
What the Pentagon's Software Fast Track (SWFT) Initiative Could Signal for the Future of CMMC
The Department of Defense is making a bold push to overhaul its outdated software procurement processes. Katie Arrington's recent interview with DefenseScoop reveals just how aggressively the Pentagon is embracing automation, continuous monitoring, and AI to streamline acquisition and security authorization.
While her comments focus primarily on software procurement under the new Software Fast Track (SWFT) initiative, they also hint at broader cultural and procedural shifts that could reshape how cybersecurity compliance frameworks like CMMC are implemented in the near future.
Traditional compliance models can’t keep pace with dynamic software environments
At the heart of Arrington's vision is a simple but profound observation: compliance models built around static, point-in-time certifications no longer match the pace of modern technology. Software evolves rapidly and threats change daily, yet legacy processes like the Risk Management Framework (RMF) and Authority to Operate (ATO) approvals still, in practice, rest on a snapshot of a system's security posture at a single moment, captured through a manual, time-consuming, and expensive audit.
Arrington is clear: "An ATO is granted at a very specific time ... but software is dynamic. It changes." The same logic applies directly to CMMC. Under the current model, an organization undergoes a rigorous assessment by a C3PAO (Certified Third-Party Assessment Organization), but once certified it is essentially 'frozen in time' until the next assessment cycle; the annual affirmation of continued compliance required in between is a self-attestation by a senior official, not a re-assessment. The result is a gap between an organization's compliance status and its actual security posture.
In contrast, SWFT aims to move beyond these static snapshots by introducing real-time, AI-assisted analysis, continuous third-party monitoring supported by compliance automation, and dynamic risk scoring based on evolving factors such as SBOM (software bill of materials) integrity, vendor financial health, and cybersecurity posture.
How SWFT could inform the evolution of CMMC
While CMMC 2.0 was itself a major step forward in simplifying and streamlining earlier requirements, the framework still largely follows the traditional audit-prep model. But as initiatives like FedRAMP 20x, GovRAMP, CORE, and SWFT gain traction within the DoD and the federal government, it's not hard to envision a scenario where CMMC evolves along a similar path.
In fact, many of the foundational elements Arrington describes are directly applicable to the CMMC ecosystem:
- Third-party assessments remain essential but shift toward a continuous validation model.
- AI and automation assist assessors and OSCs (Organizations Seeking Certification) in identifying risks and validating control effectiveness in real time.
- Supply chain transparency improves through standardized use of SBOMs and automated supply chain risk scoring.
- The cultural shift moves from "prove you're compliant" to "demonstrate you're secure and resilient every day."
Early adoption of automation is already happening within the CMMC ecosystem
We are already seeing early signs that CMMC could follow this direction. The Cyber AB has openly discussed the role of automation in helping both assessors and OSCs streamline audit preparation, reduce time-to-certification, and simplify ongoing compliance maintenance. Tools that can continuously collect evidence, map controls, and flag issues as they emerge are becoming increasingly central to the CMMC marketplace.
Moreover, many of the DoD's key stakeholders in SWFT (the CIO office, CISO teams, acquisition directorates, and service branches) are the same offices with influence over the ongoing CMMC rulemaking and implementation process.
Why the Defense Industrial Base should pay attention to these trends now
For companies in the defense industrial base (DIB), these signals are worth paying close attention to. Even if CMMC remains rooted in formal certification cycles for the near-term, the long-term trajectory is clear: automation and continuous monitoring will likely become not just helpful, but expected.
Companies that invest today in compliance automation platforms, continuous control monitoring, automated evidence collection, and AI-assisted risk management will be better positioned to adapt as these federal compliance programs continue to modernize.
A cultural shift within the DoD is signaling change
Perhaps most telling is Arrington's candid acknowledgment of the cultural shift that this modernization requires. The Pentagon must become more comfortable with "a 90% solution," recognizing that absolute risk elimination is impossible in a dynamic environment. This echoes the broader shift we're seeing across federal cybersecurity: a growing recognition that agility, visibility, and continuous monitoring and improvement are more valuable than rigid, bureaucratic perfection.
CMMC may not officially enforce continuous monitoring tomorrow, but the building blocks are being laid right now. Organizations that start aligning their compliance programs to this emerging reality will be far ahead of the curve when the shift inevitably comes.