2025 Federal Retrospective: The Year of Resilient Innovation

By Antoine Harden

6 minute read time


Resiliency has been top of mind in 2025, and recent high-profile CVEs serve as holiday reminders that adversaries aren't slowing down. But what changed this year was how the federal community responded. Increasingly, exploitability drove the clock: when vulnerabilities surfaced as actively exploited, agencies leaned on a more operational posture where "Are we exposed?" and "How fast can we fix it?" mattered as much as "How severe is it?" In that environment, 2025 was defined by a single, powerful transition: the shift from planning modernization to executing it at scale. For years, agencies have discussed digital transformation, zero trust, and the promise of AI. This year, those themes moved from strategy decks into day-to-day delivery.

This year, those discussions became an operational reality, measured in deployed controls, reduced remediation time, and more repeatable pathways to ship secure software.

As we close the book on 2025, it is clear that the federal sector has reached a turning point. We are no longer just reacting to the threat landscape; we're actively shaping it through better policy, smarter technology, and a renewed commitment to secure innovation. From the maturation of software supply chain management to the governed adoption of AI, this year proved that government technology can be both secure and agile when security is engineered into the system, not bolted on at the end.

In this retrospective, we reflect on the milestones that defined 2025 and explore how federal agencies can carry this momentum into the year ahead with even greater speed, confidence, and mission impact.

The Maturity of Software Supply Chain Security

If 2023 was the year of the Software Bill of Materials (SBOM), and 2024 was the year of implementation, 2025 was the year of actionability.

Just as importantly, federal teams increasingly connected supply chain data to real-world exploitation signals. When a vulnerability moved from theoretical to exploited, teams that had asset context and trustworthy component visibility could pivot quickly: identify impacted applications, prioritize what mattered most, and reduce time-to-remediate without freezing delivery.

Moving Beyond Compliance

Compliance often feels like a checklist, but in 2025, it became a strategic advantage. The enforcement of strict software supply chain security standards — driven by evolving CISA guidance and executive mandates — pushed agencies to adopt automated governance.

We saw a shift away from manual security reviews, which act as bottlenecks, toward automated policy enforcement. By integrating security guardrails, which can include concepts like shift-left and secure-by-design principles, directly into the development lifecycle, developers can innovate without fear of introducing avoidable risk. This represents a cultural shift: security is no longer a gatekeeper saying "no," but a partner ensuring "yes, but securely."

AI Governance Meets Mission Delivery

AI ceased to be a buzzword in 2025 and became a fundamental component of federal infrastructure. However, the narrative shifted significantly from "adoption at all costs" to "governed innovation," where agencies demanded that mission value and risk management move in lockstep.

Agencies faced the complex challenge of leveraging LLMs and generative AI to improve citizen services while maintaining strict data privacy and security standards. We saw the emergence of robust AI governance frameworks tailored for the public sector. This is the year agencies began operationalizing NIST AI RMF principles within their development workflows, ensuring that both the models and the open source components powering them met consistent cybersecurity and ethical standards.

These frameworks prioritize the provenance of AI models, an understanding of the data sets used for training, and visibility into the open source components that underpin these tools.

The Role of Open Source in AI

The intersection of AI and open source became undeniable this year. The vast majority of modern AI development relies heavily on open source libraries and frameworks. For federal agencies, this reinforced the need for a comprehensive approach to open source management.

Agencies that succeeded in deploying AI this year were those that treated AI models like any other software component. They vetted them for vulnerabilities, monitored them for licensing issues, and ensured that their "AI supply chain" was as secure as their traditional software supply chain. This disciplined approach allowed forward-thinking agencies to accelerate AI pilots into production programs that are already streamlining operations and reducing administrative backlogs.

The Human Element: Empowering the Federal Workforce

Technology is only as effective as the people who wield it. A recurring theme in 2025 was the critical need to support the federal workforce, specifically the developers and security professionals tasked with protecting the nation’s digital infrastructure.

The "do more with less" mantra has plagued the public sector for decades. However, this year saw a breakthrough driven by developer productivity tools. By automating the mundane aspects of dependency management and vulnerability remediation, agencies gave their engineering teams the gift of time.

Bridging the Talent Gap

The cyber talent gap remains a challenge, but 2025 showed us that better tools can alleviate the pressure. When developers are not bogged down by manual component verification or chasing false positives, they can focus on high-value tasks that advance the agency's mission.

We also observed a cultural alignment between DevOps and Security teams. The friction that historically existed between these groups is dissolving. Shared visibility into the software supply chain has created a common language. When everyone works from the same set of data regarding component quality and security, collaboration replaces conflict. This cultural unity is perhaps the most understated achievement of the year.

Policy as a Driver for Innovation

Policy changes in 2025 continued to refine the "Secure by Design" philosophy. We saw a move toward holding software manufacturers more accountable for the security of their products, which inevitably impacted how the federal government procures software. Initiatives including SWFT and CMMC push defense contractors to operationalize secure software practices across the supply base.

Agencies are now demanding higher standards of evidence regarding the security practices of their vendors. This pressure has created a virtuous cycle: as the government demands better security, the private sector innovates to provide it. This has raised the bar for software quality across the board, benefiting not just federal agencies but the entire digital ecosystem.

Looking Ahead: 2026 and the Future of Federal Tech

As we look toward 2026, the foundation we built this year will serve as a launchpad for even greater advancements. The future of federal technology will be defined by resilience and velocity.

Automated Remediation at Scale

Next year, we anticipate a move toward fully autonomous remediation for low-risk vulnerabilities. As trust in automated governance grows, agencies will allow systems to self-heal, applying patches and updates to open source components without human intervention. This will free up human analysts to focus on complex, nation-state-level threats.

The Evolution of Zero Trust

Zero Trust architectures will continue to mature, extending deeper into the application layer. The focus will shift from securing the network perimeter to securing the code itself, including in highly restricted air-gapped environments. We expect to see "Policy-as-Code" become the standard for federal software development, ensuring that no line of code is deployed unless it meets rigorous security criteria.
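The two mechanisms this retrospective returns to, the exploitability-driven pivot described under "The Maturity of Software Supply Chain Security" (join component visibility with an exploited-vulnerability signal, identify impacted applications, prioritize) and the policy-as-code deployment gate described here, can be sketched in one small pipeline. The following is an added illustration, not code from the post or from Sonatype; the SBOM fragments, the advisory feed, the per-application `exposure` field, and the `POLICY` dictionary are all constructed for the example.

```python
"""Exploitability-driven prioritization plus a policy-as-code deploy gate over SBOM data.

Added example. The application inventory, advisory feed and policy below are constructed;
the "exposure" field is an assumed asset-context attribute, not part of CycloneDX.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed inventory: each application carries a minimal CycloneDX-style SBOM.
APPS = {
    "citizen-portal": {
        "exposure": "internet",
        "sbom": json.dumps({"bomFormat": "CycloneDX", "components": [
            {"name": "log-utils", "version": "2.14.0", "purl": "pkg:maven/example/log-utils@2.14.0"},
            {"name": "webframe", "version": "1.3.1", "purl": "pkg:pypi/webframe@1.3.1"},
        ]}),
    },
    "batch-reporter": {
        "exposure": "internal",
        "sbom": json.dumps({"bomFormat": "CycloneDX", "components": [
            {"name": "webframe", "version": "1.3.1", "purl": "pkg:pypi/webframe@1.3.1"},
            {"name": "jsonparse", "version": "0.9.2", "purl": "pkg:npm/jsonparse@0.9.2"},
        ]}),
    },
}

# Constructed advisory feed; "exploited" stands in for a known-exploited-vulnerability signal.
ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:maven/example/log-utils@2.14.0", "cvss": 9.8, "exploited": True},
    {"id": "ADV-0002", "purl": "pkg:pypi/webframe@1.3.1", "cvss": 7.5, "exploited": False},
    {"id": "ADV-0003", "purl": "pkg:npm/jsonparse@0.9.2", "cvss": 5.3, "exploited": False},
]

# Assumed policy-as-code: block on exploited findings or CVSS above the cap,
# unless the advisory has a documented, accepted risk.
POLICY = {"block_exploited": True, "max_cvss": 9.0, "accepted_risks": {"ADV-0002"}}


@dataclass(frozen=True)
class Finding:
    app: str
    exposure: str
    advisory: str
    purl: str
    cvss: float
    exploited: bool


def components(sbom_json: str) -> set[str]:
    """Return the package URLs listed in a CycloneDX-style SBOM document."""
    bom = json.loads(sbom_json)
    return {c["purl"] for c in bom.get("components", []) if "purl" in c}


def find_impacted(apps: dict, advisories: list[dict]) -> list[Finding]:
    """Join the advisory feed against every application's SBOM (the 'are we exposed?' step)."""
    by_purl: dict[str, list[dict]] = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for app, meta in apps.items():
        for purl in components(meta["sbom"]):
            for adv in by_purl.get(purl, []):
                findings.append(Finding(app, meta["exposure"], adv["id"], purl, adv["cvss"], adv["exploited"]))
    return findings


def impacted_apps(findings: list[Finding], advisory_id: str) -> set[str]:
    """Which applications carry the component named by an advisory."""
    return {f.app for f in findings if f.advisory == advisory_id}


def priority(f: Finding) -> str:
    """Exploitability first, then asset exposure, then raw severity."""
    if f.exploited and f.exposure == "internet":
        return "P1"
    if f.exploited or f.cvss >= 9.0:
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def remediation_queue(findings: list[Finding]) -> list[Finding]:
    """Order work so exploited, exposed findings are fixed first."""
    return sorted(findings, key=lambda f: (priority(f), -f.cvss, f.app))


def deploy_allowed(app: str, findings: list[Finding], policy: dict) -> tuple[bool, list[str]]:
    """Policy-as-code gate: returns (allowed, reasons) for one application's release."""
    reasons = []
    for f in findings:
        if f.app != app or f.advisory in policy["accepted_risks"]:
            continue
        if policy["block_exploited"] and f.exploited:
            reasons.append(f"{f.advisory} on {f.purl} is actively exploited")
        elif f.cvss > policy["max_cvss"]:
            reasons.append(f"{f.advisory} on {f.purl} has CVSS {f.cvss} above {policy['max_cvss']}")
    return (not reasons, reasons)


if __name__ == "__main__":
    found = find_impacted(APPS, ADVISORIES)
    for f in remediation_queue(found):
        print(priority(f), f.app, f.advisory, f.purl)
    for name in APPS:
        print(name, deploy_allowed(name, found, POLICY))
```

The ordering key makes the stated priority explicit: an exploited vulnerability on an internet-facing application outranks a higher-scoring but unexploited one, which is the "exploitability drives the clock" posture the post describes. The gate deliberately honours an accepted-risk list so that a documented exception, rather than a manual override, is the only way a flagged component reaches production.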

Continuous Authority to Operate (cATO)

The traditional Authority to Operate (ATO) process has often been a long, paperwork-heavy burden, but it will continue its evolution toward Continuous ATO (cATO). By leveraging real-time monitoring of the software supply chain, agencies will maintain a continuous state of compliance. This will dramatically reduce the time it takes to get new software into the hands of the warfighter and the civil servant.

The achievements of 2025 prove that the federal government is capable of moving with the speed and precision of the private sector, without compromising on the security required for public trust. By continuing to embrace open innovation, trusting in data-backed decision-making, and prioritizing the security of our software supply chains, the federal sector is well-positioned to meet the mission requirements of tomorrow.

Here is to a secure, innovative, and impactful 2026.

To hear more perspective on these topics, watch the following conversation with Jay Kalath, CEO of Allied Mission Group, as he explores the challenges and opportunities facing federal leaders in the year ahead:


Written by Antoine Harden

Antoine Harden brings 25 years of public-sector technology leadership spanning Oracle, CA Technologies, Google, Elastic, and startups like Imperva and Exabeam, to his current role leading Sonatype's federal efforts. He combines strategic insight into federal procurement and mission requirements ...
