//
Air Force Issues New Guidance on SaaS Procurement, Usage
Published on
Department of the Air Force logo. DAF issued a new memorandum classifying SaaS as a commodity-based subscription service.

The Department of the Air Force has issued a new memorandum that classifies software as a service as a commodity-based subscription service rather than a licensed software asset.

In a LinkedIn post, the DAF chief information officer said the policy change shifts the department’s focus to usage, consumption and performance, unlocking real-time visibility into SaaS utilization, centralized procurement and cost control, stronger alignment with zero trust and data ownership mandates, and reduced sustainment burden on the workforce.

Unlike traditional licenses, which grants ownership of the product, SaaS provides only access to applications. That distinction, according to the memo, makes it critical for the service to closely monitor usage, consumption and associated costs.

The directive outlines new standards for acquiring, managing and tracking SaaS across the Air Force enterprise. By tightening procurement rules and mandating enterprise-level oversight, the service aims to improve cost control, strengthen data governance and ensure consistent security practices for cloud-based platforms that support mission operations.

Centralized Procurement and Oversight

To eliminate fragmented purchases, SaaS subscriptions may no longer be added as contract line items or other direct costs under larger agreements. Instead, they must be procured through separate contracting actions or established enterprise vehicles. Program offices are directed to check the Enterprise Service Catalog before pursuing new subscriptions, with exceptions requiring approval from the Air Force CIO.

Data Control and Usage Tracking

Vendors must guarantee government ownership of all data created under SaaS agreements and provide near-real-time reporting on subscriptions and usage. This approach is intended to provide leaders with visibility at both the individual and enterprise levels.

Monitoring and Platform Health

The guidance requires tracking of usage against purchased quantities, allocations and consumption rates. If demand exceeds contracted levels, adjustments must be coordinated with the CIO. Vendors are also required to support platform health checks at no additional cost, covering areas such as security patching, user activity and compliance.

Limits on Customization

The memo clarifies that while the basic configuration of SaaS platforms is permitted, custom code or unapproved modifications are not. Any expanded functionality must receive prior approval from the CIO to prevent security risks and ensure uniformity.

Alignment With Defense Acquisition Policy

SaaS offerings supporting mission operations will be governed as Defense Business Systems or National Security Systems, ensuring compliance with Department of Defense acquisition and lifecycle management standards.

/
NIST Releases Draft Guidance on Securing Controlled Unclassified Information for Public Comments
Published on
National Institute of Standards and Technology's logo. NIST published drafts of its proposed guidance for securing CUI

The National Institute of Standards and Technology has published drafts of new guidance for securing controlled unclassified information, or CUI.

The agency is seeking public feedback on Special Publications 800-172r3, or Enhanced Security Requirements for Protecting Controlled Unclassified Information, and 800-172Ar3, or Assessing Enhanced Security Requirements for Controlled Unclassified Information.

The drafts represent the third revision of the guidance, which NIST began updating in 2024.

The documents provide enhanced security requirements and flexible assessment procedures for upholding the confidentiality, integrity and availability of CUI in nonfederal systems and organizations.

What NIST Wants to Know

The agency is specifically seeking feedback and recommendations in three topics: new enhanced security requirements aimed at protecting critical systems and high-value assets, the mappings between security requirements and the SP 800-160 protection strategies and adversary effects, and the overall usefulness of the supplementary appendices.

Interested parties may submit their comments on both drafts until Nov. 14.

/
OMB Orders Agencies to Begin Implementation of Government Shutdown Plans as Funding Expires
Published on
OMB Director Russell Vought. Vought issued a memo to prepare agencies for the federal government's shutdown.

The White House’s Office of Management and Budget has ordered federal agencies to begin implementing plans to suspend functions. In a memorandum issued to executive department and agency leaders, Russell Vought, director of OMB, also warned that it will be difficult to predict how long the government shutdown will last, adding that officials must closely monitor developments. 

Vought added that his office will publish another memorandum for the resumption of government operations as soon as an appropriations bill is signed by the president. 

US Government Shuts Down 

The federal government officially shut down on Wednesday, after the Full-Year Continuing Appropriations and Extensions Act of 2025 expired without Congress passing a clean continuing resolution to fund operations. 

On Sept. 19, the House of Representatives passed H.R. 5371 to provide funding that would keep government programs and services running through Nov. 21, but Senate Democrats have opposed the bill to call for allotments for healthcare subsidies that are due to expire in the coming months under the Affordable Care Act. 

The Associated Press reported that about 750,000 federal workers are expected to be furloughed due to the government shutdown. 

