211129_pentagon_code_gfx

(Pentagon graphic by Breaking Defense; computer code image by Sabrina Gelbart via Pexels)

WASHINGTON — The Defense Department is considering extending a “secure pipeline” to small businesses to help them protect the department’s controlled unclassified information (CUI) while also speeding up their software deliveries, according to an official in the DoD Chief Information Office (CIO).

“One of the challenges we’re finding dealing with the smaller industries and others that haven’t worked in the defense space is our adversaries will attack our weakest links, and if folks aren’t ready for nation-state advanced persistent threat attacks, our sensitive information can be compromised,” Robert Vietmeyer, director for cloud and software modernization, said at a virtual Potomac Officers Club event today. 

To that point, the DoD CIO is working with the deputy under secretary of defense and the under secretary of defense for acquisition and sustainment “make investments” to help small businesses in the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, which aims to strengthen the cybersecurity of the defense industrial base by holding contractors accountable for following best practices to protect their network.

“I’d like to see us expand beyond just the protection, but how do we give a development pipeline, a software factory capability that can enable the small business not just to safeguard DoD CUI but actually give them… a secure pipeline that would enable them to accelerate their potential delivery into the DoD environment as well as protecting that software through its development cycles?” Vietmeyer said. 

While that last part is just a concept right now, DoD is already trying to work on helping businesses protect its information, as the White House’s National Cyber Strategy called “industry and government to pick up a greater share because of the challenges we’re facing from a cyber defense perspective,” he said.

“In my mind, these are some of these avenues that we’re looking at at an idea phase now to see if we can put resources behind it,” he added.

The National Cyber Strategy, released in March, seeks to “rebalance” the responsibility of defending cybersecurity to the “most capable and best positioned actors” in the US. According to the strategy, the “burden” of responsibility would be shifted to larger businesses and the government in the face of threats from state actors like Russia and China.

Meanwhile, DoD last month submitted its own long-awaited cyber strategy to Congress. In a March interview with Breaking Defense, DoD CIO John Sherman said the strategy would “directly align” with the National Cyber Strategy. 

While the strategy is classified, a public fact sheet laid out the main themes, including maximizing “cyber capabilities in support of integrated deterrence,” countering adversaries and partnering with allies and partners to defend the cyber domain.”