Under the Software Fast Track (SWIFT) program, the Pentagon will use artificial intelligence to replace legacy authority to operate (ATO) and Risk Management Framework (RMF) processes when buying new software. Acting DOD CIO Katie Arrington signed a memo authorizing the new effort, and it will officially launch May 1, she said.

“We need to change our thought process, because having software in an ATO that is a static environment doesn’t help the warfighter,” Arrington said Tuesday during a keynote at the UiPath on Tour Public Sector event, produced by FedScoop. “What changes every single day is the network, the software [and] the environment. Why are we so structured to stay in a static position when our adversaries are always dynamic?”

As the Pentagon becomes more dependent on software-based capabilities, leaders have looked to pivot away from traditional ATO frameworks encumbered by lengthy administrative processes and manual paperwork that can stifle modernization. Some organizations have begun exploring continuous authority to operate (cATO) methods, which use automated monitoring and security controls to approve software without need for reauthorization.

Instead, SWIFT will do a third-party assessment of companies’ cybersecurity postures based on 12 risk characteristics. Vendors will also be required to provide a software bill of materials (SBOM) “from production and sandbox” that is certified by a third party, Arrington said. 

“I have AI on the backside — large language modeling — that will determine if there are any anomalies, if there’s something in your source code that’s bad. If not, you get a provisional ATO,” she said.

Arrington added that SWIFT will allow the department to pivot away from the current RMF, a structured set of guidelines used to identify and manage potential cybersecurity risks on networks. For more than a decade, the framework has guided the Pentagon’s acquisition process for all of its systems — from development to sustainment.

“I’m blowing up the RMF. The RMF is archaic, it’s a bunch of paperwork,” Arrington said. She added that in the next year, she hopes that ATOs are “something I never hear about again.”

SWIFT comes as Secretary of Defense Pete Hegseth is pushing the entire department to speed up procurement and delivery of digital and software-based capabilities. In March, Hegseth issued a memo that calls on Pentagon leaders to use innovative acquisition authorities — from the Software Acquisition Policy to commercial solutions openings — to rapidly buy software.

“We need more innovation. The [secretary of defense] has told us, bring software, bring [commercial-off-the-shelf] into the building faster, at a more rapid rate,” Arrington said. “And our job is to ensure that we are doing the best to ensure that we have lethality, that we’re ready and that we’re efficient.”

When the program launches, Arrington said she plans to bring together all of the department’s CIOs, chief information security officers, the acquisition and sustainment directorate and other stakeholders at the Pentagon. In the near future, the department plans to release a request for information (RFI) to gather industry input.

The post New Pentagon program to speed up software acquisition set to launch May 1 appeared first on DefenseScoop.

After developing close relationships with Army Combat Capabilities Development Command Aviation and Missile Center (AvMC) and additional offices based in Huntsville, Alabama, officials are in early stages of developing a plan that will allow hardware-centric programs to leverage continuous integration and continuous deployment (CI/CD) pipelines, Army CIO Leonel Garciga told DefenseScoop. The goal is to have a firm idea of how the service can approve the frameworks and have a testing infrastructure developed within the next 12 to 18 months.

“We’re moving down that path and in very nascent conversations, starting with the ground system folks who have a very similar requirement,” Garciga said recently in an exclusive interview. “They’re [saying], ‘Hey, if you guys could do this for the aviation guys and for the missile folks, why can’t you do this for us?’”

The effort is part of a larger ongoing initiative to streamline the Army’s cATO processes and improve how the service deploys software onto its networks, first outlined in the Army’s software directive published in 2024. The service kick-started work last fall with two pilot efforts intended to inform eventual service-wide guidance to approving cATO frameworks. 

As the Pentagon becomes increasingly dependent on software-based capabilities, organizations have sought to transition away from traditional ATO frameworks encumbered by administrative processes and manual paperwork that can take months to complete. In comparison, a continuous ATO leverages automated monitoring and security controls to ensure that CI/CD pipelines deploying software onto networks remain compliant.

