
Pentagon SWFT Responses Back Shift to Continuous Software Authorization


Industry feedback urges the Pentagon to end checklist compliance and adopt data-driven trust models as SWFT modernizes software acquisition.

DOW CISO Katie Arrington speaks at the Pentagon in 2021. Photo Credit: Air Force Staff Sgt. Brittany A. Chase/DOW

The War Department’s new software acquisition modernization plan backs “fundamental regime change” in military acquisition, according to the December summary of the request for information (RFI) issued at the plan’s initial launch in the spring.

“[Industry] input is critical to understanding how the department can transform software security through risk-based decision making when introducing new capabilities to the DOW and putting the nation on a glide path to maintaining our battlefield dominance well into the future,” DOW CISO and former Acting CIO Katie Arrington wrote in the document.

The plan, called the Pentagon’s Software Fast Track (SWFT), is shifting from an experimental “90-day sprint” into a permanent, enterprise-wide ecosystem designed to replace the military’s historically sluggish processes with a high-velocity, automated pipeline.

The initiative, spearheaded by the CIO office in alignment with War Secretary Pete Hegseth’s directive to “Maximize Lethality through Modern Software,” aims to close the “valley of death” between software development and battlefield deployment.

From Static Checklists to Continuous Combat Power

The plan includes using methods like continuous authority to operate (ATO) in contrast to historical waterfall development models where security was often an afterthought.

“Using these new capabilities like continuous ATOs … unlocks the ability to do innovation,” Marine Corps Community Services Chief Digital Business Officer David Raley told GovCIO Media & Research in December.

The document includes more than 400 industry responses that contributed to the DOW codifying three pillars:

  • Standardized tooling: Defining a common set of cybersecurity and supply chain risk management requirements
  • External assessment: Utilizing third-party audit functions to verify NIST 800-218 (Secure Software Development Framework) compliance
  • AI-driven automation: Implementing machine learning to handle repetitive compliance tasks and monitor software “health” in real-time

“We need to change our thought process,” Arrington said in April during the SWFT rollout. “Having software in an ATO that is a static environment doesn’t help the warfighter. Our job is to ensure that we have lethality, and that requires software that evolves at the speed of the threat.”

Director of DOD Information Networks Capabilities George Lamb said at the Carahsoft DevSecOps Conference last July that the program builds on lessons from Platform One’s Iron Bank, which shifted the focus from a “pass/fail” model to continuous risk evaluation.

“SWFT is basically scaling the authorization process by which software can get evaluated and into our infinity loops faster,” Lamb said. “When you run through SWFT, we’re going to be outsourcing the authority. We’re going to drive the requirements and the capabilities necessary for commercial software to protect.”

Development speed and security assurance need to work in concert, according to DOW Chief Software Officer Rob Vietmeyer. He said that continuous integration/continuous delivery (CI/CD) pipelines — key in the SWFT environment — help automate security checks and provide “real-time dashboards” of cyber posture and risk.

“We want to move from paper-based to real-time dashboards on what’s my current cyber posture? What is the current risk of this next software update? Am I ready to push deploy on it or not?” Vietmeyer said.

What Industry Said

The combined RFI summary brings forward concerns and suggestions from within the Defense Industrial Base for SWFT implementation. Industry leaders emphasized that for SWFT to succeed, the DOW must move beyond “checking boxes” and toward a data-driven trust model, echoing DOW sentiment.

A significant portion of the feedback focused on software bills of materials (SBOMs). Respondents noted that while SBOMs are essential for visibility, the sheer volume of data is unmanageable without automation. The SWFT initiative is now looking to establish a “clearinghouse” for SBOM data.

“What does a good SBOM look like, and what does a bad SBOM look like? If you have software that’s a problem, we need to give you a pathway,” Arrington told GovCIO Media & Research in May.
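As an added example (not code from the DOW, the SWFT program, or the article), one automated check of the kind that separates a “good” SBOM from a “bad” one: a small Python gate over a constructed CycloneDX-style document that flags components lacking the fields a consumer needs to match them against vulnerability advisories. The required-field policy and the sample SBOM are assumptions, not SWFT requirements.

```python
"""Automated SBOM quality gate (added example, not DOW/SWFT code): flags gaps
that make an SBOM unusable for matching components against advisories."""
import json

# Fields a consumer needs to match a component against advisories (assumed policy)
REQUIRED_COMPONENT_FIELDS = ("name", "version", "purl")

def component_findings(component: dict, index: int) -> list[str]:
    """Return findings for one CycloneDX-style component; empty list if complete."""
    label = component.get("name") or f"component[{index}]"
    findings = [f"{label}: missing {f}" for f in REQUIRED_COMPONENT_FIELDS
                if not component.get(f)]
    # Without a hash, nobody can prove the listed artifact is the one shipped
    if not component.get("hashes"):
        findings.append(f"{label}: no hashes")
    if not (component.get("supplier") or {}).get("name"):
        findings.append(f"{label}: no supplier")
    return findings

def sbom_findings(sbom: dict) -> list[str]:
    """Evaluate a whole SBOM document and return every gap found."""
    meta = sbom.get("metadata") or {}
    findings = []
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("component") or {}).get("name"):
        findings.append("metadata: primary component not identified")
    components = sbom.get("components") or []
    if not components:
        findings.append("components: empty list")
    for i, comp in enumerate(components):
        findings.extend(component_findings(comp, i))
    return findings

def is_acceptable(sbom: dict) -> bool:
    """Gate decision: an SBOM passes only with zero findings."""
    return not sbom_findings(sbom)

# Constructed sample: one complete component, one that would block matching
SAMPLE_SBOM = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2025-12-01T00:00:00Z",
               "component": {"name": "example-app", "version": "2.3.0"}},
  "components": [
    {"name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2",
     "hashes": [{"alg": "SHA-256", "content": "placeholder-digest"}],
     "supplier": {"name": "Example Vendor"}},
    {"name": "libbar", "version": ""}
  ]
}""")
```

Running the gate on the sample rejects the document because of the incomplete second component, which is the kind of per-component finding a clearinghouse would need to report back to a vendor.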

Scaling Software, Eliminating Redundant Systems

The memo outlines the need to update legacy systems with the SWFT environment. While “born-in-the-cloud” programs like Kessel Run and Platform One have pioneered these methods, older programs — some still running on code written in the 1990s — struggle to meet the rigorous verification standards required for a “Fast Track” designation, according to the feedback.

“Respondents also noted they have legacy environments or other technical debt that would further challenge integration with the tooling required to implement a NIST SP 800-218 framework,” the SWFT RFI memo reads. “Legacy systems often feature outdated or poorly supported software and hardware components, lack modular design, and present software incompatibilities, all of which complicate integration and require time-consuming development.”

“We’ve shut down 84 redundant systems this year alone,” Arrington said in August about the program’s progress.

The RFI summary acknowledged that a “high degree of independence” is required for external assessments to be valid. Ensuring that third-party auditors have both the technical bandwidth and the security clearances to evaluate classified software remains a logistical bottleneck.

The transition to SWFT also requires a workforce that understands both tactical military needs and modern DevSecOps. The Pentagon is engaged in a massive upskilling effort to create new AI career fields and software engineering pathways for officers, according to officials.

“Success hinges on continued leadership engagement, department-wide collaboration, and a shared commitment to a software-empowered [department],” officials wrote in the DOD Software Modernization Implementation Plan released over the summer in connection to SWFT.
