Pentagon Opening the Throttle on New Rules for Software 

The Department of Defense is pushing ahead with a plan to automate and streamline the system it uses to ensure that software running on military networks is secure, and will start implementation next month, acting Chief Information Officer Katie Arrington said May 7. 

Arrington signed a memo two weeks ago “directing the development of a Software Fast-Track, or SWFT, Initiative” to speed up the process by which the Department of Defense certifies software to run on its networks. Then last week, her office issued three Requests for Information, seeking industry input. 

“We have got to get software faster into the Department of Defense,” she told an audience of defense contractors at AFCEA International’s TechNet Cyber conference, underlining the pace at which her office was moving. “We put the SWFT memo out, and within, I think, four business days, the RFIs hit the ground.”

The program “will be implemented starting June 1, 2025, so that we in the government can get to software faster,” she added, joking, “I will break glass and crawl through it for you, but you cannot whine, all right?”

Arrington pledged to seek industry input into what she promised would be a responsive and flexible process. 

“Over the summer, you people are going to tell us what works and what doesn’t work,” she told industry executives as she strode between tables, interrupting her remarks more than once to call out friends or colleagues by name. 

The two-page RFIs issued last week ask for advice and proposals from companies large and small in three overlapping areas: 

  • Ways in which “automation and artificial intelligence [could] assist DOD-led risk assessment for expedited cybersecurity authorizations,” using a third-party-supplied Software Bill of Materials (SBOM), effectively an ingredients list of the components that make up the software, together with third-party certification of secure development practices. 
  • Tools and processes “for consistent, secure, and accelerated risk assessments” of software and of software development practices, including supply chain risk management (SCRM) requirements. 
  • Ways that an “external assessment [could] demonstrate technical expertise, cybersecurity, and SCRM experience,” and what documents, processes and artifacts such an assessment would need. 

Responses, which can each be a maximum of 30 pages, are due May 20.

Automating the process of granting an Authorization to Operate, or ATO, the formal decision by an authorizing official to accept the risk of running a system, is meant to take a cumbersome, manual, paper-documentation process that can drag on for months and compress it to days or even hours, Arrington said. 

“Lengthy, outdated cybersecurity authorization processes frustrate agile, continuous delivery,” reads the memo she signed April 23. “Additionally, widespread use of open-source software, with contributions from developers worldwide, presents a significant and ongoing challenge. The fact that the Department currently lacks visibility into the origins and security of software code hampers software security assurance.” 

In response, she pledged SWFT will lay out clear and specific rules and procedures for “cybersecurity and [supply chain] requirements” and “rigorous software security verification processes.”  

Once SWFT is complete, “I’m not done yet,” she continued, “We’re going to blow up the [Risk Management Framework], who’s with me on that one?” 

The RMF, derived from NIST Special Publication 800-37 and adopted by the department in DoD Instruction 8510.01, is a veritable bible for Pentagon information security personnel and has guided cybersecurity decisions in the department for more than a decade, but many criticize it as slow and cumbersome.