The Department of Defense (DoD) is launching a new program to overhaul how it buys software – prioritizing speed, agility, and security, a senior Pentagon tech official said today.

“Instead of going through the arduous process of finding a program manager to review your software, send it to a lab, and wait for testing … I’m of a modern age,” Katie Arrington, performing the duties of the DoD chief information officer, said during an AFCEA Luncheon.

The “Swift Software Fast Track” program aims to create a fast-track authority to operate (ATO) process for software that will give the services and defense agencies a level of assurance that applications are secure.

Arrington explained that under the new program, the department would assess software security based on 12 risk characteristics – ranging from financial operations to cybersecurity.

“If you’re a software provider, you’ll need to submit your [Software Bill of Materials (SBOM)] in both your sandbox and production environments, along with a third-party SBOM. You’ll upload those artifacts into [Enterprise Mission Assurance Support Service system],” she said. “AI tools on the back end will analyze the data. If everything meets the requirements for a digital ATO, we won’t have to wait on a human to review it.”

The new software approval framework is part of the Pentagon’s broader push to modernize how it acquires technology – aimed at fast-tracking the ATO process while still ensuring applications are secure.

To inform the criteria for this “fast-track” program, Arrington explained that the DoD plans to release a request for information (RFI) soon.

Part of the plan, according to Arrington, includes determining how to move away from the traditional risk management framework (RMF) while still ensuring security and compliance.

The RMF, established in 2022 by then-CIO John Sherman, has played a key role in guiding the acquisition processes for all DoD systems, including development, procurement, testing, and sustainment requirements.

Arrington didn’t mince words about the need for change. “I’m blowing up the [risk management framework], blowing up the ATOs. They’re archaic,” she said. However, she clarified that while the DoD’s new “fast track” program aims to modernize the process, it won’t completely discard the RMF – just adapt it to fit the new approach.

“It could be the framework we base it on, but I only have five things I really care about. Could you develop what you’re doing in secure by design? How do I validate that? Are you working with zero trust? How do I validate that? Continuous monitoring, how do I do that? That’s what you’ll be seeing,” Arrington said.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.