Schellman’s Take on The Current State of Federal and DoD Software Security

Cybersecurity Assessments | Federal Assessments

Published: Aug 13, 2025

This signals document reviews the current state of software security initiatives in the federal government and the Department of Defense (DoD), highlighting key programs and policies aimed at enhancing cybersecurity. This includes the recent Executive Order 14306 (signed on June 6th), the DoD’s new Software Fast Track (SWFT), and SSDF and associated CISA attestations under the Biden Administration, part of which were rescinded via Executive Order 14144. 

Central to these efforts are the practices for secure software development captured in NIST 800-218 Secure Software Development Framework (SSDF). While the new Executive Order (14144) pushes back to NIST for further review and consideration of self-attestation versus independent assessment, the objective of secure software for federal and mission systems remains the same. 

With our extensive leadership in both federal compliance and software security, Schellman is uniquely qualified to assist software providers in navigating these challenges. We have performed hundreds of assessments against the SSDF as part of our Software Security Assessment Services. To fully grasp the impact of these initiatives, it’s important to first understand the current state of federal and DoD software security. 

Executive Order 14306

On June 6, 2025, Executive Order (EO) 14306 amended prior federal cybersecurity directives, notably scaling back mandatory third-party software attestation reporting requirements. While intended to reduce compliance burdens and accelerate adoption of software, the update may undermine the robustness of software security verification unless accompanied by strong oversight mechanisms. This development underscores the importance of maintaining rigorous internal security practices and highlights the value of independent assessments like Schellman’s Software Security Assessment (S3A) service to ensure continued trust and compliance. 

It is important to note that an EO is a statement of strategy or direction, not formal law or regulation. 

The DoD SWFT Program

In April, Katie Arrington, acting Chief Information Officer (CIO) of the U.S. Department of Defense (DoD), announced the launch of the Software Fast Track (or SWFT) program aimed at quickly assessing and authorizing all software within the DoD, including cloud and on-prem. Like FedRAMP 20x, it also emphasizes speed and automation of review.   

The SWFT Initiative is a new program launched by the U.S. Department of Defense (DoD) aimed at accelerating the acquisition, testing, and authorization of secure software. The initiative was established through a memo titled "Accelerating Secure Software," signed by Ms. Arrington. The SWFT program is aligned with Secretary Hegseth's guidance on modern software acquisition to maximize lethality.

Key aspects of the SWFT program include: 

  1. Cybersecurity and Supply Chain Risk Management (SCRM) Requirements: The program aims to define clear and specific requirements for cybersecurity and SCRM. 
  2. Rigorous Software Security Verification Processes: It introduces stringent processes for verifying software security. 
  3. Secure Information Sharing Mechanisms: The initiative promotes secure mechanisms for sharing information. 
  4. Federal Government-led Risk Determinations: The program expedites cybersecurity authorizations for rapid software adoption. 

As its 90-day sprint ended in July, Ms. Arrington has ordered, via a recent memorandum, that the core programs and published guides for DoD technology acquisition be updated to include the SWFT requirements.

In this memorandum, she also laid out the 12 key risk categories:

  1. Regulatory & Compliance 
  2. Technology & Cybersecurity 
  3. Human Capital 
  4. Manufacturing & Supply 
  5. Financial 
  6. Environmental 
  7. Foreign Ownership, Control, or Influence (FOCI) 
  8. Economic 
  9. Transportation & Distribution 
  10. Political 
  11. Product Quality & Design 
  12. Infrastructure 

In line with OMB Memorandum 22-18, the DoD CIO memorandum reinforces the need for software producers to meet government-specified secure development practices. A key element is the DoD’s support for independent assessments of NIST 800-218 SSDF requirements—adding an external layer of verification that bolsters trust and integrity in the software supply chain while enabling faster, more secure adoption.

Additionally, ICT-SCRM requirements were updated to include: 

  • Implement NIST SP 800-53r5 controls, including:
    • Supply Chain Risk Management Plan (SR-2) 
    • Supply Chain Controls and Processes (SR-3) 
    • Provenance tracking (SR-4) 
    • Supplier Assessments (SR-6) 
    • Tamper Resistance & Detection (SR-9) 
  • Provide security authorization artifacts: inventories, certifications, incident response plan, certification results, SCRM policy, and STIG lists 
  • Comply with DoD Security Requirements Guides (SRG) and Security Technical Implementation Guides (STIG) 

The CISA Sponsored SSDF Program

The Secure Software Development Framework (SSDF), sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), was developed by the National Institute of Standards and Technology (NIST) in response to President Biden’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028). SSDF provides a structured approach to identifying, mitigating, and managing security risks associated with software applications. 

Key aspects of the SSDF program include: 

  1. Holistic Guidelines and Best Practices: The SSDF offers comprehensive guidelines, best practices, and recommendations to secure all phases of the software development lifecycle (SDLC). 
  2. Secure Software Development Attestation Form: Companies selling software to the government were required to complete this form, confirming adherence to secure development practices. Note: this requirement appears to have been removed by the June 6th Executive Order; however, we have not seen CISA publish updated guidance in response to the Order.

The attestation form can be completed through self-attestation or by engaging a FedRAMP Third Party Assessment Organization (3PAO). 

Instead of enforcing new contract requirements, the Trump EO directs NIST to establish an industry consortium (by August 1, 2025) to help develop implementation guidance for secure software development practices. NIST is also tasked with publishing a preliminary update to the SSDF by December 1, 2025, which will include practical examples and controls for secure software development.

As of today, here is where the CISA SSDF stands: 

  • SSDF is still active, but its enforcement mechanisms are evolving. 
  • Attestation forms are still required, but FAR-based enforcement is paused. 
  • Federal software suppliers should continue to comply with and monitor updates from CISA and NIST. 

Comparing EO 14306, SWFT, and SSDF

Objective: 

  • EO 14306: Government-wide mandate that sets the tone and direction of the strategy and pushes the agencies to implement it.
  • SWFT: Focuses on accelerating secure software acquisition, testing, and authorization for the DoD. 
  • SSDF: Provides a structured framework for secure software development and attestation for federal (civilian) procurement. 

Scope: 

  • EO 14306: Same as above. 
  • SWFT: Primarily targets the DoD and its software procurement processes. 
  • SSDF: Applies to all federal agencies and software providers partnering with the government. 

Implementation: 

  • EO 14306: No current guidance on implementation – pushes to NIST. 
  • SWFT: Follows SSDF and provides additional risk areas for review and control enhancements to NIST 800-53 rev 5. 
  • SSDF: In place since 2021 and offers ongoing assessments and attestation forms to ensure compliance with secure development practices; however, these are no longer required under the FAR.

Verification: 

  • EO 14306: No specific guidance, however, suggests self-assessment. 
  • SWFT: Puts more emphasis on third-party assessment than CISA’s SSDF.
  • SSDF: Includes assessments of SDLC processes, secure code development training, and secure code testing practices. 

Why Alignment with SSDF Matters and How Schellman Can Help 

In summary, while the EO questions how companies will be accountable for software security, the SWFT and CISA legacy programs are clearly designed to focus on software security as the critical risk point for federal and mission data. 

Given that both are aligned with NIST 800-218 (SSDF), Schellman’s Software Security Assessment (S3A) service is more than capable of addressing these needs. Contact us today to learn more.

Furthermore, clients that undergo a NIST 800-218 review for CISA (federal use) can obtain a DoD report at no additional cost, assuming the scopes align.

About Douglas Barbin

As President and National Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market-leading, diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post-graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.