Mr. John Sherman, Principal Deputy Chief Information Officer, presents keynote address from the Pentagon Briefing Room for the Cyber Beacon virtual event, Dec. 3, 2020. (DoD photo by Marvin Lynchard)

WASHINGTON: With the upgraded cyber certification program now under his office, the Defense Department’s chief information officer said he wants to focus on clarifying requirements and increasing engagement with small to medium-sized companies, in hopes of raising the overall “waterline” of the Pentagon’s cybersecurity defenses.

“I can tell you what it means to me,” DOD CIO John Sherman said about Cybersecurity Maturity Model Certification version 2.0 at the AFCEA Space Force IT Day conference last week. “It means raising the waterline of cybersecurity across the DoD to keep the Chinese and Russians and other potential adversaries away from our critical data.

“This is basic hygiene to raise the water level to make sure we can protect our sensitive data so that when our service members have to go into action, they’re not going to have an unfair position because our adversary’s already stolen key data and technologies that’ll put them at an advantage.”

Earlier this month, in a Feb. 2 memo, Deputy Defense Secretary Kathleen Hicks announced CMMC would be moved under Sherman’s purview as CIO and out of the office of undersecretary of defense for acquisition and sustainment. The Pentagon has also rolled out a 2.0 version of the program intended to strengthen the cybersecurity of the defense industrial base. 

In another memo, DoD said the enhanced program aims to simplify the CMMC standard by clarifying requirements, increase department oversight in the assessment ecosystem and “focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs.”


Sherman said he’s interested in hearing how companies with “a couple hundred people or fewer” are going to be impacted by the new CMMC and emphasized the importance of the program for DoD. He wants the private sector to know that “there’s a cost to not doing something like this.” 

“There’s a cost to your IP, there’s a cost to the US government and there’s a benefit to our adversaries if we don’t do something like this,” he said. 

It’s not the first time the Pentagon has zeroed in on small businesses when it comes to CMMC. In June, DoD pledged to reduce costs on small businesses as part of its internal review of the program, which began earlier that year in March. 

Sherman added that DoD is trying to make CMMC requirements clearer so that contractors can comply with them.

Bob Metzger, a lawyer with Rogers Joseph O’Donnell, told Breaking Defense realigning the program under the CIO’s office is a good move that improves the probability of success of the CMMC initiative. 

“CMMC was announced in July 2019 and here we are, [two and a half] years later, without a single third party assessment accomplished or certification earned,” said Metzger, a government contracts specialist with expertise in cybersecurity regulations. “So it is time to move this project forward. … While some may disagree, I have high confidence that the CIO’s office has the expertise, knows the threat, and will act swiftly to bring CMMC to operational status. That benefits DoD by improving the ability of the DIB [defense industrial base] to resist cyber exfiltration and, if necessary, recover from attacks. And it benefits industry to know sooner what is sought or will be required of it.”

He added that although DoD CIO now assumes the lead of CMMC, A&S will still have a key role. 

“The CMMC program always will be connected to acquisition,” he said. “It will be defined by regulation and implemented through acquisition measures — contract clauses. … I believe the CIO can bring to bear its greater technical understanding both of adversary tactics, techniques and procedures, and its expertise on how enterprises best can defend, respond and recover. It’s a net positive, I think.”