DoD launches SWFT program to modernize software acquisition

The Department of Defense is launching a new program to overhaul its software acquisition practices. The Software Fast Track (SWFT) program aims to replace outdated processes with a faster, modernized approach that uses artificial intelligence. Katie Arrington, the senior official performing the duties of Pentagon chief information officer, is leading the effort.

She wants to eliminate the lengthy Risk Management Framework (RMF) and the authority to operate (ATO) approvals. “I’m blowing up the RMF. The RMF is archaic,” Arrington said.

She hopes that by next year, ATOs are “something I never hear about again.”

The RMF and ATO processes have guided the Pentagon’s acquisition process for all of its systems for over a decade. The RMF identifies and manages cybersecurity risks on the Defense Department’s networks. After a system goes through the RMF process, it must receive an ATO that gives the final approval to operate on the network.

Arrington explained that the “old school” processes are obsolete and no longer representative of the modern technologies the Pentagon needs. “An ATO is granted at a very specific time in the network, the architecture of the network, the iteration of the software. Everything is like a snapshot in time, it’s a static moment,” she said.

Pentagon’s SWFT launch

“But software is dynamic, it changes — every patch, every iteration, every version. So why wouldn’t we move to a continuous ATO and look at the RMF process as the building blocks?”

The SWFT program officially began on June 1.

It will have companies receive a third-party assessment based on 12 risk factors outlined by the Pentagon, ranging from a company’s cybersecurity posture to its financial health. Vendors will also be required to submit their own software bill of materials (SBOM), as well as an SBOM from a third-party assessor. “When that information comes into the department, we’re going to have AI and large language modeling on the backside so that we can detect anomalies,” Arrington said.

“If there’s a variant between one SBOM and another SBOM, we’re going to validate all of the data.”
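The anomaly check Arrington describes boils down to comparing the vendor's SBOM against the assessor's independently produced one and flagging every place they disagree. The example below is added here to illustrate that comparison and is not DoD or SWFT code: it takes two constructed, minimal CycloneDX-style JSON documents (sample component names, versions and placeholder hashes, not real vendor data), indexes the components by name, and reports components that appear in only one document, version mismatches, and SHA-256 mismatches. The function names are this example's own.

```python
import json

# Constructed sample SBOMs in a minimal CycloneDX-style JSON shape.
# Component names, versions and the short hash strings are placeholders.
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "openssl", "version": "3.0.13",
         "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
        {"name": "zlib", "version": "1.3.1",
         "hashes": [{"alg": "SHA-256", "content": "bb22"}]},
        {"name": "libxml2", "version": "2.12.6"},
    ],
})

ASSESSOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "openssl", "version": "3.0.13",
         "hashes": [{"alg": "SHA-256", "content": "aa11"}]},
        {"name": "zlib", "version": "1.2.13",
         "hashes": [{"alg": "SHA-256", "content": "cc33"}]},
        {"name": "log4j-core", "version": "2.17.1"},
    ],
})


def index_components(sbom_json):
    """Map component name -> (version, SHA-256 digest or None)."""
    doc = json.loads(sbom_json)
    index = {}
    for comp in doc.get("components", []):
        sha = None
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                sha = h.get("content")
        index[comp["name"]] = (comp.get("version"), sha)
    return index


def diff_sboms(vendor_json, assessor_json):
    """Return a list of (kind, component, detail) findings, ordered by name.

    A component is flagged when it is declared by only one party, when the
    two parties report different versions, or when both report a SHA-256
    digest and the digests differ.
    """
    vendor = index_components(vendor_json)
    assessor = index_components(assessor_json)
    findings = []
    for name in sorted(set(vendor) | set(assessor)):
        if name not in assessor:
            findings.append(("missing_in_assessor", name, vendor[name][0]))
        elif name not in vendor:
            findings.append(("undeclared_by_vendor", name, assessor[name][0]))
        else:
            v_ver, v_sha = vendor[name]
            a_ver, a_sha = assessor[name]
            if v_ver != a_ver:
                findings.append(("version_mismatch", name, f"{v_ver} vs {a_ver}"))
            if v_sha and a_sha and v_sha != a_sha:
                findings.append(("hash_mismatch", name, f"{v_sha} vs {a_sha}"))
    return findings


def needs_review(findings):
    """Any discrepancy means the submission should go to manual validation."""
    return len(findings) > 0


if __name__ == "__main__":
    for kind, name, detail in diff_sboms(VENDOR_SBOM, ASSESSOR_SBOM):
        print(f"{kind:22} {name:12} {detail}")
```

On the constructed input this reports libxml2 as declared only by the vendor, log4j-core as found only by the assessor, and zlib with both a version and a hash mismatch; openssl agrees and is silent. Matching on component name alone is deliberately simple: a production comparison would key on package URLs (purl) or CPEs so that renamed or vendored copies of the same library are not reported as unrelated components.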

The Office of the DOD CIO is conducting a 90-day sprint to develop a framework and implementation plan for SWFT. It is reviewing responses to a trio of SWFT requests for information published in May that asked for industry’s input on specific tools, external assessments, and automation and AI-enabled capabilities. The CIO received over 500 responses, which it takes as a sign that industry is on board with SWFT.

Before the end of June, the DOD CIO plans to release another RFI to industry that outlines five tenets for how the Pentagon plans to execute SWFT. Some ideas being considered include a tiered approach for the roles and responsibilities of cybersecurity service providers and different aspects of continuous monitoring. Arrington acknowledged that SWFT’s success will depend on how well the department can adapt to the cultural shift it requires.

“We’re so risk averse that to be relevant, we have to assume a little bit of risk in moving forward. And I think that’s going to be the biggest challenge set for the department is culturally learning how to operate within that little bit of risk factor,” she said.

kirstie_sands
Journalist at DevX

Kirstie is a technology news reporter at DevX. She reports on emerging technologies and startups waiting to skyrocket.
