A new fast-track approval process for software on Defense Department networks will use AI tools to radically shorten a process that currently takes months or years, Acting Pentagon Chief Information Officer Katie Arrington said April 23.
Arrington told an audience of industry executives at an AFCEA DC luncheon event that the new Software Fast Track (SWIFT) process will use “AI tools on the back end” to replace the Authorization To Operate (ATO) process, which governs the way software products are certified for use on military networks, and the venerable Risk Management Framework (RMF), which has guided decisions about cybersecurity in DOD for more than a decade.
“I’m blowing up the RMF, blowing up the ATOs. They’re stupid. They’re archaic,” she said, lambasting the extensive paper-based documentation ATOs require.
Instead, she said, SWIFT will collect third-party data about the cybersecurity of vendors and technical information about the makeup of their software through a government web application called eMASS, and keep it in the Supplier Performance Risk System (SPRS), a database where contractor performance and cybersecurity compliance information is stored.
SWIFT was first previewed by DOD Chief Software Officer Rob Veitmeyer earlier this month, but this is the first time it’s been suggested that the new process will eliminate the role of the RMF, which has been the veritable Bible of cybersecurity risk management in defense since its adoption in 2014.
SWIFT appears to build on a process developed at Kessel Run, the Air Force’s original software factory, and piloted service-wide in 2019, known as “Fast Track ATO.” But it will go even further, Arrington said, because the criteria for authorization themselves will change, not just the means used to assess them. Software vendors will have to provide a Software Bill of Materials (SBOM) for their products and their production environment—and get it certified by an independent third party, she said.
An SBOM is effectively an index of all the other pieces of software which are inside a computer program. Modern software makes extensive use of publicly available programs, called open source code libraries, to perform computing tasks. But this means that a vulnerability in one of those libraries can create a vulnerability in any program that uses it, making it important to document all the dependencies of a given piece of software.
Arrington said her direction to software providers will be: “Provide me your SBOM for both your sandbox and production [environments], along with a third-party SBOM,” by uploading them into eMASS.
“I will have AI tools on the back end to review the data instead of waiting for a human. If all of it passes the right requirements: Provisional ATO,” she declared.
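The dependency-tracking point behind SBOMs, and the sandbox-versus-production comparison Arrington describes, as an added Python example that is not part of the article and not DOD or eMASS tooling: it parses two constructed CycloneDX-style SBOMs, cross-references each inventory against a constructed advisory feed with placeholder IDs, and reports drift between what was tested in the sandbox and what is deployed in production. All component names, versions and advisory identifiers are made up, and the numeric version comparison is a simplification of real ecosystem rules.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample SBOMs in a CycloneDX-style JSON shape. Component names,
# versions and package URLs are invented for this example.
SANDBOX_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.4.0",
         "purl": "pkg:generic/example-logger@2.4.0"},
        {"type": "library", "name": "example-http", "version": "1.9.2",
         "purl": "pkg:generic/example-http@1.9.2"},
        {"type": "library", "name": "example-yaml", "version": "0.8.1",
         "purl": "pkg:generic/example-yaml@0.8.1"},
    ],
})

PRODUCTION_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.3.5",
         "purl": "pkg:generic/example-logger@2.3.5"},
        {"type": "library", "name": "example-http", "version": "1.9.2",
         "purl": "pkg:generic/example-http@1.9.2"},
        {"type": "library", "name": "example-compress", "version": "3.0.0",
         "purl": "pkg:generic/example-compress@3.0.0"},
    ],
})

# Constructed advisory feed: each entry names a component and the half-open
# version range [introduced, fixed) that is affected. IDs are placeholders,
# not real advisory numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "example-logger",
     "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "ADV-PLACEHOLDER-2", "name": "example-yaml",
     "introduced": "0.0.0", "fixed": "0.9.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple.
    Assumes a plain numeric scheme; real ecosystems have richer rules."""
    return tuple(int(part) for part in text.split("."))


def parse_sbom(document: str) -> Dict[str, str]:
    """Return {component name: version} from a CycloneDX-style JSON SBOM."""
    data = json.loads(document)
    if data.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return {c["name"]: c["version"] for c in data.get("components", [])}


def find_affected(inventory: Dict[str, str],
                  advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Cross-reference an inventory against the advisory feed.
    Returns (advisory id, component, version) for each affected component."""
    hits = []
    for adv in advisories:
        version = inventory.get(adv["name"])
        if version is None:
            continue  # component not present, nothing to inherit
        v = parse_version(version)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            hits.append((adv["id"], adv["name"], version))
    return hits


def diff_inventories(sandbox: Dict[str, str],
                     production: Dict[str, str]) -> Dict[str, list]:
    """Flag drift between the inventory that was assessed and the one deployed."""
    shared = set(sandbox) & set(production)
    return {
        "only_in_sandbox": sorted(set(sandbox) - set(production)),
        "only_in_production": sorted(set(production) - set(sandbox)),
        "version_mismatch": sorted(
            (name, sandbox[name], production[name])
            for name in shared if sandbox[name] != production[name]
        ),
    }


if __name__ == "__main__":
    sandbox = parse_sbom(SANDBOX_SBOM)
    production = parse_sbom(PRODUCTION_SBOM)
    print("sandbox findings:", find_affected(sandbox, ADVISORIES))
    print("production findings:", find_affected(production, ADVISORIES))
    print("drift:", diff_inventories(sandbox, production))
```

The drift report is the part an assessor would weigh most: a clean sandbox SBOM says little if production ships an older logger and an extra compression library that never went through review.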
She said that her memo authorizing the new process was being signed out “today.” As acting CIO, Arrington sets department-wide policy for IT matters.
She said the memo would be briefed out to “all the CIOs and [chief information security officers] in the building.” It would be followed “in the next week or two” by a Request For Information to industry to help build out the details.
“I want the RMF eliminated,” she said. “I only have five things that I really care about. Did you develop what you’re doing in [a] secure by design [process]? How do I validate that? Are you working with zero trust? How do I validate that? [And, how are you doing] continuous monitoring?”