David McKeown speaks at the 2025 Cyber Summit. Photo: Charles McClanahan
Here’s What DOD CIOs Need From Industry
David McKeown has lots of IT challenges at the Department of Defense and he wants industry to help him.
McKeown, performing the duties of the DOD deputy chief information officer for cybersecurity and chief information security officer, expects requests for information to be issued for continuous monitoring and automation in the Risk Management Framework as DOD has long struggled with these. DOD specifically needs help in automating continuous monitoring, dashboarding it and presenting it to cybersecurity service providers, a.k.a. CSSPs, system owners and combatant commanders.
McKeown said DOD still believes in secure by design and secure by default in maintaining systems in a secure manner. But it found that the RMF became a compliance drill and was not achieving cybersecurity in the way it wanted. So McKeown is looking to automation for help.
“How do we do things by taking humans out of the loop and doing them in a consistent manner,” McKeown said at the Potomac Officers Club’s 2025 Cyber Summit on May 15. “Humans have errors, some are very draconian in the way they implement RMF. Others are very laissez-faire. How do we get consistency in automation?”
Automation in IT Modernization
McKeown said DOD CIOs and CISOs recently had a big meeting where they agreed automation would be a key focus area as they want to automate as many things as possible. Another was continuous monitoring. A third was enterprise services and inheritance as McKeown said DOD can get faster by inheriting things offered to it by cloud service providers and CSSPs.
DOD is implementing Software Fast Track, a.k.a. SWFT, to reform the way it acquires, tests and authorizes secure software. SWFT will define clear and specific cyber and supply chain risk management requirements and stringent software security verification processes. It will also define secure information-sharing procedures and federal government-led risk determinations to accelerate cyber authorizations for faster software adoption.
McKeown said DOD is implementing SWFT because it hadn’t performed software security or software supply chain risk management very well. DOD, he said, previously required contractors to perform laborious steps through a software development framework requirement. SWFT, he said, will be an advancement in cybersecurity that should also streamline DOD’s ability to get authority to operate these products.
Software Fast Track RFIs
DOD has issued three different RFIs for SWFT that all had response dates of May 20: one for SWFT tools, another for a SWFT external assessment and a third for SWFT AI. McKeown said he wants the best supply chain risk management report possible through these.
McKeown said additional RFIs could be issued on best practices for automating, monitoring and displaying RMF controls. “MoSCoW” prioritization, a popular technique for managing requirements, seems to be popular with authority to operate packages, he observed.
The MoSCoW method is commonly used in project management and software development. It stands for: Must have, should have, could have and won’t have. McKeown asked if there was a MoSCoW type of format that DOD could use with continuous monitoring data to examine risks to a particular system.
DOD & Zero Trust
DOD also needs continual help with zero trust.
“We have been since day one,” McKeown said. “We’re looking for even more. Keep pushing forward on that.”
Operational technology is another big opportunity area with McKeown. DOD, he said, wants to do automation checks in weapon systems, but doesn’t want a human to be in the loop and risk messing up the weapon system while it is in operation.
Instead, McKeown seeks passive automation checks. DOD is also exploring what kind of sensing it can perform to better understand the weapon system and make sure it wasn’t compromised during a mission.


