CMMC and SWFT: Why the DIB Needs To Embrace Both

The adoption of SWFT technologies should complement Cybersecurity Maturity Model Certification efforts.

In late April, the U.S. Department of Defense (DOD) chief information officer signed a memo establishing a new initiative known as Software Fast Track (SWFT). The intent is to modernize the government’s authority-to-operate (ATO) process, which is the way the department acquires, tests and authorizes commercial software and services provided directly to the government.

Ask any vendor, and they will likely tell you the ATO process is outdated, cumbersome, expensive and far too lengthy—often taking years before authorization is granted. Some contractors need entire teams just to get through it. There can also be a cascade of ATO processes if multiple components listed in a government request for proposal will connect to the department’s network, the Global Information Grid.

The new SWFT effort aims to streamline and update the ATO process, harness automation and artificial intelligence, and provide clearer guidance for participating companies.

Since the initiative is not yet finalized, it will take some time for the details and specific requirements to be known. However, information already available suggests that SWFT has similarities to the department’s Cybersecurity Maturity Model Certification (CMMC) program, which was initiated in 2019 and finally enacted late last year.

CMMC is designed to validate that Defense Industrial Base (DIB) contractors meet standards for protecting sensitive government data from cyber threats. While CMMC has generated valuable exposure around the need for consistent, proven defensive measures, it has also led to a fair amount of confusion and pushback, especially from smaller DIB companies.

With SWFT now on the horizon, more questions are developing, particularly around the need for two separate programs. But that need is very real and logical: SWFT focuses on software and services that will be used within DOD itself, while CMMC focuses on protecting certain data provided to a contractor that is stored, processed or transmitted on non-DOD systems.

Two Programs—Similar but Different

CMMC and SWFT share some meaningful parallels. For instance, both emphasize a cultural shift toward continuous cybersecurity and proactive risk management. Both address what needs to be accomplished to ensure the security of a DOD program’s target.

However, the programs serve distinct purposes. CMMC focuses on a DIB contractor’s internal cyber hygiene and how it protects controlled unclassified information, whereas SWFT is about securing the procurement and authorization processes for software, services or capabilities before they are used on government networks, confirming that they meet DOD security requirements. Simply put, CMMC addresses the cybersecurity of the organization itself, and SWFT addresses the cybersecurity of what the organization delivers.

These two frameworks could intersect if a DIB company wins a contract to deliver a product or capability that connects to the Global Information Grid. CMMC certification could be required even to bid on an acquisition opportunity, while SWFT compliance may govern how deliverables are authorized and fielded. The aims are complementary but separate.

What DIB Contractors Might Expect

A request for information inviting stakeholders to submit input on the SWFT framework was open from May 2 to May 20. The input gathered is helping to inform department decisions on how the SWFT process develops. It is likely there will not be any final details published until later this year at the earliest.

However, it is also likely those details will include references to the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 for information systems security and privacy controls, NIST SP 800-218 for secure software development and perhaps even the NIST AI Risk Management Framework for managing artificial intelligence risks—all of which are leading cybersecurity standards. These provide a good starting point for DIB companies to benchmark against, and they align to CMMC’s system and communications family of protection controls for securing software development.

While we wait for the SWFT framework to be finalized, it makes sense for DIB companies that have not yet been CMMC certified to focus there first, as the final 32 CFR part 170 rule took effect in late 2024. The requirement for CMMC certification is already starting to appear in contracts. Additionally, it is likely that to perform work under a SWFT-governed contract, a company will need to demonstrate compliance with the applicable CMMC level.

As with CMMC, it is fair to expect a requirement for a SWFT compliance assessment, possibly conducted by an authorized third party or by contractors operating at the behest of the government, depending on the contract and what it entails. While this assessment may add some cost for DIB members, the savings relative to the investment required for the current ATO process should offset that cost or even reduce the total expense.

Given the constant evolution of the cybersecurity landscape, hardening the military’s ecosystem security is no longer optional. The department has realized this and is now enforcing what has long been known. With mandatory CMMC and soon SWFT obligations, it is essential for the DIB to maintain clarity around how these frameworks interact and reinforce one another. The adoption of SWFT technologies should complement, not replace, CMMC compliance efforts. DIB companies wanting to serve the department must embrace both.

Thomas Graham is the vice president and chief information security officer at Redspin.