Here’s What DOD CIOs Need From Industry

David McKeown has lots of IT challenges at the Department of Defense and he wants industry to help him.

McKeown, performing the duties of the DOD deputy chief information officer for cybersecurity and chief information security officer, expects requests for information to be issued for continuous monitoring and automation in the Risk Management Framework as DOD has long struggled with these. DOD specifically needs help in automating continuous monitoring, dashboarding it and presenting it to cybersecurity service providers, a.k.a. CSSPs, system owners and combatant commanders.

McKeown said DOD still believes in secure by design and secure by default in maintaining systems in a secure manner. But it found that the RMF became a compliance drill and was not achieving cybersecurity in the way it wanted. So McKeown is looking to automation for help.

“How do we do things by taking humans out of the loop and doing them in a consistent manner,” McKeown said at the Potomac Officers Club’s 2025 Cyber Summit on May 15. “Humans have errors, some are very draconian in the way they implement RMF. Others are very laissez-faire. How do we get consistency in automation?”

Automation in IT Modernization

McKeown said DOD CIOs and CISOs recently had a big meeting where they agreed automation would be a key focus area as they want to automate as many things as possible. Another was continuous monitoring. A third was enterprise services and inheritance as McKeown said DOD can get faster by inheriting things offered to it by cloud service providers and CSSPs.

DOD is implementing Software Fast Track, a.k.a. SWFT, to reform the way it acquires, tests and authorizes secure software. SWFT will define clear and specific cyber and supply chain risk management requirements and stringent software security verification processes. It will also define secure information-sharing procedures and federal government-led risk determinations to accelerate cyber authorizations for faster software adoption.

McKeown said DOD is implementing SWFT because it hadn’t performed software security or software supply chain risk management very well. DOD, he said, previously required contractors to perform laborious steps through a software development framework requirement. SWFT, he said, will be an advancement in cybersecurity that should also streamline DOD’s ability to get authority to operate these products.

Software Fast Track RFIs

DOD has issued three different RFIs for SWFT, all with response dates of May 20: one for SWFT tools, another for a SWFT external assessment and a third for SWFT AI. McKeown said he wants the best supply chain risk management report possible through these.

McKeown said additional RFIs could be issued on best practices for automating, monitoring and displaying RMF controls. “MoSCoW” prioritization, a widely used technique for managing requirements, seems to be popular with authority to operate packages, he observed.

The MoSCoW method is commonly used in project management and software development. It stands for: Must have, should have, could have and won’t have. McKeown asked if there was a MoSCoW type of format that DOD could use with continuous monitoring data to examine risks to a particular system.

DOD & Zero Trust

DOD also needs continual help with zero trust.

“We have been since day one,” McKeown said. “We’re looking for even more. Keep pushing forward on that.”

Operational technology is another big opportunity area with McKeown. DOD, he said, wants to do automation checks in weapon systems, but doesn’t want a human to be in the loop and risk messing up the weapon system while it is in operation.

Instead, McKeown seeks passive automation checks. DOD is also exploring what kind of sensing it can perform to better understand the weapon system and make sure it wasn’t compromised during a mission.
