Authority to Operate Archives | DefenseScoop
https://defensescoop.com/tag/authority-to-operate/
Last updated: Wed, 25 Jun 2025 20:14:35 +0000

DOD CIO solicits industry to inform revamp of ‘cumbersome’ cybersecurity risk framework
https://defensescoop.com/2025/06/25/dod-cio-risk-management-framework-rmf-revamp-rfi/
Wed, 25 Jun 2025 20:14:32 +0000

The Pentagon CIO is seeking industry feedback on a new construct that will modernize the notoriously burdensome Risk Management Framework.

The Defense Department’s Office of the Chief Information Officer has officially kicked off its effort to improve how the Pentagon manages cybersecurity risks with advanced automation and continuous monitoring capabilities.

The DOD CIO published a request for information Wednesday on Sam.gov calling for industry’s input on emerging technologies, solutions and business practices that can support the department’s attempt to revamp the Risk Management Framework (RMF). The initiative largely seeks to replace the legacy framework with a multi-phased construct that will be demanding for cyber and acquisition professionals. Officials are hoping to speed up capability delivery to warfighters.

“Although RMF enhances security through continuous monitoring and risk-based decision-making, it’s often seen as slow and cumbersome,” the RFI stated. “To meet the urgent demands of modern cyber threats and accelerate innovation, the DoD is working to streamline the RMF process — aiming for greater efficiency without compromising on security.”

While the framework has guided the Defense Department’s acquisition process for its military networks, weapon systems and other critical IT infrastructure for decades, the RMF has come under scrutiny in recent months by senior leadership. Since returning to the department in March to perform the duties of Pentagon CIO, Katie Arrington has repeatedly stated in public forums that she is “blowing up the RMF” and other bureaucratic processes known to stifle innovation.

“The RMF is archaic, it’s a bunch of paperwork,” Arrington said in April at the UiPath on Tour Public Sector event. Along with the RMF Revamp, she recently initiated a related effort called the Software Fast Track (SWFT) program that aims to streamline acquisition of on-premises software capabilities.

The RMF was designed to let the department integrate controls throughout a system’s lifecycle, including cybersecurity, operational resilience and supply chain risk management. Ensuring a system is RMF compliant is a seven-step process that results in receiving an authorization to operate (ATO) on Pentagon networks.

However, the entire framework can take weeks to over a year to complete. Even then, a military system with an ATO is required to have it renewed every three years.

According to the request for information, the CIO is considering a new “Risk Management Construct” that outlines specific actions to take across five phases of a system’s development cycle — design; build, or initial operational capability; test, or full operational capability; onboarding; and operations. The first four phases also include recommendations on where to use automation, such as by integrating a continuous-integration/continuous-delivery pipeline in the build phase or automatic vulnerability remediation during onboarding.

The document also asks industry to answer a series of questions regarding technologies and best practices the Pentagon could employ to enhance the RMF process, limit redundant compliance efforts and improve reciprocity across the department.

“Key areas of interest include [artificial intelligence-driven] cybersecurity tools, security control inheritance, artifact reuse, continuous monitoring solutions, proactive cyber defense mechanisms, security testing frameworks, and risk assessment models that support rapid integration of automation, monitoring, and active threat mitigation within cybersecurity programs,” the RFI stated.

Responses — due by July 24 — will inform the CIO’s strategy moving forward.

Inside the Pentagon CIO’s push to overhaul antiquated software acquisition practices
https://defensescoop.com/2025/06/09/katie-arrington-swft-software-fast-track/
Mon, 09 Jun 2025 21:53:39 +0000

In an exclusive interview with DefenseScoop, acting Pentagon CIO Katie Arrington outlined how her Software Fast Track initiative will help the DOD streamline acquisition of modern capabilities.

For years, leaders across the Defense Department — as well as members of Congress and industry — have criticized the Pentagon’s inability to rapidly procure and integrate new software capabilities. Now, a key DOD official is spearheading an effort to replace outdated acquisition processes with a faster, modernized approach that leans heavily on artificial intelligence.

