Refusal to update systems in development

old.reddit.com / @/u/Kern3LP4niK, https://old.reddit.com/user/Kern3LP4niK

I am an A&A analyst (800-53) for a Software developer. Can't get agile development leads to update their products until the very end of the process. Our product is the OS image with the application.

Despite my predecessor's and my best attempts, some of our development teams do not understand the importance of applying IA patches and maintaining STIG compliance throughout the development cycle. Don't get me wrong, before the software/OS image leaves us, patches are created, but my understanding IAW FISMA is that we need to stay on top of IA updates from day 0 instead of scrambling to bolt them on as we kick it out the door. The answer we usually get is something along the lines of "We don't have time for that new requirement." This hasn't been new in years, if that.

Unfortunately my supervisor (who has been in the C&A/A&A game for a while, so he is familiar with this) does not agree that we have any say in this. He prefers the status quo over being proactive, but will listen if pushed hard enough. I'm not asking them to jump when I say so; I just don't think it is too much to ask to simply install vendor patches throughout the process. I think if I were the product owner I would consider taking this work elsewhere or at least taking some sort of action against the company.

My client counterpart is aware and we are both at a loss on how to fix this process. Are we off the reservation here or does anyone have any suggestions as to how I can approach this?


published almost 3 years ago