“It takes this idea of paper shuffling and moving it around to experts and makes it readily available for folks to make decisions as new software is developed, … just based on the tools that are out there and what the threat position of the network they’re falling on looks like,” Garciga said.

The Army is initially focusing on accelerating programs and systems that are more mature than others, meaning their cybersecurity professionals, processes and technologies are aligned so that it’s easier to approve a CI/CD pipeline tailored for that specific program, Garciga explained. That means those programs can serve as a leading edge for the service, allowing for others to leverage that work and build their own maturity.

“We’re in the maturing stage, and we’re really focused around some small pilot programs — both programs of record within a program executive office and some commands — that have some maturity, so that we can build out that foundational approach,” he said.

But programs with hardware-in-the-middle present a number of extra challenges to getting a cATO, as many Army systems operate using customized software that doesn’t have an existing parallel in the commercial sector the service can work off of, Garciga noted.

Approving a CI/CD pipeline for those systems would require the Army to inject themselves at the vendor’s site or purchase all of the equipment again so officials can test and integrate it somewhere else, he said.

“We’re really focused on tackling the hard model first, which has been — I have it all at the vendor site, how do I share data back and forth as software gets built to validate it and test it before I put it on a kit?” Garciga said. “That’s been one that we’ve been spending quite a bit of time on, because that has been truly one of the bigger challenges and one of the big rocks that we want to slay.”

Another issue the CIO pointed to is that hardware-centric platforms often integrate with several other internal and external systems, and updating that enabling software would require either physical or simulated testing to ensure interoperability.

“There’s a technical integration between two systems that software is written on,” he said. “We have to have a way to write that software fast, put it in there and still test that maneuverability piece without having to physically go on a tank and do it every single time.”

To that end, Garciga’s team has been working alongside personnel from the office of the assistant secretary of the Army for acquisition, logistics and technology to develop a comprehensive, cloud-based test harness where different programs can validate their software. The service wants to have that platform up and running by the third quarter of 2025.

As for the service’s two ongoing pilot cATO efforts, Garciga said they’ve shown promise and that the Army is still capturing lessons learned as it moves to work with other programs. He noted that offices have come forward with a higher maturity than they initially expected, and he anticipates a continued growth of people approved for CI/CD pipelines.

“What we’re working on right now is we have about seven folks in the hopper that we’re going to walk the dog and certify their CI/CD approach,” Garciga said. “We really want to focus on having teams come and be able to explain how they have their cybersecurity people integrated into the process, and evaluate the skillset and maturity level so, as they’re developing code on these systems, we have a firm understanding that the people, process [and] technology piece is mature enough to get to what is a cATO.”

The post Army developing plans to improve cATO pipelines for weapon systems appeared first on DefenseScoop.

Speaking during a panel Wednesday at the annual AUSA conference, Army CIO Leonel Garciga said the upcoming memo — set to release in the next two weeks — will approve two continuous integration and continuous deployment (CI/CD) pipelines. One will be for the Army’s Nett Warrior program of record at program executive office soldier, and a second will be for the defensive cyber operations (DCO) under PEO intelligence, electronic warfare and sensors, which develops capabilities for Army Cyber Command.

“So, two different views and two different operating models, but the intent here is to get their CI/CD pipelines approved,” Garciga said, adding that around eight more programs have expressed interest in getting the green light for similar frameworks. 

The memo comes on the heels of the Army’s new focus on implementing modern software development and acquisition practices via its new software directive, published in March. Along with overarching guidance to improve the service’s approach to developing and delivering software, the directive calls on the Army to transition to continuous ATO processes. 

“One of the tasks in the software directive — besides just more generalized risk management framework and cybersecurity reform — was really like, can we get to this point to put out guidance for cATO?” Garciga said. “There hasn’t really been any guidance, right? It’s still the traditional checklist. So we’re taking the new digital process and using our great industrial-age processes to overlay on top of them. [That] doesn’t end well for most of us.”

