Adopted by dozens of federal agencies and companies across defense and intelligence spaces, the MITRE Security Automation Framework, or SAF, demystifies the complex cybersecurity compliance process, distilling it into streamlined tools and digestible guidance.

Reading Off the Same Sheet of Music: Government and Defense Contractors Unite to Secure Their Systems
The Department of Defense’s rigorous security standards can be daunting for contractors working with the department for the first time. MITRE’s Security Automation Framework (SAF) can help with that. The one-stop shop supports cybersecurity processes across the software development life cycle, from planning secure system design to analyzing operational security data.
SAF’s trove of resources is available to the open-source security community, providing value for both government agencies and industry. The framework boasts a high adoption rate among small firms and Fortune 50 federal contractors alike. Microsoft, Sophos, and Rancher Federal have gone so far as to integrate SAF tools directly into their in-house security processes, commercial offerings, and applications.
The SAF suite is vast and constantly evolving, but its promise is simple. “We’re demystifying the cybersecurity process,” says Aaron Lippold, a cyber engineer and chief architect of the framework.
Operating in a High-Bar Security Environment
Unsurprisingly, contractors providing software services to the DoD are held to high cybersecurity standards. Each software component needs its own secure configuration, and each of those configurations is governed by a strict set of guidelines.
In the DoD world, those standards are called Security Technical Implementation Guides, or STIGs. Years ago, the responsibility of STIG generation fell solely on the U.S. Defense Information Systems Agency (DISA), but as industry continued to innovate new software at a rapid clip, the process became unsustainable.
Lippold had a front seat to the software innovation revolution while working at DISA. His job was to create new processes, standards, and technologies to help teams struggling to generate STIGs in tandem with the myriad, complex products being churned out by federal contractors.
Picture: Lucille Ball trying to keep up with chocolates on the conveyor belt.
DISA pivoted accordingly, placing the onus on companies to write their own security guidance that Lippold and his colleagues would then peer review. The challenge evolved to: How do you enforce the security baseline cohesively?
What ensued was chaotic version control, laborious manual edits, and too many cooks in the kitchen using too many different words and methods to convey the same point.
Lippold recognized the need for both government and industry to get on the same page, and for the last 20 years, he’s dedicated his career to making it happen. In that time, he helped build many core technologies still in use by the DoD today and was an early adopter of DevOps/DevSecOps (a software development practice that improves collaboration and software delivery). At MITRE, he began to formally tackle the tall task of automating STIG compliance via SAF.
Enforcing Security Benchmarks
SAF provides a cross-connection point for the defense industrial base, the government, industry, and academia. It saves the time and money these organizations would otherwise spend developing their own security automation. “It prevents them from constantly reinventing the wheel,” says Will Dower, a MITRE SAF cybersecurity engineer.
Dower explains further: “If Army has already figured out how to enforce a security baseline, Navy doesn't necessarily know that.” That’s where SAF comes in. “It’s a high-quality open-source community around enforcing security benchmarks.”
Companies face the same set of challenges. How and where do you begin the dizzying process of securing your systems to DoD standards? Planning is a critical first step, says Lippold. “All automation starts with the blueprint and benchmarks defining what you are trying to meet,” he continues. “Once you figure out your gaps, you need guidance on how to properly write the document to fill them.”
Breaking Security Guidance Down into Actionable Steps
The framework is broken down into five pillars: plan, harden, validate, normalize, and visualize, each of which is bolstered by applications that prop up the objectives at hand. Users are invited to jump in at any point of the software life cycle that suits their needs at a given moment, utilizing the tools in concert or as standalone solutions.
Josh Bressers, vice president of security at Anchore, summed it up in a recent blog post. “[SAF] is designed to simplify STIG compliance by translating DISA guidance into actionable steps.”
Among the tools is a validation library populated with published code for problems the SAF team has already fixed. “These tools completely sidestep what would be months-long acquisitions and development processes, because the problem is already solved and documented,” explains Dower.
SAF’s “normalize” function addresses data management issues. “We have written code that can convert common commercial cybersecurity scanning tool formats into a single, MITRE-defined data format, called the OASIS Heimdall Data Format,” Dower says. The goal is for SAF’s data language to become the standard exchange format recognized internationally.
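To make the “normalize” step concrete, here is an added example (my own code, not MITRE SAF’s converters or the real `saf` CLI) that takes two constructed scanner reports, each with its own vocabulary for results and severity, maps both onto one InSpec-style result schema, and then applies a pass/fail threshold of the kind the “validate” step would use. The target schema is a hand-picked subset of the InSpec JSON shape that the Heimdall Data Format builds on (profiles, controls, results, impact on a 0.0–1.0 scale); real HDF carries many more fields, and the two input formats, the status code meanings, and the severity-to-impact mapping are all assumptions made for the example.

```python
"""Normalize two constructed scanner reports into one InSpec-style result
schema and score the merged result against a pass threshold.

Added example, not MITRE SAF code. The target schema is a reduced subset of
the InSpec JSON shape the Heimdall Data Format builds on; real HDF carries
more fields. Input formats, status codes and severity mappings are assumed.
"""
import json

# Constructed sample: a scanner that reports PASS/FAIL words and named severities.
TOOL_A_REPORT = {
    "scanner": "tool-a",
    "host": "web01.example.internal",
    "findings": [
        {"rule": "SV-1001", "name": "SSH root login disabled", "result": "PASS", "severity": "high"},
        {"rule": "SV-1002", "name": "Password max age set", "result": "FAIL", "severity": "medium",
         "detail": "PASS_MAX_DAYS is 99999"},
        {"rule": "SV-1003", "name": "Audit daemon enabled", "result": "FAIL", "severity": "high",
         "detail": "auditd is inactive"},
        {"rule": "SV-1004", "name": "FIPS mode enabled", "result": "NOT_APPLICABLE", "severity": "low"},
    ],
}

# Constructed sample: a scanner that reports numeric result codes and CVSS-like scores.
TOOL_B_REPORT = {
    "product": "tool-b",
    "target": "web01.example.internal",
    "checks": [
        {"id": "CHK-7", "title": "TLS 1.0 disabled", "status": 0, "cvss": 7.5},
        {"id": "CHK-8", "title": "Default admin account removed", "status": 1, "cvss": 9.8,
         "evidence": "account 'admin' still present"},
        {"id": "CHK-9", "title": "Telnet service removed", "status": 2, "cvss": 5.0},
    ],
}

# Assumed mapping of named severities onto InSpec's 0.0-1.0 impact scale.
SEVERITY_TO_IMPACT = {"low": 0.3, "medium": 0.5, "high": 0.7, "critical": 0.9}


def severity_bucket(impact: float) -> str:
    """Bucket an impact value using the ranges InSpec documents for its impact field."""
    if impact >= 0.9:
        return "critical"
    if impact >= 0.7:
        return "high"
    if impact >= 0.4:
        return "medium"
    return "low"


def _control(cid, title, impact, tool, status, desc, message=""):
    """Build one control in the reduced InSpec-style shape used by this example."""
    result = {"status": status, "code_desc": desc}
    if message:
        # InSpec puts failure detail in "message" and skip reasons in "skip_message".
        result["skip_message" if status == "skipped" else "message"] = message
    return {
        "id": cid,
        "title": title,
        "impact": round(impact, 2),
        "tags": {"source_tool": tool, "severity": severity_bucket(impact)},
        "results": [result],
    }


def normalize_tool_a(report: dict) -> dict:
    """Map tool A's PASS/FAIL/NOT_APPLICABLE vocabulary onto passed/failed/skipped."""
    status_map = {"PASS": "passed", "FAIL": "failed", "NOT_APPLICABLE": "skipped"}
    controls = []
    for f in report["findings"]:
        status = status_map.get(f["result"], "skipped")  # unknown words are not silently counted as passes
        if status == "failed":
            message = f.get("detail", "")
        elif status == "skipped":
            message = f"scanner result {f['result']} not evaluated"
        else:
            message = ""
        impact = SEVERITY_TO_IMPACT[f["severity"].lower()]
        controls.append(_control(f["rule"], f["name"], impact, report["scanner"], status, f["name"], message))
    return {"name": report["scanner"], "controls": controls}


def normalize_tool_b(report: dict) -> dict:
    """Map tool B's numeric codes (assumed: 0 = passed, 1 = failed, else did not run) and CVSS scores."""
    controls = []
    for c in report["checks"]:
        code = c["status"]
        status = "passed" if code == 0 else "failed" if code == 1 else "skipped"
        if status == "failed":
            message = c.get("evidence", "")
        elif status == "skipped":
            message = f"check did not run (status code {code})"
        else:
            message = ""
        impact = max(0.0, min(1.0, c["cvss"] / 10.0))  # CVSS 0-10 scaled onto the 0.0-1.0 impact range
        controls.append(_control(c["id"], c["title"], impact, report["product"], status, c["title"], message))
    return {"name": report["product"], "controls": controls}


def to_hdf(target: str, *profiles: dict) -> dict:
    """Assemble normalized profiles into one document for the target host."""
    return {"platform": {"name": target}, "profiles": list(profiles)}


def summarize(hdf: dict) -> dict:
    """Count control outcomes and break failures down by severity bucket."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    failed_by_severity = {b: 0 for b in ("low", "medium", "high", "critical")}
    for profile in hdf["profiles"]:
        for control in profile["controls"]:
            statuses = {r["status"] for r in control["results"]}
            # A control fails if any result failed; otherwise a pass outranks a skip.
            status = "failed" if "failed" in statuses else "passed" if "passed" in statuses else "skipped"
            counts[status] += 1
            if status == "failed":
                failed_by_severity[control["tags"]["severity"]] += 1
    return {**counts, "failed_by_severity": failed_by_severity}


def meets_threshold(summary: dict, max_failed: dict) -> bool:
    """max_failed maps a severity bucket to the highest failed count tolerated for it."""
    return all(summary["failed_by_severity"][bucket] <= limit for bucket, limit in max_failed.items())


if __name__ == "__main__":
    hdf = to_hdf("web01.example.internal", normalize_tool_a(TOOL_A_REPORT), normalize_tool_b(TOOL_B_REPORT))
    print(json.dumps(hdf, indent=2))
    summary = summarize(hdf)
    print(summary)
    print("gate passed:", meets_threshold(summary, {"critical": 0, "high": 0}))
```

The point worth noticing is that once both reports share one schema, the threshold check and any dashboard only have to understand one status vocabulary and one severity scale; the per-tool quirks (word versus numeric results, named severity versus CVSS score) are dealt with once, in the converter, and an unrecognized status is deliberately recorded as skipped rather than quietly counted as a pass.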
Evolving to Help Companies Secure Systems Better, Faster, Cheaper
There are countless stories of federal contractors and sponsors who've benefited from MITRE SAF’s suite of tools, but maybe none more salient than that of VMware, a $60 billion cloud computing company (acquired by Broadcom in 2024) that counts the government as one of its biggest customers.
VMware’s cybersecurity team found themselves authoring endless guidance for federal STIG compliance. Lippold recalls them managing dozens of documents, across numerous versions of multiple product lines. By the time they finished writing one STIG, it was almost time to update it based on the next version of the product’s release. And over again the painstaking process would begin.
VMware enlisted MITRE to respond directly to the challenge. The result is a web-based application called Vulcan, which streamlines the process for writing DoD security guidance.
Once operational, VMware noticed a striking improvement in speed and accuracy, Lippold reports. “Being able to get a whole team working off the same document and collaborating through a web-based application rather than an Excel spreadsheet was critical.”
Because MITRE works in the public interest, we swiftly made Vulcan available as open-source software to keep time, money (and sanity) savings flowing for other companies.
“The compliance-related tasks and use cases that would otherwise take days of manual work are reduced to minutes by SAF, allowing us to spend our time on work that matters,” says Broadcom/VMware engineer Ryan Lakey.
Spreading Knowledge to the Community
“As we know more, we help the community know more,” Lippold explains, referencing the dozens of virtual classes his team has conducted. The free lessons have taught more than 1,000 professionals how to write guidance for advanced security, ultimately helping them learn how to bring good cyber posture into their workflows.
“We can't grow to the point where we can cover every possible type of cybersecurity testing for every piece of software,” Dower says. “We need to teach people to fish.”