SWFT—or is it SWIFT? The DoD’s New Approach to Software Acquisitions

If you're like many DoD suppliers, you've heard people talking about SWFT and new software ATO processes, but have no idea what to expect. If so, you're not alone. The recently announced Software Fast Track (SWFT) initiative—referred to by some as SWIFT—aims to streamline DoD software acquisition while making it more secure. Here’s a closer look at what SWFT means for your organization.

A Pokemon-style battle showing the DoD using SWFT against the NIST RMF

SWFT and the Kessel Run Legacy

No, not Han Solo’s legendary smuggling record. Kessel Run is an Air Force "software factory," established in 2017, which pioneered the continuous Authority to Operate (cATO) model by embedding security validations and testing within its pipelines. This approach allowed Kessel Run to evolve beyond traditional waterfall RMF approaches, setting a new standard for DoD software.

Unlike the waterfall method rooted in RMF—which treated software as a linear, staged endeavor—SWFT builds upon Kessel Run's agile approach, making continuous compliance and rapid deployment core tenets across the services. By extending the principles pioneered by Kessel Run, SWFT aims to enable agility and resilience for all branches of the military, regardless of their existing software development and deployment paradigms.

The Backbone: DevSecOps & Automated Validation

SWFT emphasizes the critical role of DevSecOps, which promotes close collaboration between development, security, and operations teams by aligning incentives and embedding security & compliance into every phase of the software lifecycle. By shifting compliance "to the left," SWFT ensures that every piece of code is vetted in real time through processes such as continuous integration and continuous delivery (CI/CD) pipelines.

Automated security scans, vulnerability assessments, and container hardening occur as part of the build process, yielding higher quality and more resilient deployments. This approach allows for continuous compliance reporting and significantly reduces delays in gaining or maintaining ATO status.

SBOMs: What's in This Thing, Anyway?

SWFT introduces a mandatory requirement for certified Software Bills of Materials (SBOMs), making them central to the security and risk management process. Contractors will need to produce and validate SBOMs for both sandbox and production environments.

These documents must include information about third-party products that are built into software delivered to the DoD (e.g., open-source libraries and “dependencies”). Doing so enables greater transparency across the software supply chain, allowing stakeholders to quickly identify, review, and mitigate vulnerabilities.

AI/LLM in Code Validation: Powerful, But Not Magical

SWFT aims to harness AI and large language models (LLMs) to aid in automated vulnerability detection and provisional ATO assessments. Yet it's critical to understand that while LLMs can spot anomalies and highlight potential risks, they're not a substitute for deep engineering review. They serve as assistants, complementing traditional CI/CD testing and manual code review, ensuring mission-grade reliability.

Third-Party Reviews & Certifications for SWFT

To ensure adequate security and supply chain integrity, SWFT emphasizes the role of independent third-party review and certification. In remarks by Katie Arrington and in the DoD RFIs, external review bodies were identified as critical stakeholders for verifying cybersecurity practices, SBOM generation, and vulnerability assessments. These assessors will play a pivotal role in achieving and maintaining SWFT compliance for suppliers and engineering firms, providing authoritative review and facilitating trust between suppliers and the DoD.

Swiftly Aligning with SWFT for DoD Software Acquisitions

In order to stay abreast of these emerging requirements, DoD software suppliers and engineering firms should consider the following:

  1. Adopt DevSecOps with automation: Re-orienting for DevSecOps means including security at every stage of the software development process, including automated checks such as those run in CI/CD pipelines. “Baking in” security requires additional upfront effort through requirements specification, but will make long-term maintenance much more manageable.

  2. Implement third-party SBOM certification: If you aren’t already, start tracking third-party libraries, plug-ins, and utilities included within your software products—as well as those used for testing and deployment. Ensure those products are appropriately updated as part of your development cycle to reduce the possibility of inadvertently introducing vulnerabilities in your end product.

  3. Integrate AI-assisted validation responsibly: How exactly the DoD intends to implement AI validation within their processes remains to be seen, but reports of LLMs struggling to develop and validate functional code mean organizations shouldn’t become overdependent on AI systems for ensuring a secure and efficient codebase. Manual code review and static/dynamic testing through CI/CD pipelines will remain critical aspects of software development and deployment.

  4. Monitor for updates about SWFT rollout from the DoD: With the SWFT being such a new program and the DoD’s stated goal of a 90-day sprint to develop the framework & implementation plan, changes are likely to come quickly. We’re already almost two-thirds of the way through the sprint timeframe, so keep an eye out for guidance from the DoD over the coming weeks and months!

  5. Ensure you’re ready for CMMC: The DoD’s Cybersecurity Maturity Model Certification (CMMC) program is also expected to go into effect in the second half of 2025, marking another significant change in the DoD’s approach towards security within the defense industrial base. Wherever you are on the path to certification, implementing the required controls is another crucial step in maintaining eligibility for DoD contracts. Learn more by diving into the posts in our CMMC Getting Started series!
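To make the SBOM discussion above and item 2 concrete, here is an added example (not code from the original post or from the DoD): a small Python gate that a CI/CD pipeline could run over a delivered SBOM. It assumes the SBOM is CycloneDX-style JSON with a `components` list; the sample SBOM, the component names, and the advisory feed with its `ADV-PLACEHOLDER-*` identifiers are all constructed for illustration.

```python
import json
from typing import Dict, List

# Constructed sample SBOM in CycloneDX-style JSON (not a real delivered artifact).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "netlib", "version": "3.2.0",
         "purl": "pkg:pypi/netlib@3.2.0"},
        {"type": "library", "name": "log-helper", "version": "0.9.1",
         "purl": "pkg:pypi/log-helper@0.9.1"},
        {"type": "library", "name": "left-padder"},   # version and purl omitted
    ],
})

# Constructed advisory feed: component name -> affected version -> advisory id.
# The ids are placeholders, not real CVE numbers.
ADVISORIES: Dict[str, Dict[str, str]] = {
    "log-helper": {"0.9.1": "ADV-PLACEHOLDER-001"},
}

# Fields every third-party component entry must carry to be reviewable.
REQUIRED_FIELDS = ("name", "version", "purl")


def validate_sbom(sbom_json: str) -> Dict[str, List[str]]:
    """Return findings: components missing required fields, and components
    whose exact version appears in the (constructed) advisory feed."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    findings: Dict[str, List[str]] = {"incomplete": [], "vulnerable": []}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            findings["incomplete"].append(f"{name}: missing {', '.join(missing)}")
            continue  # without a version there is nothing to match an advisory against
        adv_id = ADVISORIES.get(name, {}).get(comp["version"])
        if adv_id:
            findings["vulnerable"].append(f"{name}@{comp['version']}: {adv_id}")
    return findings


def sbom_passes(sbom_json: str) -> bool:
    """Pipeline gate: the build fails if any component is incomplete or affected."""
    f = validate_sbom(sbom_json)
    return not f["incomplete"] and not f["vulnerable"]


if __name__ == "__main__":
    print(json.dumps(validate_sbom(SAMPLE_SBOM), indent=2))
```

In a real pipeline the advisory feed would come from a maintained vulnerability database rather than an inline dictionary, and the gate would run on every build so an outdated dependency is caught before delivery.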

Closing Thoughts

The SWFT initiative marks a pivotal shift in DoD software acquisition practices from slow, manual ATOs rooted in the RMF to dynamic, automated, and resilient software deliveries using agile and DevSecOps practices. Firms that adapt early, integrate automated pipelines and appropriate AI tools, and adopt robust SBOM practices will stand out as trusted partners in this evolving landscape.

As a CyberAB RPO, Triumvirate Cybersecurity helps defense contractors develop robust security and compliance practices to support the DoD’s evolving requirements. Contact us to learn how we can help you prepare for the future of defense contracting.

© Triumvirate Cybersecurity 2025