New ISSO for a DoD organization performing some software development. ISSM is new to our organization too.

Organization is performing static code analysis and CM , but needs to grow beyond that. Some engineers think it is okay to grab just about any code from GitHub and management thinks absolutely nothing should be used from GitHub. Obviously there is a middle ground and we need some process for assessing Open Source Software, libraries, etc. not to mention properly assessing our own applications and I'm not sure where to start. What I could find is that getting a list of components for our internally development apps should be one of our first stops. Not sure if same applies to OSS, or how we'd do that properly.

I think we will be rebuilding the software engineering process and procedures from scratch, but we are a bit out of our depth. Other than the high level TTPs, we are having a difficult time getting started. Can anyone point us to resources that can assist in this and make sure we get this as close to right as possible the first time around.