How Veeam earned its place in the DoW’s secure ecosystem

In today’s national security environment, data is just as important as equipment in the field. Every mission, every system, and every decision depends on having accurate, protected, and recoverable information. Recent attacks on critical infrastructure have made it clear that adversaries are increasingly targeting the systems behind the mission. If a single backup is compromised, entire operations may be at risk.

That reality has pushed the Department of War (DoW) to raise the bar for how technology partners secure their software and supply chains.

“We need to accelerate our ability to adopt secure software and technology solutions … including specific considerations to address the unique challenges of the software supply chain,” wrote Katherine E. Arrington, performing the Duties of DoW CIO, in a June 2025 memorandum for senior pentagon leadership.

Defense agencies require robust, thoroughly vetted solutions to protect mission-critical information. Vendors must validate how they build, secure, and maintain their products.

Among those vendors, Veeam has distinguished itself as a proactive and trusted partner. In late 2024, Veeam brought on James Burchfield, vice president of government strategy, to chart a path forward with government partners and facilitate transparent government relations between Veeam and Washington. And in 2025, the company voluntarily entered the Supply Chain Product Assurance Playbook (SCPAP) process, an industry-developed and Department of War-informed roadmap, providing comprehensive documentation of its secure software development lifecycle, architectural design choices, code provenance, and security controls. This early engagement and commitment to transparency ultimately earned Veeam formal recognition from the Department for its mature and trustworthy supply-chain security posture.

This achievement required broad commitment from Veeam’s C-suite to its operational staff in order to implement both technical and physical controls. Physical controls included the relocation of Veeam’s software development pipeline to U.S. based infrastructure and ensuring the personnel managing the infrastructure are U.S. trusted persons.  All software development will occur in the US or NATO member countries.  Technical controls were introduced into the software development lifecycle including third party code testing and validation, implementation of applicable DoD Security Technical Implementation Guides (STIGs), and supply chain transparency through Software Bill of Materials and cryptographically secure releases.

This milestone reinforces a core reality: Resilience cannot be a static checkbox. It must be a measurable, repeatable process grounded in transparency, validation, and continuous improvement.

Setting a new standard for trust

While many vendors respond to compliance only after requirements are imposed, Veeam’s approach reflects a security architecture that is designed for assurance from the outset, not retrofitted under pressure. 

As data sets grow larger and workloads become more distributed, agencies need backup and recovery tools that support the quick, secure restoration of operations after a cyber incident, system failure, or insider misuse. Veeam’s platform, secure by design, does this via:

• Immutable Backups 

• Malware & Anomaly Detection 

• End-to-End Encryption 

• Secure Restore 

• Multi-Factor Authentication (MFA) 

• Hardened Infrastructure 

• Role-Based Access Control (RBAC) 

• Comprehensive Auditing & Logging 

• Zero-Trust Architecture Support 

By engineering its products to meet DoW security requirements upfront, Veeam delivers data availability without compromising compliance or assurance. Its architecture verifies, encrypts, and audits data throughout the lifecycle, reflecting a level of integrated rigor that earned Veeam formal recognition from the Department. 

“It’s a seal of approval from the highest levels within the department, indicating that we are going above and beyond in terms of cybersecurity standards and protecting critical infrastructure. It also enables us to fully embrace DoW’s competitive procurement process” said Burchfield.

Building confidence through collaboration

The Department has deep expertise protecting mission data; the challenge has been bringing commercial products up to that same standard. Veeam is one of the first companies to complete the industry-developed Supply Chain Product Assurance Playbook (SCPAP), an effort the Department formally recognized. Veeam’s engagement demonstrates the kind of transparent, collaborative partnership that strengthens mission outcomes and ensures data is protected throughout its lifecycle.

The process wasn’t without complexity, especially as requirements evolved, but Burchfield said early dialogue helped both sides address questions quickly and avoid the delays that often accompany authorization efforts.

“Veeam set out on a mission to address challenges that plague all of industry,” Burchfield said. “In collaboration with the US government, we developed a deep understanding of what best practices look like and how we could actually improve those best practices.”

By inviting DoW stakeholders into its internal processes, Veeam helped accelerate reviews, reduce uncertainty, and give defense teams real visibility into how resilience is engineered. That level of openness is uncommon, yet increasingly necessary as agencies navigate hybrid and multi-cloud environments.

The result is a framework for shared security accountability, not just compliance. 

Veeam’s journey to DoW authorization offers a template for how industry leaders can strengthen the defense industrial base. By embracing transparency and demonstrating proactive accountability, Veeam shows how vendors can support national security beyond product features through secure development, repeatable assurance processes, and a shared commitment to resilience.

“Work with the U.S. government. Don’t work against them,” Burchfield advised. “You’re going to be able to position your company, not only to be a good vendor to the U.S. government, but as a security-first organization. And when you’re talking about a national security environment, that is the most important thing. You have to be able to provide the tools, but the tools and the code must be secure.”

Learn more about Veeam’s trusted partnership with the Department of War.