A new MITRE study concludes that the Department of War’s acquisition reforms aimed at accelerating fielding timelines could be undermined by industrial security processes that have not kept pace with modern program execution or the push to expand the defense industrial base.
The Fast-tracking Acquisition Security Transformation study, which MITRE released Friday, found that acquisition security-related delays are increasing the cost and schedule burden for companies supporting classified and sensitive programs, particularly small businesses and nontraditional contractors that cannot absorb lengthy clearance and compliance timelines.
How Was the FAST Study Conducted?
MITRE said the study was funded by the Office of the Under Secretary of War for Intelligence and Security and focused on how security requirements affect the defense industrial base’s ability to support accelerated acquisition.
Between July and November 2025, MITRE researchers collected data representing 6,734 security professionals across 105 organizations through interviews, questionnaires and focus groups. The findings were then analyzed to identify systemic challenges and quantify impacts on time, cost and workforce hours.
Why Does MITRE Say Current Security Practices Are Misaligned?
The report argues that the National Industrial Security Program’s structure has remained largely intact since its establishment in 1993, even though the environment surrounding defense acquisition has changed significantly.
MITRE said today’s programs depend on distributed digital systems that generate and transmit sensitive information across networks, while many security processes still rely on a legacy mindset where data remains static, analog and confined to fixed locations.
The study also found that many delays are not driven by missing authorities but by inconsistent application of existing requirements across the system.
What Security Bottlenecks Did MITRE Identify?
MITRE identified 74 acquisition security challenges spanning five areas: entity eligibility and access, foreign ownership, control or influence; safeguarding of sensitive and classified information; cybersecurity; and the integration of security into acquisition and contracting workflows.
One of the most significant schedule impacts highlighted in the report involves foreign ownership reviews. MITRE said the process for addressing FOCI issues can routinely extend beyond 40 weeks, creating barriers for companies attempting to enter or expand within classified defense work.
The study also identified delays due to the absence of DD Form 254 at the solicitation stage. DD-254 is the primary form to justify a company’s need for classified access on government work and to sponsor an entity clearance determination. MITRE said providing the form late in the acquisition cycle forces program teams and contractors to make teaming and design decisions without complete security direction.
Why Do Security Timelines Matter for Small Business Participation?
MITRE said the department’s strategy to rely more heavily on small businesses and nontraditional defense contractors increases the urgency of reducing security-related delays, as newer entrants often lack the resources to navigate long, unpredictable processes.
The report also noted that the upcoming implementation of the National Defense Authorization Act Section 847 could further stress the system. Under Section 847, DOW contractors and subcontractors with contracts exceeding $5 million must undergo periodic assessments of their FOCI disclosure compliance. They are also subject to a re-assessment whenever a changed condition is reported to ensure continued eligibility.
What Reforms Did MITRE Recommend?
MITRE said it identified 155 recommended government actions intended to streamline the way existing security rules are implemented, including measures focused on automation, clarity and standardization.
The report recommended moving away from “facility clearance” terminology in favor of an “entity clearance” model that distinguishes between eligibility and access.
MITRE’s findings emphasize that modernizing the National Industrial Security System Increment II and TurboFCL tools is essential to providing the visibility needed to streamline industrial security. Beyond tooling, the report recommends adopting an integrated cybersecurity enterprise approach and including security requirements in the pre-award phase.