“We’re using technology to help reduce the time, because that’s been the real problem with software,” Katie Arrington, the senior official performing the duties of Pentagon chief information officer, said Friday in an exclusive interview with DefenseScoop. “When we bring it into the building, we have to find a lab, we have to find a person, we have to get it resourced. And what we should be doing is accepting as much as possible and looking at it rapidly, because software is only as good as it is relevant.”

Since returning to the Pentagon in March to perform the duties of DOD CIO, Arrington has waged war on the legacy processes used by the department to buy software capabilities — namely the lengthy Risk Management Framework (RMF) and beleaguered authority to operate (ATO) approvals. 

“I’m blowing up the RMF. The RMF is archaic,” Arrington told a crowd of defense industry representatives at the UiPath on Tour Public Sector event in April. She later added that by next year, she hopes that ATOs are “something I never hear about again.”

Both the RMF and the ATO process have guided the Pentagon’s acquisition process for all of its systems for more than a decade. The RMF is a structured set of guidelines used to identify and manage cybersecurity risks on the Defense Department’s networks. After a system goes through the RMF process, it must receive an ATO that gives the final approval to operate on the network.

Many of the military departments have done some disparate work to automate the RMF process and embrace continuous ATOs, which use automated monitoring and security controls to approve software without need for reauthorization. But recently, Arrington initiated a Pentagon-wide effort to overhaul the RMF.

She told DefenseScoop that the “old school” processes are obsolete and no longer representative of the modern technologies the Pentagon needs.

“Why I say an old school ATO doesn’t really hold any validity anymore is because an ATO is granted at a very specific time in the network, the architecture of the network, the iteration of the software. Everything is like a snapshot in time, it’s a static moment,” she said. “But software is dynamic, it changes — every patch, every iteration, every version. So why wouldn’t we move to a continuous ATO and look at the RMF process as the building blocks?”

The RMF revamp will focus on how the process can be integrated with automation and continuous monitoring capabilities for an entire program’s lifecycle, a Pentagon spokesperson told DefenseScoop. They added that the framework will remain “a structured process which integrates security, resilience, zero-trust and related cybersecurity considerations to design, build and monitor DoD technology.”

To help the department move away from cumbersome checklist-based authorizations, Arrington also created the Software Fast Track (SWFT) program, which she said is designed to allow the Pentagon to integrate software capabilities much faster than is currently possible. SWFT is separate from the CIO’s effort to reform the RMF, but the program looks to optimize the RMF’s software assessment process and streamline capability delivery.

SWFT will have companies receive a third-party assessment based on 12 risk factors outlined by the Pentagon, ranging from a company’s cybersecurity posture to its financial health. Vendors will also be required to submit their own software bill of materials (SBOM), as well as an SBOM from a third-party assessor to see if there are any differences in the evaluations, Arrington explained. 

“When that information comes into the department, we’re going to have AI and large language modeling on the backside so that we can detect anomalies,” she said. “If there’s a variant between one SBOM and another SBOM, we’re going to validate all of the data.”

And while replacing institutional processes like the RMF and ATO is an arduous task, the Office of the DOD CIO is moving as quickly as it can. After Arrington announced SWFT in an April memo, the program officially began on June 1. Concurrently, the office is conducting a 90-day sprint to develop a framework and implementation plan that defines specific requirements, security verification processes, information-sharing mechanisms and risk determinations “to expedite the cybersecurity authorizations for secure, rapid software adoption,” according to the Pentagon.

Meanwhile, the office is reviewing responses it received for a trio of SWFT requests for information published in May that asked for industry’s input on specific tools, external assessments, and automation and AI-enabled capabilities, respectively. The CIO received over 500 responses across all three RFIs, demonstrating that industry is onboard with SWFT and eager to get the ball rolling, Arrington noted.

“I’ve committed to reading through all of them to really understand what [are] the best practices in industry,” she said. “What does real continuous monitoring look like? Do we need commercial red teams? What are risk factors if you’re doing continuous monitoring or you have a disruption in software? What are the proper and right risk mitigation processes? All of this is wrapped into acquisition, how we’re really approaching this modernization effort.”

