The Department of Defense's Digital Transformation: Transitioning from RMF to SWIFT

Anyone who has navigated the Department of Defense's Risk Management Framework (RMF) understands the unique blend of frustration, paperwork, and seemingly endless waiting that has characterized the process.

Defense contractors have long joked that RMF stands for "Really More Forms" or "Request More Funding," as programs find themselves stuck in authorization limbo for months or even years. Program managers watch helplessly as technology becomes nearly obsolete before receiving approval, while warfighters wonder why commercial software they could download on their personal devices in seconds requires a small forest worth of documentation before deployment on military networks. It's a process that has come to symbolize the Pentagon's struggle to keep pace with commercial innovation.

The Department of Defense (DoD) has launched a revolutionary initiative to overhaul its software acquisition and authorization processes, transitioning from the longstanding Risk Management Framework (RMF) to a new approach called Software Fast Track (SWIFT). This transition represents one of the most significant changes to DoD's cybersecurity and software approval processes in over a decade, with far-reaching implications for both the defense establishment and its contractors.

The Evolution of DoD Software Authorization

The RMF Legacy

The Risk Management Framework has been the cornerstone of DoD's cybersecurity strategy since 2014, when it replaced the earlier DoD Information Assurance Certification and Accreditation Process (DIACAP). RMF provided a structured, risk-based approach to security assessment that integrated security and privacy activities into the system development lifecycle.

RMF followed a six-step process:

1. Categorization of information systems
2. Selection of security controls
3. Implementation of security controls
4. Assessment of security controls
5. Authorization of information systems
6. Continuous monitoring

While comprehensive in its approach, the RMF process has increasingly been criticized for its lengthy timelines, extensive documentation requirements, and inability to keep pace with rapidly evolving technology and threat landscapes. The authorization process, which resulted in an Authority to Operate (ATO), often took months or even years to complete—a timeline incompatible with modern software development cycles and the DoD's need for technological agility.

The Need for Change

In today's digital battlespace, software capabilities are crucial to maintaining military advantage. However, the traditional RMF-based Authorization to Operate (ATO) process has become a significant bottleneck. Acting DoD Chief Information Officer Katie Arrington has been particularly vocal about the limitations of the existing framework, referring to the RMF as "archaic" and "a bunch of paperwork" that impedes the rapid deployment of mission-critical software.

The transition to SWIFT aligns with Defense Secretary Pete Hegseth's March 2025 directive titled "Directing Modern Software Acquisition to Maximize Lethality," which emphasized software-first strategies to keep pace with private sector innovation. This directive highlighted the critical need for faster, more agile processes to deliver software capabilities to warfighters.

The SWIFT Approach

Launch and Implementation

On April 24, 2025, Katie Arrington signed a memo titled "Accelerating Secure Software," officially launching the Software Fast Track Initiative. The program officially began on May 1, 2025, marking the start of a significant transition in how the DoD evaluates, approves, and deploys software.

The initiative kicked off with a 90-day sprint to develop the SWIFT Framework and Implementation Plan. Three Requests for Information (RFIs) were simultaneously issued to gather industry input on tools, external assessment methodologies, and the potential use of automation and artificial intelligence in risk assessment processes.

Key Components of SWIFT

SWIFT represents a fundamental shift in approach to software security assessment. Rather than relying on extensive paperwork and manual processes, SWIFT introduces:

1. AI-Enabled Assessment: SWIFT leverages artificial intelligence to assess software security based on a standardized set of cybersecurity risk indicators, automating much of what was previously a manual review process.
2. Third-Party Certification: Software vendors must provide a Software Bill of Materials (SBOM) for both their products and production environments, certified by an independent third party. This provides transparency into software components and supply chains.
3. Streamlined Authorization: The new process aims to provide provisional Authorization to Operate (ATO) much faster than the traditional RMF process, in some cases potentially reducing timelines from months to days.
4. Continuous Monitoring: Rather than point-in-time assessments, SWIFT emphasizes ongoing verification of security posture, aligning with modern DevSecOps practices.
5. Unified Framework: SWIFT seeks to establish clear, specific cybersecurity and Supply Chain Risk Management (SCRM) requirements, along with rigorous software security verification processes and secure information sharing mechanisms.

Simplified Security Focus

Under SWIFT, the DoD is narrowing its security focus to what Arrington describes as "five things that I really care about," including secure-by-design development practices, zero trust implementation, and continuous monitoring. This represents a significant departure from the comprehensive but unwieldy RMF approach.

Implications for Defense Contractors

For defense contractors and software vendors, SWIFT represents both an opportunity and a challenge. On one hand, the streamlined process could dramatically reduce the time required to deploy software into operational DoD environments, opening doors for commercial companies and startups that have historically struggled with navigating the traditional RMF-based ATO process.

On the other hand, vendors will need to adapt to new requirements, particularly around software supply chain transparency and security. Companies with strong DevSecOps processes and transparent software supply chains may be particularly well-positioned in this new environment.

The Path Forward

As the DoD continues its 90-day sprint to develop the full SWIFT Framework and Implementation Plan, the defense community is closely watching how this initiative will unfold. Key questions remain about the specific implementation details, the transition period from RMF to SWIFT, and how existing authorizations will be handled.

What is clear is that SWIFT represents a major milestone in the DoD's broader digital modernization strategy. By addressing longstanding inefficiencies in the software authorization process, it supports the department's commitment to fielding digital capabilities at speed and scale—ultimately strengthening the lethality and resilience of the Joint Force in an increasingly contested digital battlespace.

Conclusion

The transition from RMF to SWIFT signals a new era in DoD software acquisition and security. By embracing automation, artificial intelligence, and modern security practices, the DoD is positioning itself to more rapidly harness software innovation while maintaining necessary security standards.

For an organization often criticized for bureaucratic processes, this shift represents a bold step toward digital transformation—one that may well serve as a model for security and procurement modernization across the federal government.

As the DoD embarks on this transformation, one must wonder: In a world where software increasingly defines military advantage, will this cultural and procedural revolution fundamentally redefine America's defense posture, or will institutional inertia ultimately limit SWIFT to being merely a faster version of the same risk-averse approach? The answer may determine not just the success of military technology programs, but potentially the outcome of future conflicts where digital capability deployment speed could mean the difference between victory and defeat.