The Defense Department’s latest effort to obtain secure software kicked off a 90-day sprint today to develop a framework and implementation plan under the Software Fast Track (SWFT) initiative.

Katie Arrington, who is performing the duties of the DoD chief information officer, officially launched the initiative in a much-anticipated memo signed on April 24. The Pentagon only made the memo public today.

At the same time, the DoD CIO’s office released three requests for information (RFIs) under SWFT asking vendors for insights around tools, external assessments and how to best use automation and artificial intelligence to assist DoD-led risk assessment for expedited cybersecurity authorizations.

Katie Arrington is performing the duties of the DoD CIO.

“Instead of going through the arduous process of finding a program manager who will look at your software, send it to a lab and test it, I’m of a modern age. In the Supplier Performance Risk System (SPRS), it is backed by a platform called Enterprise Mission Assurance Support Service (eMASS). eMASS is approved from [unclassified] all the way up to special access program (SAP). What I’m going to have software providers do is provide me with their base risk scores on the DoD’s 12 characteristics of risk that range from financial to foreign ownership, control or influence (FOCI) to cyber, including the Cybersecurity Maturity Model Certification (CMMC) and onward down,” Arrington said at the recent AFCEA DC lunch on April 23.

“I’m going to ask you, if you’re a software provider, to provide me your software bill of materials (SBOM) in both your sandbox and production, along with a third-party SBOM. You’re going to populate those artifacts into eMASS. I will have AI tools on the back end to review the data instead of waiting for a human and if all of it passes the right requirements, provisional authority to operate (ATO). Here’s the better part, because I’m blowing up the risk management framework (RMF) and I’m blowing up the ATOs. They’re stupid. They’re archaic,” she said.

As part of the dismantling of the RMF, Arrington brought together on May 1 all service and agency CIOs and chief information security officers to determine what are the security questions and answers that matter the most.

“I want the RMF eliminated. It can be the framework we base it on, but I only have five things I really care about. Did you develop what you’re doing in secure by design? How do I validate that? Are you working with zero trust? How do I validate that? What’s more important in ATO or continuous monitoring? Continuous monitoring, so how do I do that?” she said. “After the May event, we’ll come back and then I’m going to ask industry, ‘does it make sense?’ As we’re redoing acquisition reform, we’re re looking at how to do the far why shouldn’t we be looking at the RMF, which is the thing that holds everything together, and it’s the most archaic thing in the world.”

New attempt to move toward continuous ATO

DoD moved to the RMF in 2018 when it transitioned away from the DoD Information Assurance Certification and Accreditation Process (DIACAP). The RMF is a unified framework for assessing organizational risk posed by IT systems and managing that risk by selecting the appropriate security controls. The framework supports continuous assessment as the security status changes throughout the system lifecycle.

Over time, however, the RMF became too static and unable to guarantee the security of a system. DoD tried to promote the concept of continuous authority to operate (cATO) in a 2022 memo from the CIO. The concept focused on enabling system owners to show they’re capable of defending their systems in real-time and that they have a secure software supply chain.

The Navy, for example, has been moving away from the RMF for more than three years with the “Cyber Ready” approach, which focuses instead on continuous monitoring and ongoing risk assessments. Former Navy Secretary Carlos Del Toro announced the “Cyber Ready” initiative in August 2022 in a memo outlining its principles of pre-emptive cyber defense.

The SWFT initiative is Arrington’s attempt to finally move DoD, particularly software that the military buys to this cATO approach.

“I remember when we were going from DICAP to RMF, I wanted to pull my hair out. It’s still paper. Who reads it? What we do is a program protection plan? We write it, we put it inside the program. We say, ‘this is what we’ll be looking to protect the program.’ We put it in a file, and we don’t look at it for three years,” she said. “We have to get away from paperwork. We have to get away from the way we’ve done business to the way we need to do business, and it’s going to be painful, and they’re going to be a lot of things that we do, and mistakes will be made. I really hope that industry doesn’t do what industry tends to do is want to sue the federal government instead of working with us to fix the problems. I would really love that.”

Along with the memo, Arrington’s office released three RFIs to gauge industry insights and feedback for how to make the process work best.

The first RFI is for SWFT tools.

“DoD seeks industry perspectives for SWFT risk criteria for consistent, secure and accelerated risk assessments. The SWFT supply chain risk management (SCRM) requirements will equip DoD authorization officials with product-specific risk information throughout the software development life cycle,” DoD wrote in the RFI.

DoD seeks answer to six questions, including:

• What are the specific references or industry standards organizations rely on when considering secure software development and software supply chain threats and vulnerabilities to a company and its software products?
• What artifacts does your organization produce to perform risk assessments of software? Does your organization use automated tools to produce these artifacts?

The second RFI is for external assessments to streamline the processes.

“DoD seeks industry perspectives that utilize existing external assessment methodologies that can serve the SWFT initiative. These external assessment methodologies must support rigorous software security verification processes and enable DoD-led risk determinations,” DoD wrote.

DoD laid out five questions, including:

• Does your organization currently have an audit function that assesses software security? If so, internal or external? And is this assessment performed as part of another compliance regime? Which one(s)?
• How could a SWFT external assessment demonstrate technical expertise, cybersecurity, and supply chain risk management (SCRM) experience that is inclusive of sensitive data protection, impartiality, and independence?

The third RFI is how best to apply automation and AI tools to the assessments.

“DoD seeks industry perspectives for the use of automation and artificial intelligence to assist DoD-led risk assessment for expedited cybersecurity authorizations. Risk assessment assistance will utilize supplier SBOM, SWFT artifacts and attestations, and DoD-specific knowledge (e.g., mission impact determinations),” DoD wrote.

Industry has only four questions to answer in this RFI, including:

• What are the possible ways that automation or AI could assist to streamline DoD-led SWFT risk assessments under the DoD defined Risk Management Framework (RMF)?
•  What are the considerations that DoD should prioritize when evaluating automation and AI solutions for DoD-led SWFT risk assessments and determinations?

Responses to all three RFIs are due by May 20.

“This initiative will lead the department’s adoption in best practices to obtain, develop and field secure software,” Arrington wrote in the memo. “The SWFT initiative will define clear, specific cybersecurity and SCRM requirements, rigorous software security verification processes, secure information sharing mechanisms and federal government-led risk determinations to expedite the cybersecurity authorizations for rapid software adoption.”

The post Arrington kicks off effort to eliminate RMF for DoD software first appeared on Federal News Network.

Vicky