Arrington noted that SWFT’s implementation is being done strategically and in partnership with other key stakeholders across the Defense Department, including the service CIOs, chief information security officers, the acquisition and sustainment directorate and Pentagon directorates that support command, control, communications, computers and cyber.

Before the end of June, the DOD CIO plans to release another RFI to industry that outlines five tenets for how the Pentagon plans to execute SWFT, Arrington said. Some ideas her team is considering include a tiered approach for the roles and responsibilities of cybersecurity service providers and different aspects of continuous monitoring.

“Industry’s part of this is going to be over the summer, and then hopefully I can get those responses [and] we can come together and start with a fundamental, new approach in early August or early fall,” she said.

Moving fast on SWFT will be integral for other reasons, as well. Arrington will exit her CIO role once President Donald Trump’s nominee for the position is approved by Congress. In May, the administration tapped Kirsten Davies — an IT and cybersecurity professional from the private sector — to serve as DOD CIO, but her confirmation hearing has not yet been scheduled.

And although the program’s attempt to reform the Pentagon’s software acquisition process has been met with positive reception — while also being in line with broader efforts by Secretary of Defense Pete Hegseth aimed at increasing use of innovative procurement authorities — Arrington acknowledged that SWFT’s success will depend on how well the department can adapt to the cultural shift it requires.

“We’re so risk adverse that to be relevant, we have to assume a little bit of risk in moving forward. And I think that’s going to be the biggest challenge set for the department, is culturally learning how to operate within that little bit of risk factor. I’ll take a 90 percent solution and work on remediating the 10 percent while we’re developing it,” she said.

Updated on June 12, 2025, at 4:15 PM: This story has been updated to add comment from a Pentagon spokesperson and to clarify that SWFT is separate from the CIO’s effort to reform the RMF.

Army set to release new guidance to improve cATO processes through new pilot efforts
https://defensescoop.com/2024/10/16/army-cato-pilot-efforts-cio-leonel-garciga/
Wed, 16 Oct 2024 20:48:43 +0000

The Army's chief information office plans to release a memo in two weeks that establishes pilot CI/CD pipelines for two programs.

The Army’s chief information office is about to publish a memorandum that establishes two pilot efforts aimed at streamlining the service’s continuous authority to operate (cATO) processes, as well as lay the foundation for other programs to join in.

Speaking during a panel Wednesday at the annual AUSA conference, Army CIO Leonel Garciga said the upcoming memo — set to release in the next two weeks — will approve two continuous integration and continuous deployment (CI/CD) pipelines. One will be for the Army’s Nett Warrior program of record at program executive office soldier, and a second will be for the defensive cyber operations (DCO) under PEO intelligence, electronic warfare and sensors, which develops capabilities for Army Cyber Command.

“So, two different views and two different operating models, but the intent here is to get their CI/CD pipelines approved,” Garciga said, adding that around eight more programs have expressed interest in getting the green light for similar frameworks. 

The memo comes on the heels of the Army’s new focus on implementing modern software development and acquisition practices via its new software directive, published in March. Along with overarching guidance to improve the service’s approach to developing and delivering software, the directive calls on the Army to transition to continuous ATO processes. 

“One of the tasks in the software directive — besides just more generalized risk management framework and cybersecurity reform — was really like, can we get to this point to put out guidance for cATO?” Garciga said. “There hasn’t really been any guidance, right? It’s still the traditional checklist. So we’re taking the new digital process and using our great industrial-age processes to overlay on top of them. [That] doesn’t end well for most of us.”

Organizations across the Pentagon have been looking to implement continuous ATO frameworks due to a growing reliance on software-based warfighting systems. By using automated monitoring and security controls to ensure compliance, a continuous ATO grants IT systems permission to operate on a network without the need for reauthorization — an often lengthy process that can stifle modernization.

Along with the two CI/CD pipeline pilots, the upcoming memo will lay the initial foundation for the Army’s transition to cATO processes and establish requirements for accredited frameworks, Garciga said.

