I know of no DoD requirement for use of a specific version of software. People confuse local security (SSO's) rules with DoD-wide ones. I would like to know which document they are reading. When you get your system accredited you have to list software and versions in the SSP/SSAA, and if you upgrade you also have to do a change to the SSP/SSAA.
As for backports: they are fine as long as you can test and show that they do what they say, and contain nothing else. No patch is to be put on a DoD system without vetting the patch. Your ISSO or SSO will give you guidance. If you are the admin you should have a contact for them.
Also, DoD rules all depend on who you report to: DoDIIS, US Army, SSO Navy, DISA? They all have their own rules; a lot matches. Then you have your local accreditor, better known as the person who is responsible if your system is compromised. This person is the only one who sets version numbers, and a lot of them just say the newest with no knowledge.
Disclaimer: I am a government contractor who does system design and system accreditation.