...
DoD acquisition programs are specifying The specifying the Application Security and Development Security Technical Implementation Guide (STIG), Version 4, Release 1 [DISA 2016] in requests for proposal (RFPs). Section 2.1 of the Application Security and Development Security Technical Implementation Guide (STIG) Overview, "Security Assessment Information", requires that "...coding standards... , application vulnerability scan reports, and automated code review results are all part of the suite of system documentation that is expected to be available for review when conducting a security assessment of an application."
...