Not all agencies will cease operations. The Medicare and Medicaid health care programs will continue, albeit with a reduced workforce, which could mean delays in services. The Department of Defense and the Department of Homeland Security will also remain operational.

/
NSF Launches $12M Safe-OSE Initiative, Funds 8 Projects
Published on
NSF logo. The National Science Foundation has launched the Safe-OSE initiative and awarded eight research projects.

The National Science Foundation has awarded up to $12 million to eight research teams through the recently launched Safety, Security and Privacy of Open-Source Ecosystems, or Safe-OSE, investment.

NSF said Monday the initial cohort will address critical vulnerabilities in open-source software and its deployment pipelines, including code flaws, side-channel exploits and supply chain threats.

“Vulnerabilities in an open-source product can be exploited to attack users of the product. NSF is pleased to be investing in this portfolio to address critical risks before they can happen,” said Erwin Gianchandani, NSF assistant director for technology, innovation and partnerships.

Safe-OSE Awardees

Each project will receive up to $1.5 million over two years to bolster the resilience of critical open-source products and their continuous integration and deployment infrastructure. The teams will focus on fortifying systems used in artificial intelligence for cloud computing, medical records, national security, privacy infrastructure and other applications.

Awardees and their projects are:

  • The HDF Group: Enhance HDF5 to boost support for science, industry and national security.
  • Indiana University: Use AI to manage vulnerabilities and strengthen security in open-source cloud systems.
  • Indiana University: Build a secure community infrastructure for the Open Medical Records System.
  • The Tor Project: Strengthen privacy infrastructure to keep communications secure and anonymous.
  • University of Colorado Boulder: Enhance safety, security and privacy in the Community Earth System Model.
  • University of Colorado at Colorado Springs: Boost security in the TianoCore software ecosystem.
  • University of Virginia: Enhance the Tock embedded operating system’s security to protect trusted computing systems.
  • University of Wisconsin-Madison: Create scalable approaches to detect inconsistencies between Git commit messages and source code in open-source projects.
//
Army to Launch System Streamlining Foreign Military Sales Processes
Published on
Army logo. New service branch system to streamline foreign military sales processing

The U.S. Army will begin on Nov. 1 the official release of a newly developed system designed to improve its foreign military sales processes.

The launch follows the Friday completion of the initial capability deployment of the process called Foreign Military Sales – Army Case Execution System, or FMS-ACES, the service branch said Tuesday.

Learn more about FMS at the 2025 GovCon International and Global Defense Summit, a comprehensive Oct. 16 global GovCon networking conference.

System’s Development and Processes

The Army’s Program Executive Office Enterprise, in collaboration with several stakeholders, developed FMS-ACES using Agile methodologies. The system is a cloud-based, low-code software platform geared as a replacement for the Army’s 50-year-old, COBOL-based case management system non-compliant with audit systems. It will provide about 160 case officers at the U.S. Army Security Assistance Command with a full, timely and accurate look into the life cycle of FMS cases, according to the service branch.

The Army also noted that in its initial deployment, the new cloud-based system enabled officers to manage case implementation, execution, supply discrepancy reporting and closure. The process improved product tracking, transparency and feedback across the Army Security Assistance Enterprise, the service branch pointed out.

Official Comments on New FMS Process

Kelly Rutherford, FMS-ACES product lead at PEO Enterprise, acknowledged the teamwork behind the system’s development. “Modernization isn’t just about software—it’s about the people driving innovation to support our warfighters,” Rutherford stressed.

PEO Enterprise tasked two vendors April 2024 to develop FMS-ACES prototypes. The system came out on time and within budget for minimum viable capability release into the Army’s Software Acquisition Pathway, the service branch said.

The Army’s initiative is in line with a February announcement from Defense Secretary Pete Hegseth, a 2025 Wash100 Award winner, on Department of Defense plans for reforms on FMS processes for quicker execution and lesser red tape.

Army to Launch System Streamlining Foreign Military Sales Processes
//
Army Taps GDMS, Pacific Defense for CMFF Prototype Development
Published on
Army logo. The Army entered agreements with General Dynamics Mission Systems and Pacific Defense to build CMFF prototypes

The U.S. Army has signed new rapid prototype other transactional authority, also known as OTA, agreements with General Dynamics Mission Systems and Pacific Defense to build a chassis that would enable soldiers to plug and play capabilities into military vehicles.

