A dev’s guide to hacking DoD compliance
What’s inside:
DoD dev: John Muddle’s top five tips for overcoming DoD compliance challenges
Resources: DevSecOps definitions and requirements, Authority to Operate (ATO) explained
Take note: DevSecOps updates at the DoD, AI Cyber Challenge by DARPA, and an upcoming interview with Mike Frank, Deputy Chief Technology Officer, Department of the Navy CIO
DoD dev: John Muddle's top five
As VP of Software Engineering at VIA, John Muddle is no stranger to the compliance challenges of developing software for the Department of Defense (DoD). He may jokingly claim he embraced DevSecOps “before it was cool” (wait, is John implying DevSecOps is cool now?), but John was instrumental in VIA’s early efforts to meet the security controls for IL 2, 4, and 6. Read on to see his must-haves for navigating and conquering DoD’s compliance maze.
Handling DoD data in the cloud? You’ll need to become familiar with IL (“impact levels”) 2, 4, 5, and 6.
John’s top five key takeaways for dev teams working with the DoD:
Build on top of secure and lean base images. Start by using hardened base images with minimal vulnerabilities. The choice of operating system is also critical: Python packages with compiled extensions are built against a specific C library, so a wheel linked against glibc will not load on a musl-based image, and the OS choice and the Python dependency set have to be made together.
Pro tip: Initially tap Iron Bank, Chainguard, or Docker for hardened base images.
Minimize third-party dependencies. Reduce external dependencies to limit potential vulnerabilities and shrink the attack surface.
Pro tip: If you only need one dataclass and minimal validation, for example, it might not make sense to install Pydantic. Instead, use Python’s built-in dataclasses.
Embrace "shift left" for code scanning. Integrate code scanning early in the development lifecycle to proactively identify and address security issues.
Pro tip: Check out Trivy or Grype, both open source vulnerability scanners.
Understand your entire stack. Compliance extends to the entire software stack, including the OS, dependencies, and processor. Without a comprehensive understanding of your full stack’s vulnerability profile, you’ll leave your organization open to exploitation.
Pro tip: If you don’t know what processor you're using (which is surprisingly commonplace), then find out.
Be strategic with vulnerability management. You have three options when it comes to vulnerabilities and working with the DoD:
1. Ask if the problematic code is really necessary. If not, remove it.
2. Refactor your code or upgrade the library.
3. If those options don’t apply, then justify the vulnerability. But know that will be a hard sell.
Pro tip: Check out CISA’s Known Exploited Vulnerabilities (KEV) Catalog to see whether a finding is being exploited in the wild, and NIST’s National Vulnerability Database (NVD) for the details and severity of each CVE.
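What “minimal validation with the standard library” looks like in practice, as an added example for this newsletter (not VIA’s or John Muddle’s code): a frozen dataclass that checks its own fields in __post_init__ and rejects unknown keys the way a stricter schema library would. ServiceConfig, its fields and its rules are assumed for illustration; the sample inputs are constructed.

```python
"""Minimal input validation with the standard library instead of Pydantic.
Example code added for this newsletter, not VIA's or John Muddle's code.
ServiceConfig, its fields and its rules are assumed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, fields
from typing import Any, Optional

# DoD cloud impact levels named in this newsletter.
ALLOWED_IMPACT_LEVELS = frozenset({2, 4, 5, 6})
# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, 1-63 chars each, no leading or trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


@dataclass(frozen=True)  # frozen: validated once, cannot drift into a bad state later
class ServiceConfig:
    name: str
    impact_level: int
    listen_port: int
    upstream_host: str

    def __post_init__(self) -> None:
        # dataclasses neither coerce nor check types, so do it explicitly.
        # type(...) is int rather than isinstance because bool is a subclass of int.
        if type(self.impact_level) is not int or self.impact_level not in ALLOWED_IMPACT_LEVELS:
            raise ValueError(f"impact_level must be one of {sorted(ALLOWED_IMPACT_LEVELS)}")
        if type(self.listen_port) is not int or not 1 <= self.listen_port <= 65535:
            raise ValueError("listen_port must be an integer in 1..65535")
        if not isinstance(self.name, str) or not self.name.strip():
            raise ValueError("name must be a non-empty string")
        if not isinstance(self.upstream_host, str) or not _HOSTNAME_RE.match(self.upstream_host.lower()):
            raise ValueError(f"upstream_host is not a valid hostname: {self.upstream_host!r}")

    @classmethod
    def from_dict(cls, data: dict[str, Any]) -> "ServiceConfig":
        """Build from parsed JSON/YAML, rejecting unknown and missing keys
        (the equivalent of a schema library's 'forbid extra fields' mode)."""
        known = {f.name for f in fields(cls)}
        unknown = set(data) - known
        if unknown:
            raise ValueError(f"unknown config keys: {sorted(unknown)}")
        missing = known - set(data)
        if missing:
            raise ValueError(f"missing config keys: {sorted(missing)}")
        return cls(**data)


def config_error(data: dict[str, Any]) -> Optional[str]:
    """Return the validation error for `data`, or None if it is a valid ServiceConfig."""
    try:
        ServiceConfig.from_dict(data)
    except (TypeError, ValueError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    good = {"name": "api", "impact_level": 4, "listen_port": 8443, "upstream_host": "db.internal"}
    print(config_error(good))                                    # valid: None
    print(config_error({**good, "impact_level": 3}))             # not an allowed IL
    print(config_error({**good, "listen_port": True}))           # bool is not a port
    print(config_error({**good, "upstream_host": "-bad.host"}))  # malformed hostname
    print(config_error({**good, "debug": True}))                 # unknown key rejected
```

The two things a plain dataclass will not do for you, and that this block adds by hand, are type checking (including the bool-is-an-int trap) and rejecting keys you did not declare. If the config grows past a handful of fields with cross-field rules, that is the point at which pulling in Pydantic starts to pay for its footprint.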
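The “shift left” scanning tip and the three vulnerability options above can be wired together into one CI gate. The following is an added example for this newsletter, not VIA’s or John Muddle’s tooling: it reads a Trivy-style JSON report, sorts every finding into remove / upgrade / justify, refuses to accept a justification for anything in CISA’s KEV catalog, and returns the reasons a build must stop. Assumptions: the report follows Trivy’s JSON layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity; Grype’s JSON is shaped differently), KEV_IDS is a set of CVE IDs you export from the KEV catalog, and UNUSED_PACKAGES and JUSTIFIED are lists your team keeps in the repo. The report and the CVE IDs in it are constructed placeholders.

```python
"""Gate a CI build on a container scan and sort each finding into the three
options above: remove the package, upgrade it, or justify it.
Example code added for this newsletter, not VIA's or John Muddle's tooling.
Assumed: the report follows Trivy's JSON layout (Results[].Vulnerabilities[]
with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity);
KEV_IDS is a set of CVE IDs exported from CISA's KEV catalog; UNUSED_PACKAGES
and JUSTIFIED are maintained by the team. All sample data is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    pkg: str
    installed: str
    fixed: Optional[str]  # None when no fixed version is published yet
    severity: str
    in_kev: bool


def load_findings(report_json: str, kev_ids: set[str]) -> list[Finding]:
    """Flatten a Trivy-style JSON report into Finding records, flagging KEV entries."""
    report = json.loads(report_json)
    findings: list[Finding] = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            cve = v["VulnerabilityID"]
            findings.append(Finding(
                cve=cve,
                pkg=v["PkgName"],
                installed=v["InstalledVersion"],
                fixed=v.get("FixedVersion") or None,
                severity=v.get("Severity", "UNKNOWN").upper(),
                in_kev=cve in kev_ids,
            ))
    return findings


def triage(findings: list[Finding], unused_pkgs: set[str], justified: set[str]) -> dict[str, list[Finding]]:
    """Sort findings into the three options, plus 'block' for what none of them covers."""
    buckets: dict[str, list[Finding]] = {"remove": [], "upgrade": [], "justified": [], "block": []}
    for f in findings:
        if f.pkg in unused_pkgs:
            buckets["remove"].append(f)      # option 1: the code is not needed, drop it
        elif f.fixed:
            buckets["upgrade"].append(f)     # option 2: a fixed version exists, take it
        elif f.cve in justified and not f.in_kev:
            buckets["justified"].append(f)   # option 3: written risk acceptance on file
        else:
            buckets["block"].append(f)       # no fix and no justification, or KEV (never accepted on paper)
    return buckets


def gate(buckets: dict[str, list[Finding]], fail_on: frozenset[str] = frozenset({"CRITICAL", "HIGH"})) -> list[str]:
    """Reasons the build must stop; an empty list means it may ship.
    Anything in KEV stops the build at any severity. Otherwise only findings at a
    gating severity that are still unresolved (not yet removed, upgraded or justified) do."""
    reasons = []
    for action in ("remove", "upgrade", "block"):
        for f in buckets[action]:
            if f.in_kev or f.severity in fail_on:
                tag = " [KEV]" if f.in_kev else ""
                reasons.append(f"{f.cve} in {f.pkg} {f.installed}: {action}{tag}")
    return reasons


# Constructed sample report in Trivy's JSON shape; the CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.2.3",
    "Results": [{
        "Target": "registry.example/app:1.2.3 (debian 12.5)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample-a", "InstalledVersion": "1.0-1",
             "FixedVersion": "1.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "unused-cli-tool", "InstalledVersion": "2.4.0",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample-b", "InstalledVersion": "3.1.0",
             "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libexample-c", "InstalledVersion": "0.9.0",
             "Severity": "LOW"},
        ],
    }],
})
KEV_IDS = {"CVE-0000-0004"}                     # assumed export of CISA KEV catalog IDs
UNUSED_PACKAGES = {"unused-cli-tool"}           # packages the team confirmed nothing calls
JUSTIFIED = {"CVE-0000-0003", "CVE-0000-0004"}  # CVEs with a written justification on file

if __name__ == "__main__":
    buckets = triage(load_findings(SAMPLE_REPORT, KEV_IDS), UNUSED_PACKAGES, JUSTIFIED)
    for action, items in buckets.items():
        print(action, [f.cve for f in items])
    for reason in gate(buckets):
        print("STOP:", reason)
```

On the constructed report the gate stops the build three times: the HIGH with a fix available must be upgraded, the CRITICAL in a package nothing uses must be removed rather than argued about, and the LOW that appears in KEV is blocked even though a justification is on file. Only the MEDIUM with no fix and a written justification passes, which is the “hard sell” path in the newsletter.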
Need to know
You have pressing compliance questions; we have answers, so you can build faster and get back to shipping. Check out the resources below.
Rapid Assess and Incorporate Software Engineering 2.0 Implementation Guide
If you need to wrap your head around DevSecOps guidelines, definitions, and requirements, our engineers recommend starting with this guide, designed to enable the Department of the Navy Digital Warfighter to respond quickly to the “evolving demands of cyber warfare and achieve a continuous cyber readiness.”
Author: the Department of the Navy Chief Information Officer
What is Authority to Operate (ATO)?
Selling your software to the DoD may require an Authority to Operate (ATO) first. Don’t know what this means? Hint: “It’s a status that approves an IT system for use in a particular organization.” This article explains the process, what to expect, and how to overcome common obstacles.
Author: Second Front
Take note
With all the information swirling around, it’s hard to know where to focus. Don’t worry, we’ve sorted through current headlines, insights, and events and handpicked what should be on your radar for the week.
This just happened
“DOD Expands DevSecOps to Accelerate Software Deployment”: GOVCIO Media & Research (article)
Worth your time
“Andrew Carney (DARPA: Defense Advanced Research Projects Agency) gives an inside look into AI Cyber Challenge”: Resilient Cyber (video)
Don’t miss this
Exclusive interview with Mike Frank, Deputy Chief Technology Officer, Department of the Navy Chief Information Officer. Watch it now!