Organizations across the Pentagon have been looking to implement continuous ATO frameworks due to a growing reliance on software-based warfighting systems. By using automated monitoring and security controls to ensure compliance, a continuous ATO grants IT systems permission to operate on a network without the need for reauthorization — an often lengthy process that can stifle modernization.

Along with the two CI/CD pipeline pilots, the upcoming memo will lay the initial foundation for the Army’s transition to cATO processes and establish requirements for accredited frameworks, Garciga said.

“The first level is identifying and saying, ‘Hey look, if you meet these requirements — whether you’re a department asset, an Army asset or even a commercial asset — if you meet these requirements, we’ll approve these platforms to be used,’” he said. “We got to make sure that they’re platforms that are safe to operate on, they got to meet the minimum requirements break.”

The goal is to work with different Army program offices and ensure they can have new code for their systems delivered securely, and in a manner that is tailored for their specific programs.

“Some programs may just not need to have a full CI/CD pipeline, and we’ve got to acknowledge that, right? So the plan is … as folks come in, we walk through what their pipeline is. And it’s not a checklist, it’s about [concept of operations],” Garciga said.

As the service works through the first two pilot efforts, the Army CIO will begin looking at how to integrate cATO processes for larger weapon systems programs, such as the High Mobility Artillery Rocket System (HIMARS), Garciga noted.

“Because that’s where we’re talking major dollars and major effects, right? Getting a new firing table out there in a couple of hours is a big deal. So, how do we get that? That is our next pilot effort, is working with the program over there to work on some of these problems, to have a hardware-in-the-middle approach,” he said.

The post Army set to release new guidance to improve cATO processes through new pilot efforts appeared first on DefenseScoop.

The service has identified two existing Army programs that will be the first to receive cATOs, Army Chief Information Officer Leonel Garciga told DefenseScoop on Tuesday during a roundtable with reporters. The goal is to execute a four-step implementation plan over the next few months, and for the two pilots to receive cATOs by the end of the summer, he said. 

While he was unable to detail which Army programs would be part of the pilot effort, Garciga said both “are production-level systems and they are delivering to production right now. They are mature, these are not [research-and-development] programs. They’re not training, they’re not testing, these are programs that are up and running and operational today.”

Due to the growing reliance on software-based systems, organizations across the Pentagon have sought to improve the ATO process without slowing down innovation. A continuous ATO grants IT systems permission to operate without needing to be reauthorized — an often lengthy process that has been known to stifle modernization efforts — by implementing automated monitoring and security controls to ensure compliance from the early stages of development.

Much like others at the Defense Department, the Army is still at the beginning stages of reforming how it uses cATOs, Garciga said. The two pilots will be used to inform the service’s larger policy guidance on cATOs that is underway.

Overall, the Army is tracking seven programs doing DevSecOps that could be a good pool of candidates to receive a continuous ATO, Garciga said.

“I feel very confident that by the end of this year, we could potentially have up to seven programs that have certified [continuous integration and continuous deployment] pipelines,” he said.

The pilots come as the Army looks to implement modern software development and acquisition practices through its new software directive, published in March. The guidance implements a number of changes aimed at improving its approach to software, including a directive that calls on the Army to transition from the traditional ATO to a continuous ATO process.

As part of the four-step plan, the Army will first provide guidance that outlines what the accredited framework will need to look like — a document that will be out in “the next two weeks” for its first two pilot programs, Garciga said. Then, the service will provide additional guidance to the force on configuration management and release management for DevSecOps, he added.

“Once you have the first two, that builds the foundation for you to say, ‘Hey, this is what a [DevSecOps] pipeline looks like, and this is the bare minimum that you need to get it certified.’ Once that’s done and you have all that together, then we’re going to put out guidance that says, ‘This is how you get your cATO,’” Garciga explained.

