Citizen Cyber

Staff Sgt. Wendell Myler, a cyber warfare operations journeyman assigned to the 175th Cyberspace Operations Group of the Maryland Air National Guard, monitors live cyber attacks on the operations floor of the 27th Cyberspace Squadron. (U.S. Air Force photo by J.M. Eddins Jr.)

WASHINGTON — Over the past year, the Department of Defense has set the stage for how it wants to strengthen cybersecurity and information technology infrastructure against adversarial threats, namely the People’s Republic of China. 

But with another Donald Trump presidency on the horizon, all eyes are on him to see if he keeps the existing programs afloat or scales them back. Simultaneously, some cybersecurity experts and lawmakers have predicted that the president-elect will stand up a new cyber service.

These are some of the programs and shifts to look out for in the next year. 

[This article is one of many in a series in which Breaking Defense reporters look back on the most significant (and entertaining) news stories of 2024 and look forward to what 2025 may hold.]

This year the Pentagon released its final rule for the long-awaited Cybersecurity Maturity Model Certification (CMMC) 2.0, which sets new standards for contractors who handle controlled unclassified information (CUI). The 32 Code of Federal Regulations (CFR) final rule, which lays the framework for CMMC 2.0, went into effect on Dec. 16, but the DoD won’t actually begin implementing the CMMC 2.0 requirement for contractors until the 48 CFR final rule is released — likely in the spring of 2025. 

However, in order to avoid a scramble to meet the new regulations with little notice, those requirements won’t become mandatory until after a three-year phase-in period.

The first official CMMC program was built under the first Trump presidency in 2020 — one of the reasons why those in the cybersecurity realm believe the program won’t change under Trump.

Stacy Bostjanick, the chief of defense industrial base cybersecurity in the DoD’s office of the chief information officer, told a panel in November that CMMC 2.0 is not “going anywhere.”

“CMMC was initially started under the first Trump administration,” she said. “We have made such progress, and so many people recognize the need for it. It endured, and we went through and did the proper rule making steps to make it, to memorialize it. I don’t see it going anywhere.”

Not everyone is so sure that CMMC 2.0 is sticking around. Quentin Hodgson, formerly the Pentagon’s director of Cyber Plans, told Breaking Defense that given the fact that Republican administrations tend to scale back on regulations, CMMC 2.0 requirements could be reduced. 

“It’s possible that the new administration could decide to relook at that and say this is too high a burden or not the right way to approach improving cybersecurity standards in the defense industrial base,” Hodgson said of CMMC 2.0. 

“I could see where there would be a relook at some of those things that were seen as maybe from a Republican or conservative point of view […] more heavy handed than it needed to be with respect to the private sector,” he added.

Though experts and Pentagon personnel may have an opinion on the fate of CMMC 2.0, its future is in the hands of the next administration, and since we don’t have a crystal ball, we will just have to wait and see what 2025 brings.

The Potential For A 7th Branch

In another effort to shore up cybersecurity protections and capabilities, some experts and lawmakers believe that with another Donald Trump presidency, an independent cyber service could be a real possibility. 

Though the idea of an individual cyber service has long been a point of contention within the Department of Defense, Hodgson told Breaking Defense that since Trump stood up the Space Force, it’s possible that he could stand up a cyber force.

“This change in administration potentially could give more impetus to the creation of a separate cyber service,” he said. “[Trump] did that with the Space Force. It was something that the Department of Defense didn’t want, but he decided he wanted it, and it’s possible that that could also happen with cyberspace.”

Separately, two Texas Republicans, Rep. Pat Fallon and Rep. Morgan Luttrell, authored an amendment in a draft version of the 2025 National Defense Authorization Act that called for an independent third-party study to help lawmakers and DoD leaders determine if a separate cyber force is necessary. (The study is being conducted by the National Academies of Sciences, Engineering and Medicine.)

However, such plans seem to have been scaled back in the final version of the NDAA. The new language was vaguer, calling only for the assessment of “cyber organizations” instead of a separate cyber service — an important change, as advocates of a future cyber force had been hoping to hang their argument off of a report from the academies.

Although the final NDAA language could be seen as a setback, Rep. Fallon told DefenseScoop that he’s still optimistic that the DoD could create a cyber force based on the study’s results. 

“I am sure that the incoming administration will take a hard look at everything within the cyber realm to ensure maximum protection, efficiency, and lethality. We in Congress will do the same and I am confident we’ll see changes based on the level of threats we are faced with,” he told the outlet.