
US DoD gets set to develop SWFT framework, issues RFIs to advance secure software development and authorization

The U.S. Department of Defense (DoD) released on Monday details of an initiative, ‘Accelerating Secure Software,’ and kicked off a 90-day sprint to develop the Software Fast Track (SWFT) framework and implementation plan. The move will lead the Department’s adoption of best practices to obtain, develop, and field secure software. The SWFT Initiative will define clear, specific cybersecurity and Supply Chain Risk Management (SCRM) requirements; rigorous software security verification processes; secure information sharing mechanisms; and federal government-led risk determinations to expedite the cybersecurity authorizations for rapid software adoption.

Signed by Katie Arrington, performing the duties of the DoD Chief Information Officer (CIO), the framework fulfills Defense Secretary Pete Hegseth’s commitment to transform how the Department develops, authorizes, and deploys the software that underpins the U.S. Joint Force’s unmatched lethality. Aligned with Secretary Hegseth’s directive, ‘Modern Software Acquisition to Maximize Lethality,’ the initiative will fundamentally reform the Department’s approach to acquiring, testing, and authorizing secure software.

Arrington detailed that current systems for software procurement were developed for a different environment and use processes that are outdated and slow, with little to no supply chain visibility.

In a memo issued to senior Pentagon leadership, commanders of combatant commands, the Defense Agency, and DoD Field Activity directors, Arrington said that lengthy, outdated cybersecurity authorization processes frustrate agile, continuous delivery. Additionally, widespread use of open-source software, with contributions from developers worldwide, presents a significant and ongoing challenge. The fact that the Department currently lacks visibility into the origins and security of software code hampers software security assurance.

She added that her office, in coordination with the Under Secretaries of Defense for Acquisition and Sustainment, Intelligence and Security, and Research and Engineering, will develop and submit the SWFT Framework and Implementation Plan within 90 days. Enhancing the Department’s ability to rapidly deliver high-quality, secure software to the Warfighter will significantly strengthen the lethality and resilience of the Joint Force.

The DoD announced three Requests for Information (RFI) to gather market information and capabilities in accelerating secure software delivery to the federal government. This is an important step forward in transforming how the federal government verifies software security and informs risk-based decisions when introducing new capabilities to the DoD, putting the nation on a path to rebuild military capabilities.

In the first RFI covering SWFT tools, the government requests industry input on several topics related to the objectives of this RFI. These topics include identifying specific references or industry standards leveraged when considering secure software development and addressing software supply chain threats and vulnerabilities that affect both companies and their software products. Also, SWFT may assess how organizations implement secure software development practices as outlined in NIST Special Publication (SP) 800-218. Any obstacles encountered in implementing this guidance or in producing an attestation of such implementation should be described.

For commercial software products, it should be indicated whether a Software Bill of Materials (SBOM) is provided that includes component-level (artifact-level) details. If an SBOM is not provided, the obstacles preventing this should be explained. If SBOMs are provided, the tools supporting this process should be identified. The types of artifacts produced to perform risk assessments of software should be described, along with whether automated tools are used to generate these artifacts.

The extent to which these software risk assessment artifacts can be shared with the Department of Defense to support consistent and secure DoD-led risk assessments should be stated. If they cannot be shared, recommendations should be provided regarding the types of artifacts the DoD should require to equip authorization officials with adequate risk information. Methods by which organizations can support secure and automated information sharing to accelerate rigorous software security verification processes should also be explained.

All responses to this RFI are to be submitted by noon Eastern Standard Time (EST) on May 20, and responses will be accepted via electronic means only.

In the second RFI covering SWFT External Assessment Methodologies, the government requests industry input regarding whether the organization currently maintains an audit function that assesses software security. If such a function exists, specify whether it is internal or external, and whether the assessment is performed as part of another compliance regime, including which one(s). It also seeks to identify the specific organizational and personnel qualifications and requirements recommended for executing external assessment functions within the SWFT Initiative.

It also asks respondents to describe how a SWFT external assessment could demonstrate technical expertise, cybersecurity capability, and SCRM experience, including protection of sensitive data, impartiality, and independence. It asks them to outline the collaboration required among suppliers, external assessors, and the DoD, to provide recommendations for secure information sharing mechanisms, and to explain how an external assessment could support the evaluation of SWFT artifacts, including a supplier’s SBOM, as well as DoD-led risk assessments and automated information sharing to accelerate and maintain rigorous software security verification processes.

All responses to this RFI are to be submitted by noon Eastern Daylight Time (EDT) on May 20, and responses will be accepted electronically.

In the third RFI covering SWFT Automation and Artificial Intelligence (AI), the government requests industry input on certain topics as they pertain to the objectives of this RFI. These include identifying possible ways in which automation or AI could assist in streamlining DoD-led SWFT risk assessments within the DoD-defined Risk Management Framework (RMF). It also describes potential challenges associated with implementing automation or AI in high-trust environments, particularly in relation to cybersecurity authorization and official responsibilities.

Furthermore, it specifies the data requirements necessary to support SWFT automation and AI capabilities, including data from supplier SBOMs, DoD sources, or third-party providers, and outlines key considerations that the DoD should prioritize when evaluating automation and AI solutions intended for use in DoD-led SWFT risk assessments and determinations.

All responses to this RFI are to be submitted by noon EST on May 20, and responses will be accepted via electronic means only.

Earlier this year, an audit report from the DoD revealed that the defense agency did not properly implement the process for authorizing third-party organizations to conduct Level 2 Cybersecurity Maturity Model Certification (CMMC) 2.0 assessments. The DoD audit report provided a review of 11 CMMC third-party organizations (C3PAOs) that showed that the DoD and Cyber Accreditation Body (AB) officials ensured compliance with 10 out of 12 requirements before authorizing C3PAOs to perform CMMC Level 2 assessments.
