It would be fair to say that MOSA has been very well studied in the Defense Science & Technology world. The Defense Technical Information Center (DTIC) has a searchable database of unclassified S&T reports available to the public, and a quick search for MOSA yields 800+ results! Many of those are briefings, white papers, and presentations, such as those from the National Defense Industrial Association (NDIA).
What I was looking for, specifically, in this treasure trove was a paper on MOSA and Cybersecurity, “Using Modular Open Systems Approach (MOSA) to Address System Survivability in Army Weapon Systems,” published in 2019. I was interested in this because of an incorrect assumption made by many program managers, echoed in the 2025 GAO MOSA Report, that cyber security was somehow lowered with MOSA and that obscure, incompletely documented, and closed proprietary systems were somehow magically safer from being hacked. The report highlights the incorrect assumption this way (emphasis mine):
Acquisition program officials noted there are some potential disadvantages to pursuing a MOSA. For example, publicly available open interfaces may help adversaries identify and exploit cyber vulnerabilities. Thus, using a MOSA may require additional planning to ensure cybersecurity needs are addressed.
Whenever you hear someone say “that may require more planning,” it typically means they are not doing enough planning. The reality is far different: clearly defined interfaces with well-documented separation of concerns are the correct pattern for cyber security, and MOSA directly supports that. Part of the misunderstanding is that MOSA does not mean open source (e.g. code developed by thousands of anonymous people from all over the world). It focuses on modularization of software with clearly defined open interfaces, which is a matter of good design patterns, not of the vulnerability of the code within those modules. This makes the identification and replacement of modules with vulnerabilities much easier, since the system is designed to allow for replacement of individual severable parts. An “Open Interface” means that it is open to the ACQUISITION agency, not to the general public. The interface can be ITAR, CUI, or even classified, as examples abound of MOSA being used on programs that have no publicly available information! The author, after an exhaustive review of the subject, summarizes the results of this incorrect thinking about open architecture and cyber this way on page 59:
In a proprietary system, the Army has no straightforward means of determining where the components originated or how crucial data is handled. Unfortunately, the Army typically discovers the origins after the system has been exploited and an investigation is conducted. The proprietary nature of the system thwarts our ability to rapidly adapt and counter cyber threats, making a vulnerability more exploitable and severely impacting mission effectiveness or readiness. Army leaders and engineers must break the paradigm that feeds this approach and move to partnerships focused on the use of open systems (Clinton, 2015).
This is supported not only by the literature review and examination of other industry discoveries, but also by analysis of various DoD-specific studies and experiments. It is followed in the paper by a clear set of recommendations that every program manager should read, especially when their OEM tells them “Don’t do MOSA, that will increase your cyber risk!”
Here’s the paper directly for download, reposted from DTIC.
There is so much more knowledge available to anyone who wants to actually dig in to validate or support their assumptions. Of course, if you dig in a stack this large, you can find something to support whatever argument you are trying to make, so just access to reports and data does not make one an expert on MOSA. That said, in the hands of any expert, a good library is always useful!
Here is a link to the DTIC search results:
https://discover.dtic.mil/results/?q=MOSA#gsc.tab=0&gsc.q=MOSA&gsc.page=1
One interesting observation from the search is that these documents encompass a wide range of information, which can be categorized into a few broad areas:
- Policy and Guidance Documents: These include official directives, memoranda, and instructions that mandate or guide the implementation of MOSA within defense acquisition programs.
- Technical Frameworks and Standards: Documents in this category provide detailed frameworks and standards to guide the technical implementation of MOSA.
- Implementation Case Studies and Best Practices: These papers present analyses of MOSA implementations, highlighting lessons learned and best practices.
- Technical Papers and Research Studies: This category includes in-depth research on specific aspects of MOSA, such as system architecture, integration challenges, and technological advancements.
- Acquisition and Contracting Guidance: Documents here focus on the business and contractual aspects of adopting MOSA, providing guidance on acquisition strategies, contracting approaches, and compliance with statutory requirements.
Collectively, these documents offer a comprehensive resource for understanding, implementing, and managing MOSA in defense acquisition programs, covering both technical and managerial perspectives. While there are many other places around the internet where you can find bits and bytes of MOSA documentation, this volume of information has a whole library of resources for you to explore.



