Case Study: United States Federal Agency achieves nearly zero open-source risk management time with CAST Highlight

A CAST Case Study

Preview of the United States Federal Agency Case Study

US federal agency cuts open source risk management process time to almost zero

A U.S. federal agency that provides services to most branches of government manages a portfolio of 50+ custom applications maintained by 50+ outsourced developers and relying on thousands of open‑source components. After discovering security vulnerabilities tied to OSS, the agency was running manual audits with spreadsheets and public vulnerability databases—a time‑consuming process that took dozens of hours per month and was difficult to coordinate across multiple contractors.

The agency deployed CAST Highlight as an open‑source “control tower,” onboarding all 50+ applications in a few weeks and automating Software Composition Analysis and SBOM generation within their CI/CD pipeline. The centralized, automated view cut OSS risk management time to almost zero (requiring only a part‑time operator instead of 1–2 FTEs), improved incident response (e.g., log4j), and simplified compliance with the presidential SBOM requirement.
