Okay, I have no idea how to wrap my head around this one. The DoD’s Chief Software Officer, Rob Vietmeyer, took to a microphone and announced a brand new cybersecurity certification program, called the “Swift Process,” which will either compete with CMMC or sit alongside it. Frankly, it wasn’t clear at all.

When he blurted this out, Vietmeyer was speaking in front of the AFCEA Northern Virginia chapter at their annual Innovation IT Day event. No official announcement, no FAR or DFARS discussion, nothing. He just blurted it out. He also threw shade at CMMC, which I bet Katie Arrington and her bumbling sidekick Stacy Bostjanick must be loving. Per reporting by Air and Space Forces:

Despite being implemented more quickly, the Swift Process will also be more comprehensive than CMMC, he said, covering supply chain security and issues of foreign control or influence on the contractor and their suppliers, as well as incorporating the secure coding pipeline defined by the Cybersecurity and Infrastructure Security Agency (CISA). And it would apply, not to whole organizations, as CMMC does, but to specific products.

“So what we’re looking at is defining a set of controls, and if industry [partners] can demonstrate that their products and their pipelines meet those controls, that removes from us the burden from going through months and months of Risk Management Framework assessments. It can get us to understanding, yes, this software meets our risk posture. … Because we built that trust with industry that if we install this software, it will not bring unacceptable risk into our environment,” he said.

He then said the launch of this latest made-up scheme is “imminent.”

I did some digging and found this 2023 interview where Vietmeyer hinted at this program, but discussed it as very much limited to DoD / DIB software developers. That interview said the scheme had already been in development for about a year at that point (since 2022), but again, it was more of an internal effort and intended only to be flowed down to the DoD’s software factories.

The 2025 event in Virginia blows that up. Yes, he seems to still be talking in the context of software, which is the limitation of his role at DoD. But he invoked DFARS 252.204-7012, which is not at all limited to software. That DFARS clause is regarding “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and is parallel to -7021, which is the new CMMC DFARS clause. (Those numbers look similar, so don’t get them mixed up.) They both fall under the same master DFARS clause, and both apply to the entire DIB, including manufacturers of hardware.

Also, will this new program apply only to software developers? When Vietmeyer speaks of “adversaries going after the software supply chain with increasing frequency,” how far down does that go? He says it extends to a “contractor’s own code,” meaning not just code a DIB company would develop for the DoD, but code it uses internally for its own operations. A lot of DIB companies that sell hardware, not software, would fall under that category.

Clearly, Vietmeyer has no idea of the blast radius of the bomb he just threw into the middle of the Defense Industrial Base. According to his LinkedIn profile, Vietmeyer has never held a private sector job and has worked at the Pentagon since 1993. So it could be he had no idea at all how the private sector would receive this information because that’s not in his experience set.

But let’s unpack it. The DoD has, since 2019, beaten the drum that CMMC would be the One Thing governing DIB cybersecurity. They hosed up the rollout of CMMC so that it only became official this year — in 2025 — and are now insisting that companies scramble to get certified ASAP. Companies are in a panic, induced by the DoD’s own botched rollout and the CMMC ecosystem’s reliance on FUD to sell certifications, rather than winning over hearts and minds. The whole thing has been driven by terror and the threat of False Claims Act prosecutions. Even jail time for those who don’t bend the knee.

In the middle of that panic, Vietmeyer announces what sounds like a completely different, competing program and says its release is “imminent.” Good lord.

So, will this program be on top of CMMC? Will it be required instead of CMMC? Will it apply only to software developers? Will software developers have double the certification requirements, in the same time period? From what it appears Vietmeyer was saying, a DIB company that either sells software to the DoD or uses it somehow in its operations will not only have to buy a CMMC certificate, but also a Swift certificate for each software product involved. That could mean multiple certificates.

The most important question that a lifetime government employee never seems to consider: just how much is this going to cost?

Right now, we don’t know. But, good job, DoD: you once again pulled an entirely avoidable unforced error and set your supply chain in a tizzy. China thanks you for your service.
