The DOD CIO published a request for information Wednesday on Sam.gov calling for industry’s input on emerging technologies, solutions and business practices that can support the department’s attempt to revamp the Risk Management Framework (RMF). The initiative largely seeks to replace the legacy framework with a multi-phased construct that will be demanding for cyber and acquisition professionals. Officials are hoping to speed up capability delivery to warfighters.

“Although RMF enhances security through continuous monitoring and risk-based decision-making, it’s often seen as slow and cumbersome,” the RFI stated. “To meet the urgent demands of modern cyber threats and accelerate innovation, the DoD is working to streamline the RMF process — aiming for greater efficiency without compromising on security.”

While the framework has guided the Defense Department’s acquisition process for its military networks, weapon systems and other critical IT infrastructure for decades, the RMF has come under scrutiny in recent months by senior leadership. Since returning to the department in March to perform the duties of Pentagon CIO, Katie Arrington has repeatedly stated in public forums that she is “blowing up the RMF” and other bureaucratic processes known to stifle innovation.

“The RMF is archaic, it’s a bunch of paperwork,” Arrington said in April at the UiPath on Tour Public Sector event. Along with the RMF Revamp, she recently initiated a related effort called the Software Fast Track (SWFT) program that aims to streamline acquisition of on-premises software capabilities.

The RMF was designed to let the department integrate controls throughout a system’s lifecycle, including cybersecurity, operational resilience and supply chain risk management. Ensuring a system is RMF compliant is a seven-step process that results in receiving an authorization to operate (ATO) on Pentagon networks.

However, the entire framework can take weeks to over a year to complete. Even then, a military system with an ATO is required to have it renewed every three years.

According to the request for information, the CIO is considering a new “Risk Management Construct” that outlines specific actions to take across five phases of a system’s development cycle — design; build, or initial operational capability; test, or full operational capability; onboarding; and operations. The first four phases also include recommendations on where to use automation, such as by integrating a continuous-integration/continuous-delivery pipeline in the build phase or automatic vulnerability remediation during onboarding.

The document also asks industry to answer a series of questions regarding technologies and best practices the Pentagon could employ to enhance the RMF process, limit redundant compliance efforts and improve reciprocity across the department.

“Key areas of interest include [artificial intelligence-driven] cybersecurity tools, security control inheritance, artifact reuse, continuous monitoring solutions, proactive cyber defense mechanisms, security testing frameworks, and risk assessment models that support rapid integration of automation, monitoring, and active threat mitigation within cybersecurity programs,” the RFI stated.

Responses — due by July 24 — will inform the CIO’s strategy moving forward.

The post DOD CIO solicits industry to inform revamp of ‘cumbersome’ cybersecurity risk framework appeared first on DefenseScoop.

“We’re using technology to help reduce the time, because that’s been the real problem with software,” Katie Arrington, the senior official performing the duties of Pentagon chief information officer, said Friday in an exclusive interview with DefenseScoop. “When we bring it into the building, we have to find a lab, we have to find a person, we have to get it resourced. And what we should be doing is accepting as much as possible and looking at it rapidly, because software is only as good as it is relevant.”

Since returning to the Pentagon in March to perform the duties of DOD CIO, Arrington has waged war on the legacy processes used by the department to buy software capabilities — namely the lengthy Risk Management Framework (RMF) and beleaguered authority to operate (ATO) approvals. 

“I’m blowing up the RMF. The RMF is archaic,” Arrington told a crowd of defense industry representatives at the UiPath on Tour Public Sector event in April. She later added that by next year, she hopes that ATOs are “something I never hear about again.”

Both the RMF and the ATO process have guided the Pentagon’s acquisition process for all of its systems for more than a decade. The RMF is a structured set of guidelines used to identify and manage cybersecurity risks on the Defense Department’s networks. After a system goes through the RMF process, it must receive an ATO that gives the final approval to operate on the network.

Many of the military departments have done some disparate work to automate the RMF process and embrace continuous ATOs, which use automated monitoring and security controls to approve software without need for reauthorization. But recently, Arrington initiated a Pentagon-wide effort to overhaul the RMF.

She told DefenseScoop that the “old school” processes are obsolete and no longer representative of the modern technologies the Pentagon needs.

“Why I say an old school ATO doesn’t really hold any validity anymore is because an ATO is granted at a very specific time in the network, the architecture of the network, the iteration of the software. Everything is like a snapshot in time, it’s a static moment,” she said. “But software is dynamic, it changes — every patch, every iteration, every version. So why wouldn’t we move to a continuous ATO and look at the RMF process as the building blocks?”

The RMF revamp will focus on how the process can be integrated with automation and continuous monitoring capabilities for an entire program’s lifecycle, a Pentagon spokesperson told DefenseScoop. They added that the framework will remain “a structured process which integrates security, resilience, zero-trust and related cybersecurity considerations to design, build and monitor DoD technology.”

To help the department move away from cumbersome checklist-based authorizations, Arrington also created the Software Fast Track (SWFT) program that she said is designed to allow the Pentagon to integrate software capabilities much faster than currently possible. SWFT is separate to CIO’s effort to reform the RMF, but the program looks to optimize the RMF’s software assessment process and streamline capability delivery.”

SWFT will have companies receive a third-party assessment based on 12 risk factors outlined by the Pentagon, ranging from a company’s cybersecurity posture to its financial health. Vendors will also be required to submit their own software bill of materials (SBOM), as well as an SBOM from a third-party assessor to see if there are any differences in the evaluations, Arrington explained. 

“When that information comes into the department, we’re going to have AI and large language modeling on the backside so that we can detect anomalies,” she said. “If there’s a variant between one SBOM and another SBOM, we’re going to validate all of the data.”

