
Appendix B - RMF Reforms on the Horizon

The RMF reform efforts noted above are not about lowering the security bar. They are about changing how compliance is achieved, evidenced, and sustained. Across all current reform initiatives, several fundamentals appear stable:

  • The underlying control catalog will continue to be derived from NIST SP 800-53 (and, for national security systems, CNSSI 1253).

  • Authorizing Official (AO) risk acceptance remains mandatory. What may change is how that acceptance is expressed: the current direction is a shift from an episodic signature on a static package toward a continuous, service-style authorization model in which the AO's decision is informed by live evidence.

  • The expectation of traceable evidence will persist, but evidence is likely to become machine-readable and continuously generated, rather than assembled manually into static documents. This shift is already visible in modern DevSecOps pipelines, where tools automatically emit SBOMs, vulnerability scan results, test artifacts, and configuration data as part of each build. Reform initiatives like SWFT are formalizing these artifacts as primary evidence for authorization.

The current state of the specific reform efforts is as follows:

  • Cybersecurity Risk Management Construct (CSRMC), announced by DoW in September 2025, reflects former DoW CIO Katie Arrington’s ambition to “blow up” the RMF. It introduces a five-phase model intended to eventually replace the traditional RMF with a continuous, DevSecOps-aligned framework. CSRMC emphasizes real-time monitoring, automated control assessment, and persistent authorization status over static documentation. It is arguably the most promising reform effort to date. However, it remains a conceptual framework; it has not superseded RMF in policy, and there has been little visible implementation activity since its initial announcement.

  • Software Acquisition Pathway (SWP), established by DoDI 5000.87 in 2020, creates a fast-track acquisition process for software systems using agile and DevSecOps practices. It replaces the traditional milestone-gated acquisition process (how software is funded, built, and tested) with an iterative one. SWP does not, however, replace RMF, which is still required under DoDI 8510.01. What SWP enables is better integration of RMF into the software lifecycle: security engineers and AOs engage early, DevSecOps pipelines supply continuous evidence, and systems are positioned to support continuous ATO models. In this way, SWP serves as a modern delivery framework within which RMF can be executed as originally intended, rather than treated as a separate, waterfall-style compliance phase.

  • Software Fast Track Initiative (SWFT), announced in May 2025, is a DoW-wide effort to accelerate software authorization by replacing static ATO packages with a model built on standardized developer attestations and automated, machine-readable evidence. SWFT proposes that systems continuously submit security artifacts (SBOMs, scan results, logs) from their DevSecOps toolchains, eliminating the need for episodic documentation. AOs would make risk decisions based on live data rather than static packages. As of early 2026, SWFT has completed its initial framework and collected extensive industry input, and early pilot programs are underway. It does not formally replace RMF, but it provides the mechanisms that make continuous authorization operationally feasible at scale.