“The first level is identifying and saying, ‘Hey look, if you meet these requirements — whether you’re a department asset, an Army asset or even a commercial asset — if you meet these requirements, we’ll approve these platforms to be used,’” he said. “We got to make sure that they’re platforms that are safe to operate on, they got to meet the minimum requirements break.”

The goal is to work with different Army program offices and ensure they can have new code for their systems delivered securely, and in a manner that is tailored for their specific programs.

“Some programs may just not need to have a full CI/CD pipeline, and we’ve got to acknowledge that, right? So the plan is … as folks come in, we walk through what their pipeline is. And it’s not a checklist, it’s about [concept of operations],” Garciga said.

As the service works through the first two pilot efforts, the Army CIO will begin looking at how to integrate cATO processes for larger weapon systems programs, such as the High Mobility Artillery Rocket System (HIMARS), Garciga noted.

“Because that’s where we’re talking major dollars and major effects, right? Getting a new firing table out there in a couple of hours is a big deal. So, how do we get that? That is our next pilot effort, is working with the program over there to work on some of these problems, to have a hardware-in-the-middle approach,” he said.

From Building 213 to the Pentagon: John Sherman reflects on his legacy in government
https://defensescoop.com/2024/06/28/john-sherman-defense-department-cio-exit-interview/
Fri, 28 Jun 2024 14:47:08 +0000

As he departs from his role as Pentagon CIO, John Sherman spoke with DefenseScoop about his career in government and what challenges DOD faces in the future.

If there was one thing John Sherman wasn’t afraid to do during his time as the Pentagon’s chief information officer, it was advocating for new ideas in a bureaucracy that is infamously resistant to change.

He entered the role in December 2021, a tumultuous era marked by controversy over the Joint Enterprise Defense Infrastructure (JEDI) cloud effort. In the midst of the fallout, Sherman recognized that the department needed to pivot.

“I truly felt we were figuratively fighting and dying on a hill not worth fighting and dying on,” Sherman told DefenseScoop. “All this litigation that we were stuck in and back-and-forth between the several cloud service providers, I felt we were all expending energy against the wrong goals.”

Six months into his tenure as DOD CIO, he made the recommendation to cancel JEDI — a program that sought a single vendor for the Pentagon’s first enterprise cloud capability — and pivot to a multi-vendor acquisition process under what is now known as the Joint Warfighting Cloud Capability (JWCC).

“That, to me, has been the flagship or one of the top achievements I’ve had as CIO,” Sherman said.

Sherman announced June 6 that he would be departing as Pentagon CIO by the end of the month, moving into a new role at Texas A&M University, his alma mater, as the Dean of the Bush School of Government and Public Service.

During an exit interview with DefenseScoop on Monday, Sherman reflected on his nearly three-decade career in government where he often campaigned for novel approaches and technologies to accomplish missions.

“Anytime you’re doing something new, you’re gonna break some glass doing it,” he said.

A ‘digitally focused’ IC

After serving in the Army as an air defense officer in the 24th Infantry Division, Sherman said he was interested in working in the intelligence community and initially applied to be an all-source analyst at the Central Intelligence Agency.

But when he received his interview package, he was sent to Building 213 in Washington, D.C.’s Navy Yard where the DOD was standing up the new National Imagery and Mapping Agency — now known as the National Geospatial-Intelligence Agency (NGA). Sherman was hired as an imagery analyst in 1997, investigating and distributing geospatial intelligence on the Iraqi Republican Guard.

“Working that Republican Guard account for several years will, and continues to be, one of my fondest memories in the IC — working with some amazing teammates in Building 213 supporting U.S. Central Command and other entities with what I thought was insightful analysis during the no-fly-zone days, and then moving to the start of Operation Iraqi Freedom and onward,” Sherman said.

He would spend the next 23 years in the intelligence community, including as the CIA duty officer in the White House Situation Room, an all-source analyst on the National Intelligence Council and a role at the NGA Office of the Americas.

Notably, Sherman was part of the small team that was present in the White House Situation Room on the morning of the September 11 attacks on the World Trade Center.

“It was a sobering experience, but also we were honored to be there to support crisis operations on that day,” he said.

