Securing the AI Stack for Federal Missions

By Antoine Harden


The federal government is at a pivotal moment in understanding how to effectively bring the transformative power of AI to bear on mission assurance. Modernizing the software pipelines of government agencies and the contractors serving them is necessary to create better experiences for people accessing vital services like housing assistance, student aid, or medical benefits. Just as importantly, responsible AI adoption in the service of our national defense is foundational to our ability to innovate quickly while maintaining a strong cybersecurity posture.

In this blog, we explore how mission assurance can be an accelerator with automated compliance checks that speed up ATO timelines, risk-based controls that focus on critical threats, and transparency that fosters trust among agencies, contractors, and oversight bodies.

Understanding Federal Supply Chain Risks and the Legislative Push to Shift Left

Just like virtually every other sector, government agencies are off and running with AI and its seemingly limitless potential. But while the world is adjusting to this disruption, many organizations lack the expertise to stay secure in the rush. The use of third-party data and pre-trained models can introduce hidden vulnerabilities. Opaque algorithms undermine traceability, and model drift can turn a previously validated system into a liability. Without clear provenance and ongoing oversight, these systems can drift, bias can creep in, and vulnerabilities can be exploited. Just like we saw with open source, AI is making tools more accessible, but also introducing vulnerabilities that adversaries are quick to exploit. Every application is just one bad model from being front-page news. Or worse, a congressional hearing.

It has long been Sonatype's perspective that solving these challenges would be an industry-wide effort, including direct government involvement. We've been following the emergence of global cybersecurity regulations for a while, and welcome their role in catalyzing more secure development. Mandates like Executive Order 14028, Improving the Nation's Cybersecurity, and the Department of Defense's SWFT initiative are shaping the way federal agencies approach development and emphasizing the shift of security practices earlier in the process.

Agencies that align proactively with these requirements gain speed and resilience. By embedding controls and evidence generation into pipelines, compliance becomes a natural outcome of disciplined engineering, rather than a last-minute scramble.

AI Presents an Opportunity to Get Back to Basics

We need to think about AI the same way we think about open source. In many ways, they're the same: a community of people building large language models that the rest of us tap into. Just as we learned with open source, we should extend software composition analysis to include AI for a holistic view of our CI/CD pipelines. Making it part of continuous monitoring and standard operating procedures ensures your software is delivered faster, more efficiently, and more securely.

And importantly, it's a principle we're already familiar with.

While the raft of cybersecurity legislation specifies what needs to be done, it often lacks (by design) direction on how to accomplish these goals. That's where SWFT steps in for the DoD, offering actionable frameworks to address compliance and security priorities. We expect this trend to follow the pattern of earlier programs like Continuous Diagnostics and Mitigation (CDM), launched in 2012 to protect federal civilian computer systems and networks. CDM started by requiring organizations to have visibility into their networks, control access, monitor threats, and patch vulnerabilities. Over time, the program matured to offer specific solutions so agencies could measure and report risks in a standardized manner.

Sonatype's approach to securing the AI stack for federal missions is the same as our approach to open source in general. Our model is about ensuring trust, traceability, and governance across the entire software supply chain. We've been leading the charge in this area for years, and sound CI/CD practices will keep any organization secure, resilient, and ahead of the game.

Comprehensive Data Superiority and Automation as a Force Multiplier

Every AI decision is only as good as the data it learns from. Vetting datasets for origin, transparency, and integrity is mission-critical. This means validating that datasets have not been manipulated, contain no hidden biases, and are sourced from trusted providers. Automation can dramatically reduce the manual burden here, continuously monitoring incoming data for anomalies or unauthorized changes. Sonatype's data sets are the most precise and complete in the industry, offering unparalleled value to our customers. This stems from our foundational expertise and resources, including Maven Central, which allows us to deliver cutting-edge, up-to-the-minute insights.

By continuously uncovering new risks and identifying potential breaches, like the recent discovery of more than 200 unique malware packages attributed to the North Korea-backed Lazarus Group, we provide organizations with actionable intelligence. This proactive approach is ingrained in our DNA, ensuring that we remain a trusted partner for addressing the evolving challenges of software security and innovation.

Data superiority, coupled with effective automation, means security reviews no longer turn into bottlenecks. Automation can execute compliance checks and dependency scans in real time, allowing agencies to meet speed-to-mission demands without cutting corners. Today's authority to operate (ATO) process can be an 18-month saga, which is an eternity for organizations responsible for national defense, space exploration, or emergency management. Beyond the life-and-death stakes of these systems, a tool may be obsolete by the time it's approved. Automation can handle large portions of the required control checks, leaving only a fraction for manual review. This reduces human error and enables operators to get systems into users' hands faster by augmenting the ATO process.

Building Trust and Traceability in AI Supply Chains

By addressing these realities with automation that validates datasets and enforces policy, SBOMs that map model lineage and dependencies, and governance that monitors models in production, agencies can maintain both trust and velocity. When done correctly, mission assurance becomes an accelerator. Automated compliance checks shorten ATO timelines. Risk-based controls focus on the highest-impact threats. Transparency builds confidence across agencies, contractors, and oversight bodies.
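As an added illustration of the dataset vetting described in the previous section and the model-lineage SBOM named here (example code written for this post, not Sonatype's product or code, and using a hypothetical manifest format): a pipeline check that re-hashes each dataset and model against the digest recorded at vetting time, enforces a trusted-provider allowlist, flags dependencies the manifest does not document, and walks the recorded lineage for a traceability report.

```python
import hashlib
# Constructed inputs for this example: artifact bytes as an agency might fetch them,
# plus the providers that policy allows as sources.
ARTIFACTS = {
    "training-set-v3": b"id,label\n1,approved\n2,denied\n",
    "base-model": b"\x00weights-v1\x00",
    "fine-tuned-model": b"\x00weights-v1-ft\x00",
}
TRUSTED_PROVIDERS = {"agency-data-office", "vetted-model-hub"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# SBOM-style lineage manifest (hypothetical format): per component, its provider,
# the digest captured when it was vetted, and the components it was derived from.
MANIFEST = [
    {"name": "training-set-v3", "provider": "agency-data-office",
     "sha256": sha256_hex(ARTIFACTS["training-set-v3"]), "depends_on": []},
    {"name": "base-model", "provider": "vetted-model-hub",
     "sha256": sha256_hex(ARTIFACTS["base-model"]), "depends_on": []},
    {"name": "fine-tuned-model", "provider": "vetted-model-hub",
     "sha256": sha256_hex(ARTIFACTS["fine-tuned-model"]),
     "depends_on": ["base-model", "training-set-v3"]},
]

def verify(manifest, artifacts, trusted):
    """Policy check for every pipeline run; an empty list means the lineage is clean."""
    names = {c["name"] for c in manifest}
    findings = []
    for c in manifest:
        if c["provider"] not in trusted:
            findings.append(f"{c['name']}: untrusted provider {c['provider']}")
        # A missing artifact hashes as empty bytes and so also reports a mismatch.
        if sha256_hex(artifacts.get(c["name"], b"")) != c["sha256"]:
            findings.append(f"{c['name']}: digest mismatch (changed since vetting)")
        for dep in c["depends_on"]:
            if dep not in names:
                findings.append(f"{c['name']}: undocumented dependency {dep}")
    return findings

def lineage(manifest, name, seen=None):
    """Ancestors of `name`, deepest first, for traceability reports (run after verify passes)."""
    by_name = {c["name"]: c for c in manifest}
    seen = set() if seen is None else seen
    order = []
    for dep in by_name[name]["depends_on"]:
        if dep not in seen:
            seen.add(dep)
            order += lineage(manifest, dep, seen) + [dep]
    return order
```

Re-running `verify` on every fetch is what turns a one-time vetting into continuous monitoring: a silently replaced dataset or a model pulled from an unapproved hub fails the check before it reaches training or deployment.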

When it comes to AI adoption in federal missions, we know what works because we're already doing it. Starting in September, I'll be kicking off a blog series here that will highlight how federal agencies and contractors can balance mission assurance with speed and innovation. To learn more about how federal agencies navigate AI/ML adoption, check out our recent webinar, "Securing the AI Supply Chain: Federal Strategies for Safe and Compliant Adoption," where some of the industry's leading experts discussed key challenges in this area.

Written by Antoine Harden

Antoine Harden brings 25 years of public-sector technology leadership spanning Oracle, CA Technologies, Google, Elastic, and startups like Imperva and Exabeam, to his current role leading Sonatype's federal efforts. He combines strategic insight into federal procurement and mission requirements ...