DoD's SWFT Initiative: Revolutionizing Military Software Security with SBOMs

By Laurie Shrout
May 8, 2025

The Pentagon is about to flip the script on military software acquisition. Starting June 1, 2025, the Department of Defense's Software Fast Track (SWFT) initiative will fundamentally change how software gets approved for military use—and Software Bills of Materials (SBOMs) are taking center stage.

The SWFT Revolution: Bye-Bye Bureaucracy

During the AFCEA TechNet Cyber conference in Baltimore on May 7, Acting DoD Chief Information Officer Katie Arrington announced: "That program will be implemented starting June 1, 2025, so that we in the government can get to software faster," as reported by MeriTalk.

The initiative intends to replace the slow-moving Risk Management Framework (RMF) with an AI-powered system that evaluates software against 12 distinct risk characteristics. Instead of mountains of paperwork and human reviews, software vendors will submit their SBOMs (covering both sandbox and production environments) into the DoD's Enterprise Mission Assurance Support Service system.

"AI tools on the back end will analyze the data," Arrington explained during the AFCEA TechNet Cyber conference in Baltimore. "If everything meets the requirements for a digital ATO, we won't have to wait on a human to review it."

This shift marks the Pentagon's most ambitious attempt yet to modernize its software approval process while enhancing security.

Why SBOMs Matter More Than Ever

An SBOM is essentially your software's ingredient list—a comprehensive inventory of every component used in your application. Think of it as a nutrition label for code.

Under SWFT, vendors must provide three critical elements:

  • Production environment SBOM
  • Sandbox environment SBOM
  • Third-party verified SBOM

This triple-verification approach creates unprecedented transparency into what's inside software used by US military programs.

SBOMs have become essential security tools because they:

  1. Expose vulnerabilities instantly: When the next Log4j-style vulnerability emerges, organizations with SBOMs can immediately identify affected systems.
  2. Illuminate the supply chain: Modern applications often contain hundreds of components from various sources. SBOMs reveal exactly what's in your software and where it came from.
  3. Support federal standards: While the original 2021 Biden Executive Order on cybersecurity that emphasized SBOMs is no longer in effect under the Trump administration, the core principles and SBOM requirements have become industry standards that will outlast Trump 2.0. This includes the importance of SBOMs within the new SWFT initiative.
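To make the first point concrete, here is an added example (not part of the original post) that searches a set of CycloneDX-style SBOMs for a newly disclosed vulnerable component and reports which systems carry it. The advisory, package name, versions and system names are constructed for illustration; `components`, `purl` and `version` are standard CycloneDX JSON fields.

```python
import re

# Constructed advisory: package identity (purl without version) and first fixed release.
ADVISORY = {"purl": "pkg:maven/com.example/logging-lib", "fixed_in": "3.2.0"}

def lib(version):
    """Constructed CycloneDX component entry for the hypothetical library."""
    return {"type": "library", "name": "logging-lib", "version": version,
            "purl": f"pkg:maven/com.example/logging-lib@{version}"}

# Constructed CycloneDX-style documents; real ones would come from json.load().
SBOMS = {
    "portal-prod": {"bomFormat": "CycloneDX", "components": [lib("3.1.4")]},
    "portal-sandbox": {"bomFormat": "CycloneDX", "components": [
        {"type": "framework", "name": "web-kit", "version": "9.0.1",
         "components": [lib("3.2.0")]}]},  # nested (bundled) dependency
    "telemetry-prod": {"bomFormat": "CycloneDX", "components": [lib("3.1.0-rc1")]},
    "billing-prod": {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "pdf-gen", "version": "1.0.0",
         "purl": "pkg:maven/com.example/pdf-gen@1.0.0"}]},
}

def parse_version(text, width=4):
    """Dotted numeric version -> zero-padded int tuple; None if not comparable."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (width - len(nums)))

def walk(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def find_affected(sboms, advisory):
    """Return {system: [(version, status), ...]} for components matching the advisory."""
    fixed, hits = parse_version(advisory["fixed_in"]), {}
    for system, doc in sboms.items():
        for comp in walk(doc.get("components")):
            # Compare by package identity: drop the purl's version, qualifiers, subpath.
            if re.split(r"[@?#]", comp.get("purl", ""))[0] != advisory["purl"]:
                continue
            ver = parse_version(comp.get("version"))
            status = "unknown" if ver is None else "affected" if ver < fixed else "fixed"
            hits.setdefault(system, []).append((comp.get("version"), status))
    return hits

if __name__ == "__main__":
    for system, found in find_affected(SBOMS, ADVISORY).items():
        print(system, found)
```

A version string that cannot be compared numerically is reported as `unknown` rather than silently treated as safe, so it lands in a manual-review queue.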

What Defense Contractors Need to Know

If you sell software to the DoD, June 1 is your deadline. The message is clear: get your SBOM capabilities in order.

Companies with mature DevSecOps practices and automated SBOM generation will enjoy a significant competitive advantage. Those still relying on manual processes may find themselves scrambling to catch up.

The DoD recently issued three Requests for Information seeking industry input on risk criteria, assessment methodologies, and AI automation—signaling their commitment to getting this right.

Beyond Defense: Why Every Organization Should Pay Attention

The Pentagon's move signals a broader shift in how organizations approach software security. What starts as a DoD requirement today often becomes a commercial standard tomorrow.

In a world where software supply chain attacks are skyrocketing, the emphasis on SBOMs, automated verification, and AI-powered risk assessment will likely influence security practices across all industries.

Four Steps to Prepare for the SBOM Future

Whether you're a defense contractor or not, now's the time to:

  1. Automate SBOM generation: Integrate it into your CI/CD pipeline. Manual processes will not scale.
  2. Standardize your format: Adopt widely used SBOM standards like SPDX or CycloneDX.
  3. Verify your supply chain: Third-party verification of SBOMs will become increasingly important.
  4. Prepare for automated assessment: The future of software security lies in continuous, AI-powered evaluation.

The clock is ticking toward June 1. Organizations that embrace these changes now won't just be ready for DoD contracts—they'll be positioned for success in the new era of software supply chain security.

Do not get left behind on June 1. When the SWFT gates open, vendors will split into two camps: those who sail through the new AI-powered approvals with mature SBOM capabilities—and those scrambling to catch up as competitors win contracts.

Schedule a 15-minute assessment call now and turn this DoD mandate into your competitive edge.

About SIE

SIE delivers smart, efficient IT solutions that reduce costs and optimize performance in asset management, sourcing, and cloud migration. Our team of experts delivers professional services that help organizations maximize the value of their technology investments while maintaining security and compliance.

As evidenced by our recent SBOM webinar, we're committed to helping clients navigate complex security requirements like the DoD's SWFT initiative. We understand the challenges defense contractors face in today's rapidly evolving security landscape and provide practical solutions that transform compliance requirements into business advantages.

Visit thesiegroup.com to explore our webinars, workshops, and resources designed to elevate your IT expertise and strengthen your cybersecurity posture.

This blog post was created based on information from DoD announcements and public statements regarding the Software Fast Track initiative. For the most current requirements, please consult official DoD documentation.