In 2014, the CIA was looking to become more “digitally focused,” and Sherman became one of two deputy directors of the CIA’s Open Source Enterprise (OSE) managing the tradecraft of open source intelligence. He led the Middle East and Asia portfolios, as well as the portfolio for emerging technologies where he first began experimenting with commercial cloud capabilities, he noted.

While at OSE, Sherman helped stand up a low-side cloud capability called the Open Source Data Layer and Services (OSPLS). The effort leveraged Amazon Web Services and other capabilities provided by the IC’s Commercial Cloud Services (C2S) program to provide a cloud-based environment for less sensitive and non-critical information.

He detailed how he also took part in the Eyesight Mission Users Group. Although the group’s focus is classified, Sherman said the experience taught him critical lessons on data standards and exactly how cloud technology works.

“What I was able to do was, as one of the initiative leaders, use open-source gathered information to feed into NSA’s gov cloud — which was their part of the classified capability — to then run the compute against this open-source information and find new things that we would not have been able to discover otherwise,” he said.

Sherman was later tapped to serve as the intelligence community’s CIO in 2017, and during his time he initiated several innovative changes that allowed the IC’s IT enterprise to evolve. 

One of those was shifting focus on a program known as the Common IC Desktop Enterprise, which initially looked to create a unified architecture that would allow analysts and officers to move between agencies without the hassle of transferring their data. Despite all of the money and time the IC had already invested into the effort, Sherman said he recognized it wasn’t working.

“It was never going to scale out to being this IC-level capability that it was envisioned to be, and so we pivoted to a federated architecture where we would have standards and then be able to accomplish some of the same interfaces — but not with this unified overall architecture that we were first going along,” he said. 

Another accomplishment as IC CIO was the creation of the Commercial Cloud Enterprise (C2E) program. The intelligence community had been using a single-vendor approach under C2S since 2014, and Sherman initiated the follow-on C2E effort to bring a multi-vendor, multi-cloud capability to the IC in 2020, with Amazon Web Services, Microsoft, Google, Oracle and IBM serving as vendors.

“I’ll also admit this freely — C2E was the model for what became JWCC at DOD,” he said.

Leaning into hard decisions

Sherman was brought into the Defense Department as the principal deputy CIO in 2020, later replacing then-CIO Dana Deasy when he left his position in 2021. Although the department was grappling with many problems with its IT enterprise then, there are still a number of other issues the new CIO who replaces him will face in the future, he said.

“I don’t know what the next hard decision is going to be, but be ready to lean into that,” he said. 

Still, Sherman touted the accomplishments he made during his time at the Pentagon, especially related to the department’s pivot to JWCC and the awards made to Google, Oracle, Amazon Web Services and Microsoft for the program at the end of 2022.

He noted that over $700 million worth of task orders across all three security classifications have been awarded through JWCC to date, with organizations like the F-35 Joint Program Office, defense agencies and combatant commands all on board with the program.

JWCC’s growth has also initiated the Pentagon’s new Joint Operational Edge (JOE) initiative to provide cloud capabilities at the tactical edge — a concept he calls the “lily pad.” One JOE cloud has already been installed at Joint Base Pearl Harbor-Hickam in Hawaii, another is coming online next in Japan, and the Pentagon is currently looking at sites for a third one in Europe, he said.

“One of the big things that we talk about a lot with cloud tradecraft is procuring cloud is not the end of the story. You have to learn how to use it, you have to learn how to apply it to your mission,” Sherman noted.

As it prepares for the next phase of the program, dubbed JWCC 2.0, Sherman has directed the CIO’s team to conduct an after-action review of the entire effort. 

“While I’m a huge fan of it, I know it’s not perfect. Because like with C2E, we’re kind of figuring out how to walk and chew gum in a multi-vendor environment,” he said. “What can we do better for JWCC 2.0? Are there things we can put into place to make [software-as-a-service] offerings easier to manage?”

Along with cloud modernization, Sherman has led efforts to improve user experience at the department by creating a UX portfolio management office at the CIO, fix the lengthy authority to operate (ATO) process in response to complaints from industry, and move the Pentagon into adopting a zero-trust cybersecurity framework by 2027.

