In practice, the DoD right now uses something called AppGate, which downloads a script on-demand to check for device compliance, and it supports free software distributions, but the script isn't super sophisticated and relies heavily on being able to detect the OS flavor and assumes you're using the blessed package manager, so right now it only works for Debian and RedHat descended Linux flavors. It basically just goes down a checklist of STIG guidelines where they are practical to actually check, and doesn't go anywhere near the level of expecting you to have a signed bootloader and a TPM or checking that all of the binaries on your device have been signed.