CMMC Is Here to Stay: DoD’s Push to Secure the Defense Industrial Base

Written by Fed Gov Today | Jun 8, 2025 7:31:30 PM


Original broadcast 6/8/25

Presented by Synack

After years of debate, delay, and skepticism, the Department of Defense is sending a clear and unmistakable message: the Cybersecurity Maturity Model Certification (CMMC) framework is real, it’s moving forward, and it’s essential to national security. On this week’s Fed Gov Today, Stacy Bostjanick, Chief for Defense Industrial Base Cybersecurity in the Office of the Chief Information Officer at the Department of Defense, explains why the department is doubling down on cybersecurity compliance—and how a new initiative called SWFT could revolutionize the way software is approved for use across DoD.

“There’s been a lot of concern in industry that CMMC would never really happen,” Bostjanick acknowledges. “But we’re in the final stages of making it real. The rulemaking for 32 CFR—the regulation that establishes CMMC as a program—was completed in December. Now we’re about three-quarters of the way through the 48 CFR rulemaking, and we’re pushing hard to get it published by the end of the summer.”

While the regulatory process has been slow and at times frustrating, Bostjanick is candid about why CMMC is necessary. She cites past failures in compliance, such as vendors copying and pasting generic system security plans or submitting plans of action and milestones (POA&Ms) with remediation dates that stretched decades into the future. “We found companies with 25 people using a 500-page template with ‘insert name here,’ and POAMs that extended out to the year 2099,” she says. “By the letter of the law, they were compliant. But practically, they were nowhere close.”

Those compliance failures have had real consequences. Bostjanick points to past breaches where adversaries gained access to critical military technology, like F-35 and F-22 designs, through stolen contractor data. “They didn’t have to spend the billions of dollars we did to develop those systems—they just downloaded them,” she says. “And now, when our warfighters go into combat, they may face adversaries with the same weapons we built. That’s unacceptable.”

Beyond rulemaking and enforcement, Bostjanick outlines a broader strategy to speed up secure software adoption through a new initiative called SWFT (Software Fast Track). Designed to be voluntary and to avoid regulatory red tape, SWFT allows vendors to prepare software packages for faster DoD evaluation by completing key pre-assessment steps up front: generating a Software Bill of Materials (SBOM), obtaining a third-party assessment, and compiling a “body of evidence” to support their security claims.

Once submitted, DoD will validate the package using its own tools, including an AI-based system currently in development. “We released three RFIs recently—for third-party SBOM generation, third-party assessments, and the AI tool,” Bostjanick explains. “Our goal is to cut approval timelines in half, maybe more. Right now, it takes way too long to vet and approve software.”

The SWFT program is not just about speed—it’s about trust. Approved software packages will be listed in a searchable DoD database and flagged in the Supplier Performance Risk System (SPRS), allowing acquisition officials across the services to easily identify secure, vetted solutions.

Bostjanick says success will be measured through clear metrics: adoption rates, cost comparisons between the old and new processes, and average timelines for approval. And because SWFT is voluntary, companies can still choose to go through the traditional DoD evaluation route—albeit with more delays and more uncertainty. “We always say, you can do it the easy way or the hard way,” she says with a smile. “SWFT is the easy way.”

What connects SWFT and CMMC is a larger vision: defending America’s innovation and intellectual property from adversaries who are aggressively and relentlessly trying to steal it. “We’re being barraged every day,” Bostjanick warns. “They want our data. They want our capabilities. They want to use the time, energy, and taxpayer money we spent to build advanced systems—and turn it against us.”

To fight back, DoD is not just updating policies. It’s rethinking how security is built into everything from software development to supply chain management. “This isn’t just compliance for compliance’s sake,” Bostjanick emphasizes. “It’s a national security imperative. We can’t afford to be lazy. We can’t afford to ignore the threat.”

With CMMC advancing and SWFT gaining momentum, DoD is creating a future in which cybersecurity is a foundation, not an afterthought. And that, Bostjanick says, is how we protect the warfighter, safeguard taxpayer investments, and maintain the technological edge that underpins American defense.

Key Takeaways:

  • CMMC is progressing through final rulemaking: the 32 CFR rule establishing the program was completed in December, the 48 CFR acquisition rule is targeted for publication by the end of summer, and enforcement is expected to begin later this year.

  • SWFT (Software Fast Track) offers a voluntary, AI-enhanced path for faster software approval within DoD.

  • Both initiatives aim to strengthen national security by enforcing real cybersecurity across the defense industrial base.