In a statement to DefenseScoop, Deputy Secretary of Defense Kathleen Hicks praised Sherman for positioning the department for success while he served as CIO.

“John tackled some of the most complex challenges in the Department during his tenure, advancing the Department’s information advantage and improving our decision superiority, from the combatant commander down to the platoon leader,” Hicks said. “His leadership on ground-breaking initiatives such as the Joint Warfighting Cloud Capability, Zero Trust Architecture, and the Emerging Mid-Band Spectrum Sharing assessment materially strengthened US national security.”

A key challenge for the department moving forward will be to ensure it is modernizing at the pace it needs to, all while leveraging industry capabilities when it can, he said.

“As we talk big thoughts about edge cloud and transport and zero trust, never forget that it comes down to a service member’s ability or civilian’s ability to do their job — not only at the Pentagon, but out at Osan Air Base in Korea, or onboard a ship in the Red Sea, or at a special forces detachment in Africa,” Sherman emphasized.

Another will be tackling the Pentagon’s growing tech debt, he added. Warfighters are still using a lot of outdated technology from previous conflicts in the Middle East, and Sherman noted that understanding that priority and leveraging the entire enterprise to address it quickly is crucial for the department.

“We’ve got to pay the piper on this because in the digital battlefield that we’ve seen in places like Ukraine and what we could have to face in the western Pacific, these digital IT capabilities are war-winning technologies,” Sherman said. “It’s not just blinky lights and data centers, this is the difference for decision capability for our commanders.”

When asked what advice he would give to the next DOD CIO, Sherman emphasized the importance of working as a team with all of the departments and components at the Pentagon, as well as collaborating with industry as much as possible.

Leslie Beavers, DOD’s principal deputy CIO, will serve as acting CIO as Sherman departs until the department makes a decision on a full-time replacement.

He also pointed to the importance of strong leadership when making hard decisions and setting a clear north star for some of the departments where change might be a heavy lift.

“This has been the greatest opportunity I’ve had professionally, but also I’d be lying if I didn’t say it’s the most challenging,” Sherman said. “So that would be my advice to the next CIO: Buckle your chin strap and get ready, because this is going to be a heck of a ride.”

Army planning 2 pilot efforts to streamline improvements in cATO processes
https://defensescoop.com/2024/05/14/army-cato-pilot-efforts-continuous-authority-operate/
Tue, 14 May 2024 21:58:41 +0000

“I feel very confident that by the end of this year, we could potentially have up to seven programs that have certified [continuous integration and continuous deployment] pipelines,” Army CIO Leonel Garciga said.

The Army is on the cusp of launching a new initiative to refine its ability to monitor cybersecurity risks to its systems, beginning with two pilot efforts that will inform a service-wide transition to leveraging continuous authority to operate (cATO) frameworks.

The service has identified two existing Army programs that will be the first to receive cATOs, Army Chief Information Officer Leonel Garciga told DefenseScoop on Tuesday during a roundtable with reporters. The goal is to execute a four-step implementation plan over the next few months, and for the two pilots to receive cATOs by the end of the summer, he said. 

While he was unable to detail which Army programs would be part of the pilot effort, Garciga said both “are production-level systems and they are delivering to production right now. They are mature, these are not [research-and-development] programs. They’re not training, they’re not testing, these are programs that are up and running and operational today.”

Due to the growing reliance on software-based systems, organizations across the Pentagon have sought to improve the ATO process without slowing down innovation. A continuous ATO grants IT systems permission to operate without needing to be reauthorized — an often lengthy process that has been known to stifle modernization efforts — by implementing automated monitoring and security controls to ensure compliance from the early stages of development.

Much like others at the Defense Department, the Army is still at the beginning stages of reforming how it uses cATOs, Garciga said. The two pilots will be used to inform the service’s larger policy guidance on cATOs that is underway.

Overall, the Army is tracking seven programs doing DevSecOps that could be a good pool of candidates to receive a continuous ATO, Garciga said.

“I feel very confident that by the end of this year, we could potentially have up to seven programs that have certified [continuous integration and continuous deployment] pipelines,” he said.

