The US Department of Defense (DoD) is overhauling its “outdated” software procurement systems, and insists it’s putting security at the forefront of decision-making processes.
Katie Arrington, CIO at the DoD, established the department’s Software Fast Track (SWFT) initiative via a Monday memo [PDF], which promised to reform how software is acquired, tested, and authorized.
“Department of Defense Cybersecurity and Supply Chain Risk Management (SCRM) practices within the Department must adapt and keep pace with software development and the increasing complexity and evolution of supply chain risk,” Arrington wrote.
“Lengthy, outdated cybersecurity authorization processes frustrate agile, continuous delivery. Additionally, widespread use of open source software, with contributions from developers worldwide, presents a significant and ongoing challenge.
“The fact that the department currently lacks visibility into the origins and security of software code hampers software security assurance.”
A public statement from Arrington went on to say that current software procurement processes are “outdated and slow, with little to no supply chain visibility.”
The SWFT initiative will define clear cybersecurity and SCRM requirements, although these are not yet final.
The DoD currently has multiple requests for information (RFIs) open until late May that seek industry input on various aspects of the initiative, such as how best to use AI to authorize secure software and what effective SCRM requirements would look like.
SWFT will also establish exactly how the DoD will verify the security of any given software product, secure information-sharing systems, and expedite the process of authorizing the adoption of software.
Within 90 days, Arrington’s office aims to have developed a framework and the implementation plan for the SWFT initiative.
A DoD statement reads: “Improving our ability to bring high-quality secure software to the Warfighter rapidly will greatly increase the lethality and resilience of the Joint Force.”
“It is absolutely mission one that we arm our Warfighters with the best cutting-edge weapons available, but we don’t need duplicative and wasteful processes to do that,” it went on to say.
“This is just one example of how we are going to deliver on the President’s promise to rebuild the military and restore the Warrior Ethos throughout the Department.”
The DoD’s security has been tested in recent times, from malware campaigns targeting procurement systems to defense partners leaking sensitive information for almost two years.
In various other cases across local and national government, and the aforementioned case of a sensitive partner breach, software vulnerabilities were singled out as the initial intrusion vector. It’s likely that one of the main goals of the SWFT initiative is to ensure fewer and fewer of these stories become reality.
Also campaigning for more secure government software is the Cybersecurity and Infrastructure Security Agency (CISA), which remains under sustained attack from the Trump administration.
Previous efforts from the agency have included campaigns for secure-by-design software practices, raising awareness of memory safety issues in widely used programs, and of course the Known Exploited Vulnerabilities (KEV) program, which requires all federal agencies to patch the most dangerous vulnerabilities in just a few weeks.
However, while it is all well and good to insist on security and supply chain visibility within DoD software procurement, it might help if the department stopped sharing confidential Pentagon business insecurely.
Just yesterday, The Register reported how TeleMessage, a messaging and archiving app based on the open source Signal app and used by ousted national security advisor Michael Waltz, is “investigating a potential security incident” in which an unidentified miscreant is said to have obtained US government communications.
This follows revelations that Waltz hosted a Signal group about military operations in Yemen that inadvertently included the Atlantic’s editor-in-chief, who dutifully leaked the chat.
Reports now suggest that Secretary of Defense Peter Hegseth is a prolific user of the encrypted messaging app for Pentagon matters, allegedly discussing department business in no fewer than 12 separate chats.
As Marc Polymeropoulos, a former senior US intelligence officer, told the Wall Street Journal: “The use of personal phones and commercial apps introduces unnecessary risk. Signal is considered unclassified by the government for a reason. It’s clear that US government systems are having a hard time keeping up with the required pace of business.”