I suspect that whether a given government software spec includes blacklists, whitelists or a combination of both depends largely on who wrote it. Unless someone can show me that exclusive whitelisting is enforced US policy, I would think there will often be documents detailing which versions of software are not to be used on a given contract, as well as which ones are.