models (LLMs) to mapping potential AI-enhanced tools across the development lifecycle, the initiative is as much about efficiency as it is about safeguarding against AI-specific threats.
“How do we understand where AI fits? Where does it help? Where does it pose new risks? That’s what we’re digging into now,” he added.
The Bottom Line
The Pentagon’s new software security efforts signal a transformative era—one where speed, trust, and national defense aren’t at odds, but part of the same strategy. By partnering with industry, setting clear standards, and embracing AI, the DoD is building a software ecosystem ready for the challenges of tomorrow.
This isn’t just a tweak in policy—it’s a foundational shift in how America defends itself in the digital age.