The Department of Defense (DoD) faces the dual imperative of accelerating technology adoption to maintain operational advantage while also hardening systems against increasingly sophisticated cyber threats.
Meeting both demands requires a shift in how cybersecurity is designed, implemented, and governed.
Integrating Modular Open Systems Approach (MOSA) principles with the DoD Risk Management Framework (RMF) is more than a modernization exercise. It's a mission-critical alignment of two complementary philosophies. One is focused on agility and interoperability, the other on disciplined assurance. Together, they form the basis for a faster, more resilient approach to cybersecurity across the defense enterprise.
What Is the Modular Open Systems Approach (MOSA)?
MOSA is an acquisition and design strategy based on the idea that open standards and modular architectures make it possible for systems to evolve as technology and mission needs change. This approach encourages interoperability, innovation, and reduced lifecycle costs by ensuring system components can be developed, tested, and replaced independently.
Rather than locking a platform into a single vendor or monolithic software stack, MOSA promotes open interfaces and well-defined modules. These characteristics allow new capabilities to be integrated rapidly and securely, provided they adhere to established standards and verification criteria.
The DoD formalized MOSA requirements in 10 U.S.C. 2446a–c and DoDI 5000.88, mandating their use across major defense acquisition programs. The intent is not simply architectural flexibility, but also security resilience through transparency and component traceability.
Today's DoD Risk Management Framework (RMF)
The Risk Management Framework (RMF) is still the backbone of DoD cybersecurity governance. Implemented via DoDI 8510.01 and derived from NIST SP 800-37 Rev. 2, it provides a structured process for assessing, authorizing, and continuously monitoring information systems. It ensures that every system handling DoD data meets defined confidentiality, integrity, and availability standards.
But, in practice, RMF implementation often struggles to keep pace with modern development cycles. Programs may spend months or even years pursuing a single Authority to Operate (ATO), only for that authorization to become stale as software changes. This static model can slow innovation and impede mission responsiveness.
The current RMF process was designed for discrete, long-lived systems rather than continuously evolving software environments.
Three recurring challenges stand out:
- Lengthy ATO Timelines: The documentation and testing required for each new baseline can delay deployment of critical capabilities.
- Point-in-Time Assessments: Once authorization is achieved, security validation is often frozen, leaving gaps between updates.
- Administrative Overhead: Manual evidence collection and disconnected toolchains impose heavy workloads on program and contractor teams.
The result is predictable. Security becomes a compliance exercise instead of an enabler of agility and assurance.
How MOSA Can Modernize the RMF
MOSA's modular architecture provides a technical foundation for transforming RMF from a static, system-level certification process into a dynamic, component-level security practice. By defining clear boundaries and standardized interfaces, MOSA allows security controls to be applied, tested, and monitored at the module level.
When each component is independently verified and continuously monitored, system authorization can evolve incrementally rather than in monolithic steps. This shift supports continuous authorization to operate (cATO), a model already recognized as essential to accelerating secure delivery.
Driving Interoperability and Secure Integration
A modular system simplifies integration risk. Each component carries its own documented security characteristics, ideally supported by an open-standard interface description and a maintained Software Bill of Materials (SBOM). Assessors can then evaluate interoperability based on verifiable control inheritance rather than redundant testing.
For example, a flight-line analytics tool that uses a pre-approved data-ingestion component does not need to re-establish every control from scratch. Instead, it can inherit validated protections through the MOSA interface definition. This approach aligns directly with NIST's emphasis on security control inheritance and can reduce both time and cost of RMF authorization activities.
Enabling Continuous Authorization (cATO)
Continuous ATO extends RMF into a living process. In a modular, DevSecOps environment, automated pipelines test, verify, and report control compliance with every build. When combined with MOSA, this means each module, whether software, container image, or microservice, maintains its own compliance posture, traceable to authoritative baselines.
The Air Force Platform One initiative and the Navy's Black Pearl platform are good examples of how DevSecOps and modular architectures can maintain continuous monitoring without sacrificing rigor. Applying those lessons at scale across DoD systems will depend on MOSA's structured modularity and consistent data exchange standards.
Accelerating Innovation with Secure, Reusable Components
MOSA's emphasis on reusability aligns with the concept of a secure component marketplace. Each module that has undergone RMF assessment becomes a reusable building block for future systems. Program offices can compose new capabilities from pre-authorized components, dramatically shortening the time from concept to deployment while preserving a trusted security baseline.
This reuse model also encourages stronger vendor accountability. Contractors who deliver secure, well-documented modules increase their competitive advantage by enabling faster integration for government customers.
Sonatype Nexus Repository and Sonatype Lifecycle already support this modular vision by providing a central source of truth for open-source and proprietary components. Within a MOSA framework, these tools allow programs to define and enforce software supply chain baselines, track provenance through automated SBOM generation and continuous monitoring, and reuse authorized components across multiple systems without rework.
This creates the foundation for a "trusted component marketplace," where modules are not just reusable but verifiably secure, a key enabler for RMF acceleration and continuous authorization.
A Roadmap for Federal Stakeholders
For Federal Agencies and Program Offices
- Integrate MOSA into Acquisition Requirements. Explicitly require modular design and open interfaces in Requests for Proposals, ensuring new systems can participate in component-level authorization.
- Adopt DevSecOps Platforms that Support Continuous Monitoring. Tools that automate vulnerability scanning, configuration validation, and control evidence generation are essential for sustaining cATO.
- Champion cATO Pilots. Start with lower-risk systems to prove the viability of modular authorization. Document metrics such as time-to-deploy and defect reduction to support broader adoption.
- Invest in Workforce Training. RMF practitioners, cybersecurity assessors, and acquisition professionals need a common understanding of how MOSA changes roles and responsibilities.
For Federal Contractors and the Defense Industrial Base
- Develop Reusable Secure Components. Design software with well-defined boundaries and documentation that supports inheritance of RMF controls.
- Maintain a Living SBOM. A machine-readable SBOM aligned with NTIA and CISA guidance enables transparency and accelerates security validation.
- Automate Security Evidence Generation. Embed compliance checks directly into CI/CD pipelines to provide auditable, continuous proof of control effectiveness.
- Collaborate Early. Engage Authorizing Officials and system integrators during design, not after delivery, to align on expectations for modular certification.
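A concrete form of the "living SBOM" and "automated evidence" items above, as an added example that is not Sonatype's code or any real program's SBOM: a pipeline gate that validates a constructed CycloneDX-style SBOM against the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp). The sample SBOM, its component names and the field choices are assumptions for illustration.

```python
import json
from datetime import datetime

# Constructed sample SBOM in CycloneDX-style JSON (not any real program's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"timestamp": "2024-05-01T12:00:00Z",
                 "authors": [{"name": "example-ci-pipeline"}],
                 "component": {"bom-ref": "app", "name": "flightline-analytics", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "ingest", "name": "data-ingestion", "version": "1.4.2",
         "supplier": {"name": "Example Vendor"}, "purl": "pkg:generic/data-ingestion@1.4.2"},
        # Deliberately incomplete entry: no version, no identifier, absent from the graph.
        {"bom-ref": "parser", "name": "json-parser", "supplier": {"name": "Example Vendor"}},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["ingest"]}],
})


def check_ntia_minimum_elements(sbom_json: str) -> list[str]:
    """Return one finding per missing NTIA minimum element; an empty list passes."""
    bom = json.loads(sbom_json)
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("authors"):                       # author of SBOM data
        findings.append("metadata: missing SBOM author")
    try:                                              # timestamp must be ISO 8601
        datetime.fromisoformat(meta.get("timestamp").replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        findings.append("metadata: missing or invalid timestamp")
    in_graph = set()                                  # every ref named in a relationship
    for dep in bom.get("dependencies", []):
        in_graph.add(dep.get("ref"))
        in_graph.update(dep.get("dependsOn", []))
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            findings.append(f"{ref}: missing component name")
        if not comp.get("version"):
            findings.append(f"{ref}: missing version")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("hashes")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe/hash)")
        if ref not in in_graph:
            findings.append(f"{ref}: not present in dependency relationships")
    return findings


def sbom_gate_passes(sbom_json: str) -> bool:
    """CI/CD gate: fail the build when any minimum element is missing."""
    return not check_ntia_minimum_elements(sbom_json)
```

Run against the sample, the gate fails on the incomplete "parser" entry and reports exactly which elements the vendor must supply before the module can be treated as evidence for control inheritance.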
Building the Future of Mission-Ready Systems
Integrating MOSA and RMF is not about replacing one framework with another. It is about merging their strengths, MOSA's openness and modularity with RMF's rigor and accountability, to achieve continuous, measurable assurance.
This alignment allows the DoD to shift from episodic authorization toward ongoing trust validation. It enables rapid capability delivery without compromising the integrity of systems that protect national security.
The cultural change required is substantial. It demands leadership commitment, disciplined automation, and shared responsibility across government and industry. But the payoff is equally significant: a defense ecosystem that can adapt at the speed of technology while maintaining the highest security standards.
By building security into every component, we build trust into the mission itself. In an era where both threats and technologies evolve daily, that trust is the true foundation of readiness.
Tom Tapley specializes in securing software supply chains for Federal environments, bringing deep expertise in aligning agency security, compliance, and operational requirements with modern technology solutions. With a proven track record in supporting mission-critical systems, he bridges the gap ...