The Pentagon must balance speed with safety as it modernizes software
DOD understands the need for software modernization and is taking steps to improve both its development and procurement methods. A recent directive designates the Software Acquisition Pathway (SWP) as the primary process for creating both weapons and business systems. This necessary evolution marks a shift from lengthy, hardware-focused timelines to a faster and more flexible software-centric model. SWP streamlines development and emphasizes speed by allowing programs to share and repurpose software test results.
While speed is important, this new approach also magnifies potential vulnerabilities: when programs reuse one another's test results, a flaw that went undetected in the original project, or that only came to light after the initial testing, may never be tested for again in the programs that inherited those results. This creates a critical visibility problem.
Software is constantly changing. A system that passed security tests last month could be vulnerable today because of a newly discovered flaw in one of its dependencies. Without a clear record of what is inside each software package, there is no reliable way to assess whether existing test results still apply.
To remedy these challenges, the Pentagon should require Software Bills of Materials (SBOMs) for all software it acquires and manages. SBOMs will prepare the Pentagon to quickly respond to and mitigate software flaws that adversaries exploit to conduct espionage and disruptive cyberattacks. They should be complemented by Vulnerability Disclosure Reports (VDRs) from the software's original producers and a centralized system to track and share this information across the DOD enterprise.
SBOMs are digital manifests that list the ingredients of a software package — every component, version, and dependency, including the transitive dependencies a developer never chose directly. They give cybersecurity teams the context necessary to act quickly when a vulnerability emerges. Requiring SBOMs will enable the Pentagon to trace an affected component to every system that carries it in minutes rather than hours or days.
The benefits are not hypothetical. When the Log4Shell vulnerability hit in 2021, organizations with SBOMs could quickly identify which of their systems carried a vulnerable version of the Log4j library. Entities without them scrambled, manually combing through codebases and vendor lists. That sort of delay is not just inefficient in a defense setting — it is a catastrophe. Other countries recognize this as well. India, for example, has explicitly endorsed SBOM requirements in public sector procurement, while the British government has publicly acknowledged the benefits of SBOMs for tracing vulnerabilities in cyber components.
Although SBOMs provide transparency into a product's components, they do not by themselves show whether a given vulnerability is exploitable in that product: a vulnerable library may be present but never called, or the dangerous code path may have been removed or mitigated by the producer. That is why the Pentagon should complement SBOMs with VDRs from the product's original developers to make that determination. When researchers discover vulnerabilities in component pieces of software, the producer is usually the only party with the code-level knowledge to confirm whether the vulnerability is reachable in their product. Similar to how a thorough home inspection reveals potential hazards or a Carfax report tracks issues with cars, a VDR is a dynamic document that details known weaknesses or issues with a software product and must be updated as new vulnerabilities emerge. As a result, a VDR is just as essential to effective software risk assessment as an SBOM.
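The two steps the preceding paragraphs describe, using an SBOM to find every system that carries a vulnerable component and then using the producer's VDR to decide whether each instance is actually exploitable, are shown below as an added example; this is not code from the article or from any DOD or CISA tool. It assumes a CycloneDX-style JSON SBOM with a "dependencies" graph and a producer VDR in CycloneDX "vulnerabilities" form, both constructed here for a hypothetical "mission-planner" application. The advisory uses the real Log4Shell identifier, CVE-2021-44228, with a simplified affected range (2.0-beta9 up to but not including 2.15.0) that ignores the backported 2.12.x and 2.3.x security releases; the version comparison handles only Maven-style MAJOR.MINOR[.PATCH][-qualifierN] strings.

```python
"""Match a CycloneDX SBOM against a vulnerable version range, trace the dependency
path that pulls each hit in, then overlay the producer's VDR analysis."""
import json
import re
from collections import deque

# Constructed SBOM (assumption: CycloneDX 1.5 layout, bom-refs chosen for readability).
SBOM_JSON = r'''{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "type": "application",
                            "name": "mission-planner", "version": "4.2.0"}},
 "components": [
  {"bom-ref": "report-engine", "type": "library", "name": "report-engine", "version": "3.1.0",
   "purl": "pkg:maven/example/report-engine@3.1.0"},
  {"bom-ref": "log4j-core-2.14.1", "type": "library", "name": "log4j-core", "version": "2.14.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
  {"bom-ref": "legacy-parser", "type": "library", "name": "legacy-parser", "version": "1.0.3",
   "purl": "pkg:maven/example/legacy-parser@1.0.3"},
  {"bom-ref": "log4j-core-2.13.3", "type": "library", "name": "log4j-core", "version": "2.13.3",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3"},
  {"bom-ref": "telemetry-lib", "type": "library", "name": "telemetry-lib", "version": "1.2.0",
   "purl": "pkg:maven/example/telemetry-lib@1.2.0"},
  {"bom-ref": "log4j-core-2.17.1", "type": "library", "name": "log4j-core", "version": "2.17.1",
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
 ],
 "dependencies": [
  {"ref": "app", "dependsOn": ["report-engine", "legacy-parser", "telemetry-lib"]},
  {"ref": "report-engine", "dependsOn": ["log4j-core-2.14.1"]},
  {"ref": "legacy-parser", "dependsOn": ["log4j-core-2.13.3"]},
  {"ref": "telemetry-lib", "dependsOn": ["log4j-core-2.17.1"]}
 ]}'''

# Constructed producer VDR: the report-engine vendor states that its bundled log4j-core
# is not affected because the JndiLookup class was stripped from the jar it ships.
# No statement exists for the copy under legacy-parser.
VDR_JSON = r'''{"vulnerabilities": [
  {"id": "CVE-2021-44228", "affects": [{"ref": "log4j-core-2.14.1"}],
   "analysis": {"state": "not_affected", "justification": "code_not_present",
                "detail": "JndiLookup.class removed from the shipped log4j-core jar"}}]}'''

# Simplified advisory: real CVE id, affected range [introduced, fixed).
ADVISORY = {"id": "CVE-2021-44228",
            "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core@",
            "introduced": "2.0-beta9", "fixed": "2.15.0"}

_QUAL_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # a final release ranks 3

def version_key(v):
    """Sort key for Maven-style MAJOR.MINOR[.PATCH][-qualifierN]; qualifiers sort below the release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", v.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = 3 if qual is None else _QUAL_RANK[qual]
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))

def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)

def dependency_path(sbom, target_ref):
    """Breadth-first search from the top-level application to target_ref; None if unreachable."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def find_exposures(sbom, advisory):
    """Every component whose purl matches the advisory and whose version falls in the affected range."""
    hits = []
    for c in sbom.get("components", []):
        purl = c.get("purl", "")
        if purl.startswith(advisory["purl_prefix"]):
            version = purl[len(advisory["purl_prefix"]):]
            if in_range(version, advisory["introduced"], advisory["fixed"]):
                hits.append({"ref": c["bom-ref"], "version": version,
                             "path": dependency_path(sbom, c["bom-ref"])})
    return hits

def apply_vdr(exposures, vdr, advisory_id):
    """Overlay producer analysis. A match with no producer statement stays actionable:
    absence of a VDR entry is not evidence that the flaw is unreachable."""
    statements = {}
    for v in vdr.get("vulnerabilities", []):
        if v.get("id") == advisory_id:
            for a in v.get("affects", []):
                statements[a["ref"]] = v.get("analysis", {})
    for e in exposures:
        analysis = statements.get(e["ref"])
        e["status"] = analysis.get("state", "in_triage") if analysis else "no producer statement"
        e["justification"] = analysis.get("justification") if analysis else None
        e["actionable"] = e["status"] not in ("not_affected", "resolved", "false_positive")
    return exposures

def assess(sbom_json=SBOM_JSON, vdr_json=VDR_JSON, advisory=ADVISORY):
    """SBOM match followed by VDR overlay; returns one record per vulnerable component instance."""
    return apply_vdr(find_exposures(json.loads(sbom_json), advisory), json.loads(vdr_json), advisory["id"])

if __name__ == "__main__":
    for e in assess():
        print(f"{e['ref']:<20} via {' -> '.join(e['path'])}: {e['status']}"
              f"{' (ACTION REQUIRED)' if e['actionable'] else ''}")
```

The SBOM pass alone reports two affected copies of log4j-core and ignores the patched 2.17.1 copy; the VDR overlay clears the copy under report-engine and leaves the copy under legacy-parser, for which no producer statement exists, as the one instance that still needs action. Treating "no statement" as actionable rather than as clean is the conservative default a defense program should keep.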
Furthermore, SBOMs and VDRs save time and money. They reduce redundant testing, speed up incident response, and help acquisition teams verify that what they procure is safe. The up-front cost of implementation is small compared to the damage a breach could cause, not just in dollars but in mission impact.
DOD policy already supports the principles behind SBOMs and VDRs. The SWP encourages continuous testing and automated security checks. Executive Order 14028 directs federal agencies to enhance software supply chain security and allows them to request SBOMs from vendors, particularly for critical software, as part of broader secure development and procurement practices. Guidance from the Office of Management and Budget states that software suppliers must ensure no known exploitable vulnerabilities are present in software released to the market, a requirement echoed in the EU Cyber Resilience Act and CISA's Secure Software Attestation Form. The DOD Cybersecurity Test and Evaluation Guidebook, the Army's 2024 directive on software transparency and guidance from the National Institute of Standards and Technology reinforce this direction. The foundation is there, but the recommendations outlined here need to be put into practice.
To do that effectively, the Pentagon also needs a plan to manage the information it gleans from SBOMs and VDRs. If each DOD office or military unit stores these artifacts in separate systems, the visibility problem will not disappear. Instead, DOD needs a centralized repository, a common platform where teams across the department can access SBOMs, VDRs and other attestations to inform decisions, track risks and avoid duplication.
That capability already exists. CISA's Repository for Software Attestations and Artifacts (RSAA) portal provides centralized, secure storage for SBOMs and related artifacts, including VDRs, accessible to all U.S. government agencies. Leveraging RSAA as a government-wide resource requires no new infrastructure or cost, and it can serve as the backbone for software transparency efforts moving forward.
Speed is critical. Speed without insight and security is a gamble. As the Pentagon races to modernize its software acquisition, it must do so with a clear knowledge of what it is operating. The solutions proposed here are easily implementable, cost-effective and will advance a secure supply chain worthy of the missions it supports.
Dr. Georgianna 'George' Shea is chief technologist at the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation and its Transformative Cyber Innovation Lab. She is at the forefront of cybersecurity innovation with nearly 30 years of pioneering experience across federal and commercial sectors.