And while replacing institutional processes like the RMF and ATO is an arduous task, the Office of the DOD CIO is moving as quickly as it can. After Arrington announced SWFT in an April memo, the program officially began on June 1. Concurrently, the office is conducting a 90-day sprint to develop a framework and implementation plan that defines specific requirements, security verification processes, information-sharing mechanisms and risk determinations “to expedite the cybersecurity authorizations for secure, rapid software adoption,” according to the Pentagon.

Meanwhile, the office is reviewing responses it received for a trio of SWFT requests for information published in May that asked for industry’s input on specific tools, external assessments, and automation and AI-enabled capabilities, respectively. The CIO received over 500 responses across all three RFIs, demonstrating that industry is onboard with SWFT and eager to get the ball rolling, Arrington noted.

“I’ve committed to reading through all of them to really understand what [are] the best practices in industry,” she said. “What does real continuous monitoring look like? Do we need commercial red teams? What are risk factors if you’re doing continuous monitoring or you have a disruption in software? What are the proper and right risk mitigation processes? All of this is wrapped into acquisition, how we’re really approaching this modernization effort.”

Arrington noted that SWFT’s implementation is being done strategically and in partnership with other key stakeholders across the Defense Department, including the service CIOs, chief information security officers, the acquisition and sustainment directorate and Pentagon directorates that support command, control, communications, computers and cyber.

Before the end of June, the DOD CIO plans to release another RFI to industry that outlines five tenets for how the Pentagon plans to execute SWFT, Arrington said. Some ideas her team is considering include a tiered approach for the roles and responsibilities of cybersecurity service providers and different aspects of continuous monitoring.

“Industry’s part of this is going to be over the summer, and then hopefully I can get those responses [and] we can come together and start with a fundamental, new approach in early August or early fall,” she said.

Moving fast on SWFT will be integral for other reasons, as well. Arrington will exit her CIO role once President Donald Trump’s nominee for the position is approved by Congress. In May, the administration tapped Kirsten Davies — an IT and cybersecurity professional from the private sector — to serve as DOD CIO, but her confirmation hearing has not yet been scheduled.

And although the program’s attempt to reform the Pentagon’s software acquisition process has been met with positive reception — while also being in line with broader efforts by Secretary of Defense Pete Hegseth aimed at increasing use of innovative procurement authorities — Arrington acknowledged that SWFT’s success will depend on how well the department can adapt to the cultural shift it requires.

“We’re so risk adverse that to be relevant, we have to assume a little bit of risk in moving forward. And I think that’s going to be the biggest challenge set for the department, is culturally learning how to operate within that little bit of risk factor. I’ll take a 90 percent solution and work on remediating the 10 percent while we’re developing it,” she said.

Updated on June 12, 2025, at 4:15 PM: This story has been updated to add comment from a Pentagon spokesperson and to clarify that SWFT is separate from the CIO’s effort to reform the RMF.

The post Inside the Pentagon CIO’s push to overhaul antiquated software acquisition practices appeared first on DefenseScoop.

Under the Software Fast Track (SWIFT) program, the Pentagon will use artificial intelligence to replace legacy authority to operate (ATO) and Risk Management Framework (RMF) processes when buying new software. Acting DOD CIO Katie Arrington signed a memo authorizing the new effort, and it will officially launch May 1, she said.

“We need to change our thought process, because having software in an ATO that is a static environment doesn’t help the warfighter,” Arrington said Tuesday during a keynote at the UiPath on Tour Public Sector event, produced by FedScoop. “What changes every single day is the network, the software [and] the environment. Why are we so structured to stay in a static position when our adversaries are always dynamic?”

As the Pentagon becomes more dependent on software-based capabilities, leaders have looked to pivot away from traditional ATO frameworks encumbered by lengthy administrative processes and manual paperwork that can stifle modernization. Some organizations have begun exploring continuous authority to operate (cATO) methods, which use automated monitoring and security controls to approve software without need for reauthorization.

Instead, SWIFT will do a third-party assessment of companies’ cybersecurity postures based on 12 risk characteristics. Vendors will also be required to provide a software bill of materials (SBOM) “from production and sandbox” that is certified by a third party, Arrington said. 

“I have AI on the backside — large language modeling — that will determine if there are any anomalies, if there’s something in your source code that’s bad. If not, you get a provisional ATO,” she said.

Arrington added that SWIFT will allow the department to pivot away from the current RMF, a structured set of guidelines used to identify and manage potential cybersecurity risks on networks. For more than a decade, the framework has guided the Pentagon’s acquisition process for all of its systems — from development to sustainment.

“I’m blowing up the RMF. The RMF is archaic, it’s a bunch of paperwork,” Arrington said. She added that in the next year, she hopes that ATOs are “something I never hear about again.”

SWIFT comes as Secretary of Defense Pete Hegseth is pushing the entire department to speed up procurement and delivery of digital and software-based capabilities. In March, Hegseth issued a memo that calls on Pentagon leaders to use innovative acquisition authorities — from the Software Acquisition Policy to commercial solutions openings — to rapidly buy software.

“We need more innovation. The [secretary of defense] has told us, bring software, bring [commercial-off-the-shelf] into the building faster, at a more rapid rate,” Arrington said. “And our job is to ensure that we are doing the best to ensure that we have lethality, that we’re ready and that we’re efficient.”

When the program launches, Arrington said she plans to bring together all of the department’s CIOs, chief information security officers, the acquisition and sustainment directorate and other stakeholders at the Pentagon. In the near future, the department plans to release a request for information (RFI) to gather industry input.

The post New Pentagon program to speed up software acquisition set to launch May 1 appeared first on DefenseScoop.