The pilots come as the Army looks to implement modern software development and acquisition practices through its new software directive, published in March. The guidance implements a number of changes aimed at improving its approach to software, including a directive that calls on the Army to transition from the traditional ATO to a continuous ATO process.

As part of the four-step plan, the Army will first provide guidance that outlines what the accredited framework will need to look like — a document that will be out in “the next two weeks” for its first two pilot programs, Garciga said. Then, the service will provide additional guidance to the force on configuration management and release management for DevSecOps, he added.

“Once you have the first two, that builds the foundation for you to say, ‘Hey, this is what a [DevSecOps] pipeline looks like, and this is the bare minimum that you need to get it certified.’ Once that’s done and you have all that together, then we’re going to put out guidance that says, ‘This is how you get your cATO,’” Garciga explained.

DOD publishes new software modernization strategy, memos on code
https://defensescoop.com/2022/02/04/dod-publishes-new-software-modernization-strategy-memos-on-code/
Fri, 04 Feb 2022 16:02:55 +0000

A recent spate of software memos aims to increase collaboration and the use of code as part of the DOD's "DNA," says chief software officer Jason Weiss.

The post DOD publishes new software modernization strategy, memos on code appeared first on DefenseScoop.

The Department of Defense issued a rash of new software policy documents in recent days, including a new Software Modernization Strategy, aimed at speeding up the way the military codes.

The strategy, published Wednesday, was accompanied by recent memos on strengthening cybersecurity with a “continuous Authority to Operate” and another on the importance of open-source software.

Together, the documents aim to push software closer to the center of how DOD does business and wages war with a more collaborative approach to coding across software factories and services.

“We are approaching that apex point where we are going forward concretely, decisively and it’s really exciting,” Jason Weiss, the DOD’s chief software officer, told FedScoop in an interview about the documents.

Weiss added the timing on the three memos was simply “fortuitous.”

New strategy

The new Software Modernization Strategy calls for an enterprise approach to the services needed to build software. Its main goals include increasing migration to an enterprise cloud, establishing a departmentwide software factory ecosystem and transforming processes to enable faster and more resilient code deployment.

Weiss said a key enabler of achieving these goals will be collaboration among the 29 software factories and the creation of “enterprise shared services.”

“Our ability to execute as a single team means we actually need to start sharing more,” he said.

How that sharing will work is still an unanswered question. Some collaboration will come down to the factories publishing reference designs, sharing tools they build and signing agreements like Platform One and Kessel Run recently did.

But the deployment of shared services cuts across budgetary and cultural silos that Weiss said will require a “hybrid model” of different military departments taking the lead on different aspects of services available to all.

“I am actually pretty bullish on our ability to solve this,” he said.

Making ATOs continuous

Often the longest part of deploying a new piece of software is getting it an authority to operate (ATO), which is typically granted after a system is checked against a long list of security controls. But that only shows the system passed security checks at one point in time; there are few means to monitor how well the software holds up against new forms of attack afterward.

The DOD issued a separate memo Wednesday aimed at modernizing the ATO process, also by enhancing collaboration. The goal is to remake the ATO process into a “continuous” one by giving what Weiss calls a “shared language” to the services.

“They were coming along with languages that were ‘service proprietary,’” he said about talks on reciprocity and how to accredit systems from different services.

Now, the DOD chief information security officer has the ability to create cATOs, an authority Weiss said will only temporarily be unique to the CISO.

“He does not intend to retain that long-term,” Weiss said, citing the possibilities of creating new bottlenecks.

The basic principles come down to visibility of cybersecurity activities inside the system, active cyber defense and using a DevSecOps reference design to be able to continuously update code based on user feedback and security needs.

“We are starting to see some significant momentum behind DevSecOps,” Weiss said.

Collectively, the memos and new strategy push the department toward a more software-focused future. Yet another example of this is a Jan. 24 memo on open source software that pushes the DOD to use code from the public to the “maximum extent practical” as a means to get away from vendor lock-in and reduce cost.

“Collaboration is tantamount to success,” Weiss said of the new policies.
