In this case the certification program is extremely onerous; I have experienced it myself. A government testing agency will not give you an authorization to operate on a given network or at a given data impact level until they can independently verify that you meet very specific standards, including keeping data at different impact levels physically separate and encrypted at rest to specific encryption standards, keeping processes that access such data on different machines, allowing only one-way data transfer across specialized hardware, having a network physically separate from the internet, etc.
Just getting a well-known Python package authorized for install on a single machine can take multiple years. People are used to corporations engaging in security theater, but in the DoD world it's much the opposite: the security apparatus is so paranoid and strict that nobody can get anything done.