Plug-and-Play Capabilities

The technology is dubbed CMFF, which is short for Command, Control, Computers, Communications, Cyber, Intelligence, Surveillance and Reconnaissance/Electronic Warfare Modular Open Suite of Standards Mounted Form Factor. It offers both hardware and software designed to converge multiple legacy systems into one chassis in ground and aviation platforms.

CMFF is equipped with power, networks and radio frequency to support Assured Position, Navigation and Timing; command and control; tactical communications waveforms; and force protection electronic attack systems.

Capabilities can be easily swapped to meet various mission requirements.

“CMFF will equip Soldiers in combat platforms with needed capabilities and do so in a way that is size and energy efficient, easy to use, and able to support new technologies as they emerge,” stated Mike Hartley, CMFF product manager at Program Executive Office for Command, Control, Communications and Network, or PEO C3N.

“CMFF offers flexibility, nests with the Next Generation Command and Control ecosystem, and is an important step in delivering capabilities at the speed of need,” added Brig. Gen. Shane Taylor, head of PEO C3N.

Prototype OTA Details

Under the agreements, GDMS and Pacific Defense will work separately on the CMFF chassis and the capability cards. The OTA also covers the provision of a ruggedized smart display or tablet that would interface with the chassis and continuous updates to the CMFF Software Infrastructure.

The technologies will be validated through laboratory and field-based risk reduction events, operational demonstrations, and soldier touch points.

//
CISA, UK NCSC Release Joint Guidance on Operational Technology Security
Published on
CISA logo. CISA and partners issued guidance to help organizations create a definitive view of their OT architecture.

The United Kingdom’s National Cyber Security Centre, in partnership with the Cybersecurity and Infrastructure Security Agency, the FBI and other international partners, has published new joint guidance aimed at helping organizations secure their operational technology environments.

The document, titled “Creating and Maintaining a Definitive View of Your Operational Technology Architecture,” builds on the recent Foundations for OT Cybersecurity: Asset Inventory Guidance and provides actionable steps to strengthen defenses against cyberthreats, CISA said.

CISA is a DHS agency. Potomac Officers Club’s 2025 Homeland Security Summit offers an inside look at the latest programs, technologies and strategies shaping America’s defense against evolving threats. Register to be part of the homeland security conversation.

CISA, UK NCSC Release Joint Guidance on Operational Technology Security

Building a Definitive OT Record

The guidance emphasizes that a central, authoritative record of an organization’s OT architecture is essential for effective risk management. The record should incorporate data from multiple sources, including asset inventories, vendor documentation and software bills of materials, to ensure accuracy and visibility across systems. Maintaining the record allows operators to identify vulnerabilities, understand interdependencies and prioritize protections for the most critical and exposed assets.

Architectural Controls and Standards Alignment

According to the guidance, organizations should implement strong architectural controls such as segmentation, zoning and access restrictions to protect critical OT systems. The measures should align with international standards like International Electrotechnical Commission 62443 for industrial control system security and International Organization for Standardization/IEC 27001 for information security management.

The document also highlights the need to manage third-party and supply chain risks by integrating supplier-provided data and patching requirements into the OT record.

CISA and its partners note that OT security is not a one-time exercise. To remain effective, the definitive OT record must be continuously updated through configuration management, monitoring and change management processes.

The guidance recommends fostering collaboration between IT and OT teams to align governance, security policies and incident response procedures.

Enabling Risk Reduction and Resilience

By maintaining an accurate and comprehensive view of OT environments, organizations are meant to be able to conduct more thorough risk assessments, address cost asymmetries between threats and defenses, and implement security controls more effectively.

According to the guidance, establishing a definitive OT record is a critical step toward reducing risk and strengthening resilience. It urges operators to adopt a proactive approach to safeguarding systems that are essential to national infrastructure.

//
NOAA Taps Raytheon for NEON Stratus Project Study
Published on
Irene Parker headshot. NESDIS official at NOAA, cited the goals of a study Raytheon will conduct for the Stratus project

The National Oceanic and Atmospheric Administration has tapped Raytheon for a mission design and feasibility study on weather imagery capabilities under its Near Earth Orbit Network, or NEON, Stratus project. 

The company will conduct the Stratus critical design review study under an other transaction agreement NOAA signed with Raytheon valued about $5.9 million, the agency said Friday. Raytheon’s CDR study will focus on a U.S. Space Force design adapted to NOAA’s requirements for Stratus.

Under NEON, low-Earth orbit environmental satellites will be launched for weather forecasting, environmental observation and public safety. The program also seeks to demonstrate faster data delivery through inter-satellite links and evaluate the benefits of quicker imagery refresh rates, particularly in the Arctic.

