SWFT Initiative Makes Progress, Collects Information From Industry
The Software Fast Track (SWFT) Initiative, proposed by Katie Arrington, who is performing the duties of the U.S. Department of Defense chief information officer (DOD CIO), was officially implemented June 1. Since then, the Office of the DOD CIO has provided updates on the status of the 90-day plan.
President Donald Trump nominated Kirsten Davies to be the next DOD CIO on May 7, but the nomination has not been confirmed by the Senate. Arrington is still performing the duties of the role.
The DOD spokesperson said the department can't discuss the matter until the Senate confirms the nomination.
According to the May DOD press release, the initiative is meant to reform and advance the way the DOD acquires, tests and authorizes secure software. It does so by defining clear cybersecurity and supply chain risk management requirements, rigorous software security verification processes, secure information sharing mechanisms and federal government-led risk determinations, with the goal of expediting cybersecurity authorizations so that secure software can be adopted rapidly.
The CIO’s office published three requests for information (RFIs), asking defense contractors and industry experts for capabilities that could accelerate secure software delivery to the federal government, arming warfighters with cutting-edge weapons at a faster pace.
According to a DOD spokesperson, the RFI responses were due May 20, and the government has analyzed all 420 responses across the three requests, “gathering industry insights on how external assessment methodologies and organizations can support streamlining risk assessment and authorization processes for software-enabled products and services; what software supply chain security tools have already been developed and are in use; and how automation and artificial intelligence can support the government’s objective to accelerate secure software adoption.”
The three RFIs covered tools to support SWFT supply chain risk management requirements, external assessment methodologies that support software security verification processes, and the use of automation and artificial intelligence to assist DOD-led risk assessment for expedited cybersecurity authorizations. Of the three, the RFI requesting insight into tools received the most responses, 162, the DOD spokesperson said.
According to the DOD spokesperson, the department will publicly release a market research analysis in the fall to highlight the industry trends on software supply chain tools designed to reduce third-party risks.
“The government is finding these tools approach software supply chain security chiefly through exploring and ensuring provenance and traceability throughout the software development life cycle; this includes software composition analysis and software bills of materials inspection,” the spokesperson shared. “Though mature tools exist for each of these aspects, interdependencies and embedding among identities, provenance and delivery pipelines create visibility gaps in the software supply chain.”
As far as defining the SWFT risk criteria, the DOD spokesperson said that “initial foreign ownership, cybersecurity and other supply chain security threat and vulnerability criteria have been identified for companies and products.” The SWFT development team is in the process of determining which artifacts will be required to support risk determination.
Additionally, since the executive order titled “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144” was issued June 6, the DOD has been working with the National Institute of Standards and Technology to update the Secure Software Development Framework (SSDF, NIST SP 800-218).
The SWFT framework and an associated implementation plan will be published at the end of July, the spokesperson said.