WASHINGTON: The Pentagon will release a new IT modernization strategy later this summer, acting DoD CIO John Sherman told the House Armed Services subcommittee on cyber, innovative technologies, and information systems.

The new strategy will be based on existing guidance, such as the DevSecOps 2.0 guidance released last month, Sherman said during the subcommittee’s first hearing on the 2022 defense budget.

Sherman provided few specifics on the strategy. The DoD CIO oversees an array of the department’s technologies, including cyber, networks, communications, information systems, and enterprise IT, such as cloud computing.

Speaking on the 2022 defense budget, Sherman said it reflects President Biden’s and Defense Secretary Lloyd Austin’s IT priorities, to include the department’s cloud computing; software and network modernization; cybersecurity workforce; command, control, and communications (C3); and data, which Sherman characterized as “the ammunition of the future” and key to achieving the advantage in All Domain Operations.

Sherman said the 2022 budget maintains “enhanced funding levels” for key enterprise cybersecurity capabilities “that will allow us to advance our focus on zero trust and risk management and drive new investments to enhance resiliency and cyber defenses.”

Rep. Jim Langevin, subcommittee chair, set the tone for the hearing in his opening remarks, in which he returned to questions he’s raised about the roles, responsibilities, and overall structure of DoD’s top cyber and EMSO leadership.

“If the secretary of defense is asked who is responsible for buying weapons for the department, the answer is unequivocal. It is the undersecretary of defense for acquisition and sustainment. Conversely, if the secretary is asked who is in charge for keeping DoD networks safe, the fact that there isn’t a single correct answer is troubling. The secretary could respond with the [DoD] CIO or the commander of Cyber Command [Gen. Paul Nakasone] or even the chiefs of the military services, and [the secretary] wouldn’t technically be wrong in any of these responses. So, if we can teach every one of our new officers about the criticality of clear command and control, why can’t we apply this to the highest levels of the department?” he mused.

Langevin also raised issues about the department’s funding priorities for areas like IT and cyber. “Year after year, we have leaders from across the department tell us that they consider IT to be a priority, before immediately pivoting to discuss how much funding they need for more flight hours, or more aircraft, or more tanks. Quite frankly, I’d like to think that technology will truly be a priority when, for example, the Chief of Naval Operations says that the Navy can live with one less fighter aircraft in favor of greater IT investment.”

Langevin was particularly critical of the 2022 budget overview put out by the DoD comptroller last month. He noted the document’s much shorter length than in previous years, while also noting the 2022 overview is “nearly a carbon copy” of the 2021 overview.

“If the DoD were a high school student, I would have called this plagiarism,” Langevin said. How can we trust the department with money if it can’t provide the necessary information for congressional oversight, he asked Sherman.

Sherman attributed the length to its “controlled unclassified information designation,” which “perhaps restricted the number of the pages. But to your point, sir, about the carbon copy,” Sherman said, “it’s something I take very seriously. And I will own this and ensure we get it better next time.”

Langevin did not sound terribly impressed with that answer: “Without that level of detail, we can’t fulfill our oversight responsibilities. We’re in the dark otherwise. That’s unacceptable going forward.”

Langevin then turned to criticizing “inconsistent categorizations of IT and cyber spending,” noting, for instance, that the Navy does not categorize endpoint device management as cybersecurity funding, yet the Air Force does: “As a result, it is nearly impossible to get a comprehensive picture of how resources are being spent.”

Sherman conceded Langevin’s point, noting that the $5.5 billion for cybersecurity “doesn’t indeed represent the totality of cybersecurity throughout the department. Cybersecurity is my top priority as CIO, along with the other modernization activities, but to be able to reflect the totality of that is something we need to do a better job of.”

Langevin later returned to the status of the implementation plan for the 2020 Spectrum Superiority Strategy for electronic warfare capabilities.

Sherman said, “We expect the implementation plan to be signed very soon by the secretary. I don’t have an exact date, but we’ve got this teed up and ready to go.”

As to the question of its success, compared to the two other strategies released over the past eight years, Sherman said the commitment from leadership has been “very strong, so we’re confident we’re going to have what we need.”

He noted Joint Chiefs Vice Chairman Gen. John Hyten is currently leading a cross-functional team on spectrum issues. “We’re going to take the baton as the implementing office for this,” he said. Sherman added that DoD has the “commitments and seriousness” needed to implement the strategy.

Meanwhile, Rep. Scott Franklin asked Sherman why the department allows unpatched software to remain on DoD networks for 120 days before it is removed. As Breaking Defense readers know, running unpatched software is on CISA’s newly published list of cyber bad practices.

Sherman replied, “120 days is probably too long. We need to take a look at that.”

The status of DoD’s Cloud Strategy is another topic that came up multiple times. As Breaking Defense readers know, there have been widespread reports of delays to cloud migration.

Sherman outlined some successes in cloud computing, but added, “We still also have an urgent, unmet need for an enterprise cloud capability at all three security levels — unclassified, secret, and top secret — that extends all the way from headquarters all the way to the tactical edge, and that has not gone away at this time.”

Part of the problem stems from ongoing legal disputes over the DoD’s JEDI cloud program.

Langevin also asked how DoD is thinking about industrial control system (ICS) and operational technologies (OT) security. Sherman said ICS/OT security is a priority and that work is underway to prevent “gaps” in cybersecurity that could allow adversaries to slip by the department’s cyber defenses.

Asked what keeps him up at night, Sherman said, “The kind of cyber threats we’re seeing across the country, not only against the government, but against the private sector. This is the main reason I am so committed to moving out with the zero-trust implementation at the [DoD]. I want DoD to be a leader in this space.”

“I know what the Chinese and Russians want to do to our networks,” Sherman continued, “and [cybersecurity] is the most important role I have as CIO, along with other types of modernization for our warfighters. Right now, the offensive side has all the capabilities, and we have to run a better defense.”