In addition, the project will provide hands-on experience on the procurement of commercially sourced spacecraft, instruments, launch services and ground operations.

Sharper Weather Imaging Via Commercial Services

Irene Parker, deputy assistant administrator for systems at the NOAA’s National Environmental Satellite, Data and Information Service, noted the agreement’s potential in advancing weather imagery, with Raytheon as commercial partner. 

“The Stratus project will help modernize NOAA’s observing systems by leveraging commercial best practices and cutting-edge technologies while allowing us to explore new acquisition strategies,” added Parker, who is also NOAA’s acting assistant administrator for satellite and information services.

/
GAO Report: ODNI Yet to Address Key Recommendations on Managing Workforce, Facilities
Published on
Logo of the Government Accountability Office. GAO issued a new report on the Office of the Director of National Intelligence

The Government Accountability Office has identified 44 previously issued recommendations that remain unresolved at the Office of the Director of National Intelligence. The congressional watchdog said in a report published Friday that addressing the open recommendations would improve workforce, intelligence enterprise, and infrastructure and facilities management

GAO Report: ODNI Yet to Address Key Recommendations on Managing Workforce, Facilities

Hear from senior ODNI leaders at the Potomac Officers Club’s 2025 Intel Summit on Oct. 2. The in-person event will feature panels on commercial and emerging technologies and threats relevant to the IC. Attendees will also have opportunities to network with government and industry leaders. Secure your tickets to the highly anticipated event today!

GAO Recommendations to ODNI

According to the report, GAO made a total of 122 recommendations to ODNI between July 2011 and September 2025. While the national intelligence director closed 59 percent of the recommendations, the office still lags behind the government-wide average of 70 percent. As of Sept. 15, 44 recommendations remain open or only partially addressed. 

GAO highlighted 14 that ODNI should prioritize, including ensuring that current and future IT systems used for personnel vetting maintain complete and accurate information. Another calls for new guidance on minimum specifications for accessibility concerns at entrances and within sensitive compartmented information facilities.

ODNI agreed with seven recommendations but did not comment on the others.

///
DIU Selects Anduril, Zone 5 to Prototype Counter-UAS Interceptors
Published on
Defense Innovation Unit logo. DIU selected Anduril and Zone 5 to prototype counter-UAS interceptors.

The Defense Innovation Unit has selected Anduril Industries and Zone 5 Technologies to develop prototype counter-unmanned aerial systems under the Counter NEXT program. The effort focuses on rapidly prototyping commercially derived interceptors that defeat Group 3 and larger threats, protect national airspace, and safeguard personnel, equipment and facilities.

The companies were chosen from more than 65 commercial and dual-use applicants, DIU said Monday, noting that Anduril and Zone 5 completed initial design and development sprints and baseline flight testing of their proposed counter-UAS products in less than a year. Based on data, warfighter feedback and lessons from the first sprint, Anduril and Zone 5 are making iterative improvements ahead of further flight testing and safety and qualification activities.

Counter-UAS Prototype Funding

Following the recent flight demonstrations, DIU awarded additional funding to both Anduril and Zone 5 to refine their prototypes, integrate with mission partners’ combat systems and complete the safety testing required prior to a planned live-fire test event in summer 2026. DIU said further flight testing and qualification work will take place in the months ahead.

Counter NEXT Focus Areas and Design Goals

Counter NEXT concentrates on several specific capability gaps: providing a deeper interceptor magazine to preserve higher-cost interceptors for the most demanding threats, simplifying and accelerating the reloading process, addressing the current cost asymmetry between threats and interceptors, and integrating prototype interceptors with existing combat systems. DIU said vendors are applying modern air vehicle design approaches so platforms are fit for purpose without using unnecessarily costly materials.

To reduce supply-chain risk and keep unit costs low, the prototypes use commercial off-the-shelf components where feasible. The systems are being built with a modular open systems architecture to enable rapid subsystem upgrades and easier integration as components improve. DIU said all solution elements will be qualified and certified to stringent military standards before fielding.

“The Counter NEXT project is focused on leveraging the best-in-breed commercially derived technology and processes to accelerate the development, production, and fielding of these vital Counter UAS interceptors to our warfighters,” said Joshua Zike, Counter NEXT program manager for DIU.  “While this solution is focused on a specific, pressing subset of the counter UxS problem set, variants for all domains should be developed and deployed to provide this vital layered kinetic counter UxS defeat capability to all our warfighters.” 

1 7 8 9 10 11 2,627