The post Army planning 2 pilot efforts to streamline improvements in cATO processes appeared first on DefenseScoop.

A mark for the fiscal 2025 Servicemember Quality of Life Improvement and National Defense Authorization Act, released Monday, calls for the modernization of the Department of Defense’s ATO processes.

The proposal, put forth by the House Armed Services Subcommittee on Cyber Innovative Technologies and Information Systems (CITI), would require the DOD to institute the presumption of reciprocal software accrediting standards.

Reciprocity essentially enables federal entities to reuse another internal or external organization’s assessments to share information — and ultimately reduce associated costs in time and investments that accompany approving IT systems to operate on the information networks.

Section 1522 of the CITI subcommittee mark would require the chief information officers of the U.S. military departments to jointly develop and implement a policy and guidance — not later than 270 days after the enactment of the NDAA — “requiring authorizing officials in the military departments to presume the cybersecurity of a cloud-based platform, service, or application that has already been accredited by another authorizing official in a military department for the same or similar purposes and the same classification level when determining whether to approve or deny a request for an Authorization to Operate for such cloud-based platform, service, or application.”

The guidance would also require authorizing officials to consult with the current or planned mission owners of a cloud-based platform, service, or application when they’re making a determination whether to approve or deny an ATO request.

Additionally, officials who are making a determination to approve or deny an ATO request for a cloud-based platform, service, or application would have to ensure that documentation containing all of the relevant details of the cybersecurity, accreditation, performance and operational capabilities of such technology are “easily accessible and comprehensible to all relevant stakeholders with respect to such request,” according to the text of the mark.

The DOD would also have to develop and implement a system for the digital sharing of that type of documentation.

“The policy and guidance developed under this subsection shall apply with respect to all cloud-based platforms, services, and applications capabilities operating across accredited cloud environments of the military departments, to the extent practicable,” according to the mark.

The legislation comes as the Pentagon is forging ahead with various cloud initiatives as a key component of its IT modernization efforts.

Earlier this month, in response to industry complaints about the department’s ATO process, DOD leadership issued new guidance aimed at resolving risk management and cybersecurity reciprocity challenges.

The post Proposed legislation would push Pentagon to streamline ATO process for cloud-based capabilities appeared first on DefenseScoop.

Reciprocity essentially enables federal entities to reuse another internal or external organization’s assessments to share information — and ultimately reduce associated costs in time and investments that accompany approving IT systems to operate on the information networks.

During his keynote at the annual GEOINT Symposium on Wednesday, Pentagon Chief Information Officer John Sherman unveiled a new one-page memorandum signed by Deputy Defense Secretary Kathleen Hicks on May 2 that directs “testing re-use and reciprocity to be implemented [by DOD authorizing officials] except when the cybersecurity risk is too great.”

“This is coming from the deputy secretary on down that reciprocity should be a default. It should be the first choice as opposed to having to redo all the due diligence again. We’re trying to strike a balance in maintaining our [risk management framework-driven] cybersecurity, but to make sure that we are able to move more quickly and not have to basically check everyone’s homework,” Sherman told DefenseScoop in an interview after his keynote.

He provided a hypothetical scenario to help paint a picture of the key issues his team is trying to address and the type of acceleration they’re seeking to facilitate.

“If you have a company who’s already got a product that’s gone, say, through the Department of Air Force and got on an ATO there, then let’s say the Navy wanted to use it. By default, they should be willing to take the body of evidence of the authorizing official from the Air Force unless they look at it and there is a tangible, substantive reason why they don’t believe the ATO was done well enough — and then we have a bigger issue that we need to jump into. These Air Force and Navy examples are just hypothetical, but that’s what it does,” Sherman explained.

“If you have your company, you shouldn’t have to go through each different hoop and hurdle here. It should be more universally accepted,” he added.

Notably, Hicks’ memo also mandates that Pentagon components elevate any associated policy and implementation issues straight to Sherman and his team.

