The U.S. Department of Defense is set to implement a dramatic overhaul of its cybersecurity approval process for software vendors, replacing the decades-old Risk Management Framework (RMF) and the Authorization to Operate (ATO) system with a streamlined, AI-driven process. Acting Pentagon Chief Information Officer Katie Arrington announced the change on April 23 at an AFCEA DC luncheon, where she introduced the new Software Fast Track (SWIFT) initiative.
Arrington emphasized that the current RMF and ATO procedures are outdated and overly reliant on burdensome documentation. “I’m blowing up the RMF, blowing up the ATOs. They’re stupid. They’re archaic,” she said bluntly, advocating for a more efficient, modernized system that leverages artificial intelligence to automate much of the current manual review process.
Under SWIFT, cybersecurity assessments and software certifications will now be conducted using data gathered through government applications like eMASS, with results stored in the Supplier Performance Risk System (SPRS). This system will utilize third-party data about software security and the architecture of vendor products, eliminating delays associated with traditional approval pathways.
Building on Past Innovations with a Forward-Looking Approach
SWIFT builds upon earlier efforts such as the Air Force’s “Fast Track ATO” pilot from 2019, which aimed to accelerate the deployment of software across military networks. However, SWIFT introduces significant advancements by not just changing how authorization is granted, but also redefining what security requirements must be met.
Software vendors will now be required to submit a Software Bill of Materials (SBOM) for both their test (sandbox) and live (production) environments. An SBOM serves as a comprehensive inventory of all components, including open-source code, that a software program uses. This move is seen as essential for identifying hidden vulnerabilities in widely used code libraries that could compromise military systems.
These SBOMs must be verified by an independent third party and uploaded to eMASS for review. AI tools will then assess the submissions automatically, allowing for immediate provisional authorization if all conditions are satisfied. “I will have AI tools on the back end to review the data instead of waiting for a human,” Arrington explained, signaling a major efficiency gain.
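The sandbox-versus-production SBOM requirement above invites a simple automated check: does what is deployed match what was tested, and can each production component be independently verified by its hash? The script below is an added illustration, not SWIFT, eMASS or DoD code; it assumes a CycloneDX-style JSON layout (a top-level "components" list of name, version and hashes), and the two SBOM documents and the finding labels are constructed for the example.

```python
import json

# Constructed sample SBOMs in a CycloneDX-like shape (not real vendor data).
SANDBOX_SBOM = json.dumps({"components": [
    {"name": "liba", "version": "1.2.0", "hashes": [{"alg": "SHA-256", "content": "aaa"}]},
    {"name": "libb", "version": "2.0.0", "hashes": [{"alg": "SHA-256", "content": "bbb"}]},
    {"name": "libc", "version": "3.1.0", "hashes": [{"alg": "SHA-256", "content": "ccc"}]},
]})
PROD_SBOM = json.dumps({"components": [
    {"name": "liba", "version": "1.2.0", "hashes": [{"alg": "SHA-256", "content": "aaa"}]},
    {"name": "libb", "version": "2.1.0", "hashes": [{"alg": "SHA-256", "content": "bbb2"}]},
    {"name": "libd", "version": "0.9.0"},  # shipped with no hash: cannot be verified
]})


def load_components(sbom_json):
    """Map component name -> (version, {hash alg: digest}) from an SBOM document."""
    doc = json.loads(sbom_json)
    comps = {}
    for c in doc.get("components", []):
        hashes = {h["alg"]: h["content"] for h in c.get("hashes", [])}
        comps[c["name"]] = (c.get("version", ""), hashes)
    return comps


def sbom_drift(sandbox_json, prod_json):
    """Return (finding, component) pairs describing how production departs
    from what was tested in the sandbox. Finding labels are illustrative."""
    sb = load_components(sandbox_json)
    pr = load_components(prod_json)
    findings = []
    for name in sorted(sb.keys() | pr.keys()):
        if name not in sb:
            findings.append(("untested-in-sandbox", name))
        elif name not in pr:
            findings.append(("missing-in-production", name))
        elif sb[name][0] != pr[name][0]:
            findings.append(("version-drift", name))
        elif sb[name][1] != pr[name][1]:
            findings.append(("hash-mismatch", name))
        # A production component without a digest cannot be independently verified.
        if name in pr and not pr[name][1]:
            findings.append(("no-hash", name))
    return findings


if __name__ == "__main__":
    for finding, name in sbom_drift(SANDBOX_SBOM, PROD_SBOM):
        print(f"{finding}: {name}")
```

Any non-empty result is a reason to withhold the provisional authorization the article describes until the vendor explains the difference.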
A New Era of Cybersecurity Governance at the Pentagon
The new process will be formalized with a policy memo signed by Arrington, which is being distributed across the Pentagon’s IT leadership. In the coming weeks, a Request for Information (RFI) will be issued to industry partners to refine the system’s structure and implementation.
Arrington outlined five core principles that will guide SWIFT, among them secure-by-design development, validation methods for security frameworks like zero trust, and continuous monitoring. “I only have five things that I really care about,” she said, pointing to a more focused, results-driven approach to cybersecurity compliance.
This transformative shift signals the Pentagon’s commitment to adapting rapidly in the face of modern cyber threats. By integrating AI into the heart of its cybersecurity infrastructure, the Department of Defense aims to boost agility, reduce bureaucratic delays, and ensure more robust protection of its digital assets in a high-risk global environment.