The Pentagon is finalizing internal conversations on how it could overhaul its Risk Management Framework (RMF), with plans to issue a request for information (RFI) on that topic this summer, a senior official confirmed today.

The RMF implemented in 2022 under then-Chief Information Officer (CIO) John Sherman was designed to govern risk throughout the lifecycle of DoD technology systems – from development and acquisition to deployment and sustainment. The framework was meant to provide structure and consistency in securing defense IT systems, but in practice has drawn criticism for being overly bureaucratic and inflexible.

Katie Arrington, currently serving as the DoD’s acting CIO, reiterated her stance today that the RMF is no longer suited to meet the demands of today’s rapidly evolving digital battlespace.

“We’re blowing up the RMF,” Arrington said during a virtual INSA Coffee & Conversation session on June 5.

Since assuming the acting CIO role, Arrington has consistently signaled her intent to replace the RMF with a more agile, responsive approach – one that maintains rigorous security standards without slowing innovation or operational readiness.

“We have multiple redundancies in the RMF. We’re eliminating those,” she said.

Internal conversations on the RMF revamp began with DoD’s chief information security officers (CISOs) and have expanded to include multiple defense components, including the offices of Acquisition and Sustainment (A&S) and Research and Engineering (R&E).

DoD has identified five core tenets to guide the reformed approach, which will be shared with industry in the upcoming RFI to gather feedback and shape the path forward.

“We’re finishing our last leg. [And] by the end of June, we’ll have that wrapped up,” Arrington said, signaling a mid-July to August timeframe for an RFI.

“Industry, you’re critical to this, and we wouldn’t do it without you,” she said.

Software Fast Track Effort Also Underway

In parallel, the Pentagon is advancing another major initiative: the Software Fast Track (SWFT) program. The effort aims to develop a rapid “authority to operate” (ATO) process for software systems, streamlining accreditation while maintaining security standards.

Under SWFT, software vendors will be required to submit software bills of materials (SBOMs) for both sandbox and production environments, along with a third-party SBOM. These documents will be uploaded to the Enterprise Mission Assurance Support Service (eMASS) platform for automated review.

“AI tools on the back end will analyze the data,” Arrington explained. “If everything meets the requirements for a digital ATO, we won’t have to wait on a human to review it.”

Last month, the DoD released three RFIs in support of SWFT focused on cybersecurity, supply chain risk management, and secure information-sharing. The department received more than 500 detailed responses, many including full binders of documentation and real-world practices.

“It was amazing,” Arrington said today. “And we’re not talking one-page responses.”

Preliminary feedback from these RFIs indicates that the defense enterprise must become more comfortable with calculated risk in order to move faster and maintain an operational edge, according to Arrington.

“We have to assume some amount of risk to be ready, efficient, and lethal. There’s just no way around it,” she said.

According to Arrington, DoD plans to meet with industry stakeholders again after completing its review of the responses.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.