“DOD Components can request DOD CIO assistance in resolving reciprocity and other RMF policy, guidance, and technical issues by contacting the RMF Technical Advisory Group secretariat, within DOD CIO, at osd.pentagon.dod-cio.mbx.rmf-tag-secretariat@mail.mil,” Hicks wrote in the guidance.

During his keynote, Sherman spotlighted that elevation.

“I saw on LinkedIn, as recently as this morning, some folks talking about this. And I want to let you all know: We’ve heard you loud and clear on this within the DOD. I’m not going to say this is going to solve every bit of it, but it’s going to help us a bit,” he told the audience.

During the interview with DefenseScoop, he wouldn’t disclose exactly which industry representatives he was pointing to in that call-out.

“We’ve heard enough anecdotes. We need actual examples of where this is gumming up the process, because ATOs — which are necessary, you don’t want to not do these — but they have gotten a bad name as an innovation- or speed-stifler. So we’re going to take a little more direct involvement in this from the DOD CIO office,” Sherman said.

While this initial guidance is for the Pentagon, the CIO’s team is also going to generate and release similar recommendations for the intelligence community.

“That’s kind of our next hill to climb later, because of different classifications and where those bodies of evidence are kept on secret or top secret, versus unclassified databases and so on,” Sherman told DefenseScoop.

Acknowledging that “the software community is a very passionate community — and the ATO process, frankly, has been cumbersome,” the Pentagon’s top IT official confirmed that he opted to bring this up to Hicks for support.

“I’ll be very honest. We often, as a principal staff assistant, kind of pick where we need the big bosses to sign off. And we did believe on this one, yes, a CIO can do this, but [we should] have the deputy secretary send a very clear signal that this isn’t just CIO stuff. This is a department priority,” Sherman said.

The post Pentagon issues new guidance to address industry gripes about ATO process appeared first on DefenseScoop.

The new study — “Six Questions Every DOD AI and Autonomy Program Manager Needs to Be Prepared to Answer” — takes aim at internal bureaucratic DOD functions, like the authority to operate (ATO) process, that stifle rapid AI innovation in the U.S. military and prompts a series of questions anyone involved in adopting the emerging technology for defense should ask themselves.

Released Tuesday and authored by Greg Allen — a former AI policy lead for DOD who is now director of CSIS’s brand new Wadhwani Center for AI and Advanced Technologies — the study marks the first in a series of two papers Allen and CSIS plan to publish on the Pentagon’s complex, evolving and sometimes secretive efforts to deploy AI. 

“I’ve been working on this since December. But, I mean, it’s informed by my three years at the Department of Defense,” Allen told DefenseScoop in an interview on Tuesday. 

Allen served in multiple positions in the Pentagon between 2019 and when he departed in April 2022. “When I left, I was the Director of Strategy and Policy at the JAIC,” or Joint Artificial Intelligence Center, he noted. That center was one of four DOD components that were realigned and rebranded into the Chief Digital and AI Office, which was fully operating by late 2022. 

“Honestly, my real mental model for a reader was somebody having their first day at the JAIC. What would be every topic that you wanted to prepare that person to wrestle with, as they embark upon some kind of AI capability development or other effort in the DOD? And now, as the military services, and the combatant commands, and just the whole DOD enterprise is becoming fixated upon AI modernization, this is really designed to be a document that is useful to them and doing their jobs,” Allen explained.

Via his months-long study, Allen ultimately identified six questions DOD AI officials should brace to answer:

1. Mission — What problem are you trying to solve, and why is AI the right solution?
2. Data — How are you going to get enough of the right kind of data to develop and operate your AI system?
3. Computing Infrastructure and Network Access — How will you get the AI system approved to reside on and interact with all of the DOD networks required for its development and use?
4. Technical Talent — How are you going to attract enough of the right kind of AI talent and put that talent to good use?
5. End-User Feedback — How are you going to ensure that the operational user community is a frequent source of feedback and insight during the development process?
6. Budgeting and Transition — Are the diverse DOD development, procurement, and operational organizations involved with your AI capability adequately budgeting for their involvement in the program?

