SWIFT Changes to the Federal Cybersecurity Landscape

April 30, 2025

Recent statements from Katie Arrington, performing the duties of the Department of Defense (DoD) Chief Information Officer (CIO), and Rob Vietmeyer, the DoD Chief Software Officer (CSO), referenced a new Software Fast Track (SWIFT) process that is intended to significantly expedite the approval of software for use on military networks. An article by DefenseScoop on April 29th indicates that the new process is expected to start on May 1st, 2025. SWIFT will utilize Artificial Intelligence to address the current archaic, and often lengthy, approval process and speed the delivery of software to warfighters so they can take advantage of the latest technological advancements. What does that mean for contractors, and how will it impact the Defense Industrial Base (DIB), software vendors, and existing programs? Although the process does not have any official documentation, we may be able to glean some insight from additional statements and existing programs.

As reported by Air and Space Forces Magazine, Vietmeyer stated that the SWIFT process “will build on the work done over nearly 15 years to build required system security standards into DOD contracts under the 7012 provision of the Defense Federal Acquisition Regulation Supplement, and then to require contractors to certify compliance with those standards under the Cybersecurity Maturity Model Certification (CMMC) program, which will come into full force later this year.” He went on to say that it would also incorporate “the secure coding pipeline defined by the Cybersecurity and Infrastructure Security Agency (CISA).” A review of those statements identifies three separate components.

  1. Leveraging DFARS 7012 methodology
  2. Obtaining CMMC certification
  3. Secure coding requirements

The first component recognizes the need to build off the DFARS 7012 process. The DFARS 7012 clause was published in October 2016 and added the requirement for DIB contractors to implement the security controls of NIST SP 800-171. It is important to note that NIST SP 800-171 did not exist prior to the development of DFARS 7012. Instead, it was derived from controls contained within NIST SP 800-53 that were applicable to the specific use case. If a look back to DFARS 7012 is guiding the development of the SWIFT process, it may be reasonable to assume that tailored controls from existing processes or publications may be used.

The second component requires the contractor to obtain a CMMC certification. At a minimum, this would certify that the software developer’s environment meets the security controls outlined in NIST SP 800-171. What is not clear is the scope of the assessment as it relates to software development. It may apply to the entire organization, an enclave, or a specific software product. It is also not clear how those requirements will be incorporated into the existing CMMC requirements. Those still hesitant to buy into the CMMC process should take note that DoD leadership is discussing CMMC in the context of how to expand it and incorporate it into new processes. As stated by Matt Travis during the April Cyber AB Town Hall meeting, the final component of CMMC, CFR 48, is anticipated to be in place by early June 2025. This will allow the CMMC requirement to be placed in DoD contracts.

The third component identifies the need to enforce secure coding practices. As mentioned previously, development of the secure coding guidelines may follow the same path as the creation of NIST SP 800-171. The Secure Software Development Framework contained in NIST SP 800-218 and Secure Software Development Practices for Generative AI and Dual-Use Foundation Models contained in NIST SP 800-218A may serve as the foundation from which the SWIFT controls are created. We can conceive of that requirement then tying into CMMC control SC.L2-3.12.2 in order to enforce architectural designs, software development techniques, and systems engineering principles that promote effective information security. By combining those items with the DevSecOps Continuous Authorization Implementation Guide, it may be possible to provide a mechanism that enforces the security of the software continuous integration/continuous delivery environment.

In Conclusion

While there is currently much speculation, the introduction of SWIFT appears to point toward a revamped and continually adapting process that is intended to strengthen the cybersecurity posture of the federal government and its supporting partners. The new process also further solidifies the use of the CMMC program to certify operating environments within the DIB. Although any official publication appears to be months away, recent statements indicate that the government recognizes the negative impact of poor cyber hygiene on multiple fronts and is diligently working toward expanding and unifying cyber protections.

While the revamping of cyber requirements for DoD suppliers is still evolving, our understanding at this point, based on recent press releases and interviews, is that the DoD intends SWIFT to be a complementary program to CMMC and FedRAMP, where:

  • CMMC verifies that a company or enclave meets certain controls at a point in time
  • FedRAMP verifies that a CSP/solution meets certain controls at a point in time
  • SWIFT will verify that a specific piece of software meets certain controls. Because software is a product rather than a process (such as manufacturing a widget) and changes at a more rapid pace, it is possible to leverage AI for software vetting to fast-track compliance checks and streamline that part of cybersecurity vetting, which may or may not be incorporated into CMMC assessment processes going forward.

Daniel Shirah

Senior Consultant

Daniel has worked in the IT industry for over 20 years, ultimately gaining a vast amount of experience and knowledge in all facets of information technology. He has Bachelor's degrees in Management and Organizational Leadership and Technology Management, and a Master's Degree in Information Technology from Florida State University.