For years, government and industry leaders have talked about speeding up defense acquisition. We’ve debated flexible contracting, embraced OTAs, and launched innovation hubs meant to attract nontraditional companies into national security work.
And yet, the security side of the house hasn’t kept pace.
That reality is laid out in a new study from MITRE, the 2025 FAST (Fast-Tracking Acquisition Security Transformation) Study. The report doesn’t just diagnose problems, it documents them at scale, across thousands of organizations, and confirms something many cleared employers have quietly known for years: security processes are too often working against today’s acquisition goals.
Old Security Models, New Mission Reality
The FAST study examined how acquisition security requirements including everything from facility clearances to FOCI reviews to cybersecurity evidence, affect the government’s ability to deliver capabilities quickly and securely. The conclusion is blunt: most of the friction isn’t coming from a lack of policy authority, but from outdated implementation and sequencing.
Security requirements were largely built for a world of:
- Long-term, facility-based contracts
- Large, traditional defense primes
- Paper processes and physical spaces
Today’s acquisition environment looks nothing like that. Software, cloud services, AI tools, and distributed teams now dominate the mission landscape. But security processes still assume a cleared building, a static workforce, and timelines that stretch into years.
That mismatch has consequences.
The Real Cost of Security Lag
According to the FAST study, security is too often introduced late in the acquisition lifecycle, after technical approaches are chosen and vendors are selected. When security finally enters the conversation, it can derail schedules, increase costs, or eliminate promising performers altogether.
This hits small businesses and nontraditional defense contractors the hardest. Companies that might bring cutting-edge capability frequently walk away—not because they can’t meet security requirements, but because the process is opaque, slow, and unpredictable.
In some cases, the mission moves forward anyway with cleared primes performing work originally scoped for uncleared specialists, simply because the system can’t onboard those specialists in time. That may preserve schedule, but it doesn’t preserve innovation.
Facility Clearance Isn’t the Center of Gravity Anymore
One of the FAST study’s most telling observations is how much acquisition security still revolves around the Facility Clearance (FCL) model. The report even suggests renaming it, shifting from a facility-centric concept to an “entity clearance” framework that better reflects how work is actually done today.
It’s an acknowledgment that:
- Work is increasingly virtual and distributed
- Data matters more than walls
- People and systems, not buildings, carry risk
Security hasn’t failed—but it has become misaligned with modern risk.
Cybersecurity: Everyone’s Job, Nobody’s Lane
The FAST study is also clear that cybersecurity now underpins all industrial security, yet it remains fragmented across programs, offices, and evidence requirements. Contractors are often asked to submit overlapping—or conflicting—proof to multiple stakeholders, each using different frameworks and assumptions.
The result isn’t stronger security. It’s wasted time, duplicated effort, and confusion about what “good” actually looks like.
MITRE’s recommendation is to treat cybersecurity as an integrated enterprise function, not a bolt-on requirement that sits alongside physical and personnel security.
This Isn’t About Lowering the Bar
One of the most important takeaways from the FAST study is what it doesn’t argue. This is not a call to weaken security standards or accept more risk. In fact, MITRE’s findings suggest the opposite: poorly aligned processes can increase risk by pushing work into less transparent or less optimal paths.
When the system is too slow or confusing to use, people route around it.
Modernizing acquisition security isn’t about doing less security. It’s about doing security earlier, more clearly, and in ways that reflect how work actually happens.
Why This Matters to the Cleared Workforce
For cleared professionals and employers, the implications are significant. Delays in security onboarding don’t just affect contracts. They affect careers, hiring timelines, and workforce planning. When acquisition security lags, cleared talent sits idle, companies hesitate to bid, and missions wait.
The FAST study provides data-backed validation that these problems are systemic, not anecdotal. And it calls for more, not less, alignment across personnel and industrial security. Amongst the recommendations is adjusting entity and personnel eligibility timelines to five year timeframes, to better create the kind of work force elasticity and eligibility needed in an era where careers and opportunities span across the commercial and government sector.
Now the challenge is what comes next.
From Study to Action
MITRE’s report outlines more than 150 recommended actions, many of them practical and achievable. The real test will be whether agencies treat acquisition security reform with the same urgency they’ve given contracting reform.
Speed, innovation, and security don’t have to be in tension. But aligning them will require moving past legacy assumptions—and recognizing that in today’s threat environment, slow security is its own risk.