To inform his 33-page paper and these overarching questions, Allen interviewed dozens of experts involved in driving AI and autonomous technologies and policies, including current and former members of the DOD, allied nations, and officials in the private sector. Among those many discussions were a number with “technology companies and individuals who have been supporting Ukraine” in the unfolding conflict since Russia’s invasion, he confirmed.

“I would say the first thing that really surprised me was just how rapidly the Ukrainian military has been able to apply AI — I mean there are cases where an AI model went from an idea in someone’s head to an AI-enabled military capability that warfighters are using and loving in a real war in a matter of weeks. From the perspective of the DOD, I knew that it’s really hard to do something that fast. And if the Ukrainians are doing it, that means that so much of what makes it hard to move that fast is not about AI. It’s about the DOD,” Allen explained. 

Parts of his paper present and interrogate cases where Ukraine’s military has effectively unleashed advanced AI capabilities in combat incredibly rapidly compared to the Pentagon’s pace.  

“So, I think one of the answers to the question of, ‘Why is it possible for Ukraine to move so much faster [than DOD]?,’ is because they don’t face these [Authority to Operate, or ATO] regulations,” Allen said.

Each and every software system that processes data and functions on the Department of Defense Information Network (DODIN) is required to first obtain an official ATO from a certified government authorizing official. Allen calls ATOs “a major barrier to accelerating AI adoption” within the department in his paper.  

 “‘These challenges with ATOs are eating us alive,’” one senior DOD official told him in his research.

The regulations were created to address cybersecurity concerns around the department’s software applications.

“It’s not that the ATO process was designed for no good reason. It’s just that it has all of these unintended consequences of slowing down DOD AI transformation and really just software development in general,” Allen told DefenseScoop.

“How so many of the successes of DOD AI look differently when you view them through the lens of ATO challenges, right? A lot of the success of Task Force 59, for example, is being undertaken under a data-as-a-service model, or a contractor-owned contractor-operated model,” he continued.

One of the benefits of that approach is that all the data that the system generates is unclassified and can therefore live on commercial networks — and move at the speed of commercial development. A primary challenge, however, is that all of that development is taking place without access to classified data sources, or any kind of consideration of what it would mean to integrate these systems into classified networks that have certain unique features.

“So what that means — and I don’t mean to diminish Task Force 59’s achievements at all because they are really significant, as I sort of detail in the paper — but it does illustrate that they will hit sort of a plateau in terms of, or a ceiling rather, in terms of what types of use cases they can go after, and how impactful their systems will be — because it’s going to be really tough to hook all of that good stuff up to DOD networks,” Allen said.

Among the multiple other challenges he highlights, Allen pointed to some around end-user feedback in AI-enabled combat. He cites an example in his paper associated with “a really intimate relationship between the warfighter and AI developer” defending Ukraine in the unfolding war. 

“Iterative development with the end-user is this sort of critical aspect of success — really in all software development, but especially in anything related to AI — and my point is that the DOD macro-organizational structure, requirements, process, budget process, all of it just makes that so much harder to do,” Allen said.

Over the next few months, Allen is preparing his next paper in this CSIS series. For it, he plans to review and outline lessons learned from DOD AI and autonomy efforts over the past six years — and develop tips for policymakers and department leaders regarding mitigating some of the barriers laid out in this initial study.

He aims to explore high-profile pursuits like Project Maven and organizations like the CDAO to ultimately determine some operational and organizational constructs that could be introduced to “break this cycle.”

“Even the most successful AI initiatives at DOD have opportunities for improvement — and so it’s really trying to survey the entire landscape and make recommendations in that regard,” Allen said.

The post ‘It’s about the DOD’ — New study explores obstacles hindering Pentagon’s AI adoption  appeared first on DefenseScoop.