Hire a good Cybersecurity Engineer that can run all of the scans and make reports to submit up the IA chain. If you can prove that your IS or application is secure it really becomes hard(er) for the ISSM to say "no, can't, and I don't know"
We don't have a good cyber security person in-house, so we are relying on guidance from a very good and trusted cyber security engineer from a research institution that is under contract with us. I've been lobbying for money to hire a good cyber security person but haven't had luck (yet).
I work around the outside of the DoD world myself and I wish you the best of luck. The office of no in the DoD is extra strict and their (government) actual security is awful. Without getting into the details some of the stuff I have seen employees do is shocking. Another hoop you have to jump through is that it is such a pain to get hired by the DoD or IC and a lot of the better security people have a culture which clashes with IA and OPM to say the least so even if someone wants to get hired by them there is a good chance they will get rejected off of a culture fit or they smoked pot once in college half a decade ago.
