
DOD Raises Software Security Expectations With SWFT Initiative

Open-source software (OSS) may be in the crosshairs of military and government agencies as the U.S. Department of Defense (DOD) evaluates the risks of both free and proprietary software.

Katie Arrington, the DOD’s CIO, issued a memo on May 2 announcing the Software Fast-Track (SWFT) initiative to reform how software is acquired, tested, and authorized. Concerns over increasing campaigns attacking procurement systems and sensitive information leaks are fueling a system-wide review of how software is evaluated, approved, and granted an Authorization to Operate (ATO) within DOD systems.

Arrington set a 90-day timeframe for developing a framework for DOD’s Cybersecurity and Supply Chain Risk Management (SCRM) practices. As part of this effort, the DOD issued multiple requests for information (RFIs) from industry leaders on software security issues.

So far, the DOD has not issued an outright ban on open-source software. However, due to potential security risks, it has expressed significant concerns regarding its use in critical systems.

The DOD declined to answer questions submitted by LinuxInsider about the anticipated role of OSS tools. Previous documents within the DOD suggest a move toward a more security-focused approach to using all software rather than outlawing its use.

According to Jason Soroko, senior fellow at certificate lifecycle management platform Sectigo, the SWFT initiative subtly signals a potential shift in risk ownership: away from relying solely on vendor or community attestations, and toward the DOD itself taking on more of that accountability.

“This suggests the DOD may increasingly define and accept risk for both proprietary and open-source software components,” he told LinuxInsider.

Risk Spans Both Open and Closed Software

Soroko added that a less obvious challenge is whether the DOD can build and scale the infrastructure and expertise required for such continuous, centralized risk assessment across its software ecosystem. That capability, he noted, could influence how all software providers engage with defense procurement.

Sharing a similar view, Eric Schwake, director of cybersecurity strategy at API security platform firm Salt Security, offered that the SWFT initiative underscores the crucial need to expedite and secure software deployment in light of changing threats.

“While debates frequently center around the dangers of open-source versus proprietary software, the truth is that vulnerabilities can be present in any codebase, no matter its source,” he told LinuxInsider.

Schwake noted that the application programming interfaces (APIs) that software components expose and interact with are a vital yet often overlooked aspect of secure software development and supply chain risk management for both open-source and proprietary solutions.

“They create a substantial attack surface that, if breached, could result in data leaks and operational interruptions, reminiscent of the incidents the DOD encountered,” he said.

According to Schwake, achieving the objectives of the SWFT framework requires three key actions for the APIs in all software: thorough discovery, posture governance, and ongoing runtime protection.

Open Source Software Remains Essential to DOD

According to Aditi Gupta, senior manager for professional services consulting at application security firm Black Duck, most government ATOs have previously focused on demonstrating point-in-time security and controls for products. That focus under SWFT must shift towards demonstrable security practices, evidence collection, and processes to maintain visibility in the software supply chain.

Gupta noted that over the years, regulatory emphasis on open-source security has tightened, building on the EO 14028 mandate, the SSDF, and NIST SP 800-53 controls. SWFT emphasizes faster deployments while maintaining resilience and trust in software.

“OSS is undoubtedly a top concern for authorities. Data from the 2025 Open-Source Security and Risk Analysis (OSSRA) report suggests that almost 70% of all code originates in open source,” she told LinuxInsider.

Laura Franzese, co-founder and CMO at open cloud security firm Prowler, says open source is not a liability. It is the blueprint for secure software in the age of AI.

“You can’t secure what you can’t see. Whether you’re shipping code or defending infrastructure, OSS gives you the transparency and control closed systems just can’t,” she told LinuxInsider.

Securing the Software Supply Chain

Franzese noted that the most important elements for SWFT to bake into its software supply chain security practices are transparency, provenance, and reproducibility.

“The most effective supply chain security starts with knowing what’s in your code — open source or not,” she said.

That means requiring a Software Bill of Materials (SBOM), which lists all open-source and third-party components used in a software application, she insisted.


She explained that the SBOM continuously validates dependencies and ensures reproducible builds across environments. But just as important is the ability to test and verify everything end-to-end.

“That’s where open source has a structural advantage: you can inspect it, instrument it, and improve it in the open,” added Franzese. “SWFT should lean into that, not just to harden the supply chain, but to make security practices scalable and automation-friendly from day one.”
