How a key Pentagon tech leader plans on ‘blowing up’ outdated software risk framework

Katie Arrington discusses the Cybersecurity Maturity Model Certification with the Norwegian National Defense and Security Industries Association, the Pentagon, Washington, D.C., Jan. 13, 2021. (DoD photo by Air Force Staff Sgt. Brittany A. Chase)

TECHNET CYBER 2025 — When Katie Arrington walked back into the Pentagon in her role to perform the duties of the DoD’s Chief Information Officer, she was determined to pick up where she left off during the first Trump administration. That meant a laser-focus on trying to shift the Pentagon toward a culture of “secure by design,” she told Breaking Defense in an exclusive interview.

That includes, she said, “blowing up” what she called an outdated Pentagon Risk Management Framework (RMF).

“We need to have a better, faster way with the tools that we have to evaluate software rapidly to get it to the warfighters so that they can be ready and lethal,” she said. “We needed to find a way to make it efficient, and this was a simple task, right? You ask a room full of software people, CISOs [Chief Information Security Officers], how to make it more efficient, they had the answer.”

Arrington, who will serve in the acting role until the newly named nominee Kristen Davis can take over, said the answer is captured in the new Software Fast Track (SWFT) program. Announced last week, SWFT aims to replace legacy processes such as authority to operate (ATO) approvals and the Risk Management Framework (RMF) with updated automation features and existing features like continuous ATOs and the Cybersecurity Maturity Model Certification program (CMMC). The move, she said, aligns with Defense Secretary Pete Hegseth’s March 7 memo that called on the department to modernize the way the Pentagon acquires software.

ATOs have often been viewed as a thorn in the side of defense contractors due to what critics say are their slow bureaucratic, and redundant natures. The same is true, Arrington said, for the RMF, which is a lengthy, structured collection of guidelines that help identify and manage potential cyber threats on networks. 

That’s why she said she’s “blowing up the RMF.”

Instead of the RMFs, SWFT will mandate third-party assessments of vendor’s cybersecurity status based on 12 risk characteristics. Additionally, vendors will have to obtain a software bill of materials certified by a third party, Arrington said. Continuous ATOs, coupled with other to-be-determined automation processes will likely replace the standard ATO process, she said. (A continuous ATO involves real-time monitoring to ensure companies are up-to-date on requirements, rather than the stop-and-start process that comes if standard ATOs have to be repeatedly updated.)

She added that her office will make decisions surrounding how companies can find third party assessors and what other automation processes will replace ATOs based on three requests for information her office released last week. One RFI was for SWFT tools, another was for SWFT external assessment methodologies, and another for SWFT automation and artificial intelligence. 

Industry partners have until May 20 to respond to the solicitations — not far from when the SWFT program is set to begin on June 1, Arrington said. She added that companies should act quickly if they want to sell software to the DoD. (But they do have longer than the June 1 deadline to become compliant with SWFT; that’s just when the program begins, she clarified.) 

In accordance with a memo Arrington signed on April 24 that kickstarted the SWFT program, she directed her office to carry out a “90-day sprint” to develop an implementation plan that will define “clear” and “specific” cybersecurity and supply chain risk management requirements; “rigorous” software security verification processes, secure information sharing mechanisms; and “Federal Government-led risk determinations to expedite the cybersecurity authorizations for secure, rapid software adoption.” 

Though SWFT will officially start June 1, the 90 sprint will allow the DoD to iron out the kinks in the program, Arrington said. 

Companies should participate in the SWFT program not only if they “want to do business with the  Department of Defense,” but also because it will save them money, Arrington said.

“The ATO process costs companies upwards of half-a-million dollars,” she said. “Is it worth them paying $300 or $400 to get a third party risk assessment or an SBOM [software bill of materials] for $500? Is it really going to cost them money, or is it going to save them money?” 

She argued SWFT will also save the DoD money as it currently spends close to “hundreds of millions of dollars a year” evaluating ATOs, she said, which should not be the tax payer’s responsibility. 

“This is all about what the [Secretary of Defense] and the president have wanted and have requested of us to provide, which is efficiencies, deduction of duplication of effort, and to make our warfighter capabilities lethal and ready,” she added.

As for Arrington’s own future in the Pentagon, much is unclear. Breaking Defense conducted this interview before news broke that the administration had nominated Davies, who previously worked at major IT and cybersecurity firms in the private sector, to be the department’s new CIO. 

A spokesperson for Arrington told Breaking Defense that they “could not speculate” on future of her current role at the DoD by press time.