The Department of Defense’s (DoD) Software Fast Track (SWFT) initiative – which marks a sweeping overhaul of how the Pentagon acquires and approves software used by the military – will officially launch on June 1, said acting DoD Chief Information Officer (CIO) Katie Arrington today.

“That program will be implemented starting June 1, 2025 so that we in the government can get to software faster,” Arrington said during the AFCEA TechNet Cyber conference in Baltimore on May 7.

SWFT – initially announced last month – aims to speed up software deployment across DoD while enhancing security and streamlining approvals. The new software approval framework is part of the Pentagon’s broader push to modernize how it acquires technology, and it is aimed at fast-tracking the authority to operate (ATO) process while still ensuring applications are secure.

To prepare for the launch, the DoD CIO’s office is currently in the middle of a 90-day sprint to create a full framework for secure software delivery. As part of that sprint, the department has issued three separate requests for information from industry, focusing on cybersecurity, supply chain risk, security verification, and secure information-sharing practices.

Under SWFT, software will be evaluated using 12 distinct risk characteristics, encompassing everything from financial operations to cybersecurity standards.

A key part of the program will involve a more automated approval process: software vendors must submit their Software Bills of Materials (SBOMs) – including sandbox and production environments, as well as a third-party SBOM – into the DoD’s Enterprise Mission Assurance Support Service system.

“AI tools on the back end will analyze the data. If everything meets the requirements for a digital ATO, we won’t have to wait on a human to review it,” Arrington explained.

Blowing Up the RMF

SWFT is just the beginning. Arrington also announced plans today to fundamentally reform the Risk Management Framework (RMF), which has been the baseline structure guiding DoD acquisition since 2022.

“We are not stopping. We are not slowing down, not for a second. Just checking the box is not sufficient … I’m blowing up the [risk management framework],” she said bluntly.

The RMF, established under former CIO John Sherman, was designed to manage system risks across the lifecycle of DoD technology, from procurement to sustainment. But Arrington argued the framework has become too rigid, slow, and compliance-focused to meet the real-time demands of modern warfare.

Venice Goodwine, CIO for the Department of the Air Force, echoed the need for change in a separate panel at the AFCEA TechNet conference – though with a more tempered view. Goodwine does not advocate scrapping RMF entirely, but rather refining how it is applied.

“The problem is not the framework. The problem is our implementation,” Goodwine said, pointing out that the military services have layered unnecessary steps onto the original RMF design.

She emphasized that if industry partners present tools already developed using secure-by-design principles or existing certifications, the DoD should accept that evidence rather than requiring redundant processes.

Starting this summer, Arrington said she will begin meeting with industry stakeholders to evaluate what works – and what doesn’t – under the current RMF. The goal is to lay the foundation for a more responsive and efficient cybersecurity compliance system.

About
Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.