DoD CIO participates in cybersecurity virtual forum

John Sherman, then Acting Department of Defense Chief Information Officer, participates in a virtual panel with Billington Cybersecurity at the Pentagon, April 15, 2021 (DoD photo by Chad J. McNeeley)

GEOINT — The Pentagon has rolled out new cybersecurity guidance, with the intent of resolving what Chief Information Officer John Sherman has characterized as sluggish, duplicative processes that hinder technology and software innovation.

The plan, according to a one-pager signed by Deputy Defense Secretary Kathleen Hicks last week and released on Wednesday, revolves around enforcing the concept of “reciprocity,” which essentially means if one office certifies that a system is cyber secure, then all offices can accept it instead of having to redo the certification process.

Sherman announced the new guidance during a keynote at the annual GEOINT symposium in Orlando, Fla. on Wednesday, telling the crowd that, “Immediately after I get done talking we’re about to publish new guidance the Deputy Secretary signed out that is going to direct reciprocity by default within the Department of Defense.”

Sherman explained that this move will assure “that folks don’t have to check each other’s homework over and over again,” unless an official has “bona fide reasons” to perform rechecks.

“We’re gonna move to reciprocity by default and start to dynamite through this,” he added.

The move comes after a multitude of complaints from within the department and from industry leaders surfaced over authority to operate (ATO) procedures. ATO procedures have been viewed as a problem because they’re not just slow and bureaucratic, but also redundant: different organizations often each have their own Authorizing Official (AO) who has to grant a piece of software an ATO before it can be implemented.

AOs often have different criteria, so the software company going through this process has to operate a little differently each time, dragging the process down when the office next door may already have been cleared to use the same software.

“We’ve heard you loud and clear on this within the DoD. I’m not going to say this is going to solve every bit of it, but it’s going to help us a bit,” Sherman said.

Though Sherman made clear that this initiative is dedicated to cutting down time, he emphasized that the process can be more complicated and might require another step, which he said his office is prepared to assist with.

“There’s going to be a second major aspect of this. It’s going to be, if an authorizing official feels like they’re being hindered in some way, they can elevate it directly to my office working with our chief information security officer,” Sherman said.

In addition to saving time, reciprocity also saves money, as it lets federal entities reuse other organizations’ internal and external findings, which in turn reduces the cost of approving IT systems that operate on various networks.

“This is coming from the deputy secretary on down that reciprocity should be a default. It should be the first choice as opposed to having to redo all the due diligence again,” Sherman told DefenseScoop in an interview Wednesday. 

The guidance published Wednesday, formally titled “Resolving Risk Management Framework and Cybersecurity Reciprocity Issues,” states that the “Department implements the Risk Management Framework (RMF), in accordance with DoD Instruction 8510.01, to guide how we build, field, and maintain cyber secure and survivable capabilities.”

While the RMF is guidance for the Pentagon, the CIO also plans to provide similar direction for the breadth of the intelligence community, Sherman told DefenseScoop. 

“That’s kind of our next hill to climb later, because of different classifications and where those bodies of evidence are kept on secret or top secret, versus unclassified databases and so on,” he told the outlet. 

Theresa Hitchens in Orlando contributed to this report.