BALTIMORE — The Pentagon’s top IT officer is pushing for a more forceful and aggressive “foundational cybersecurity” posture, not just for the military, but for the contracting community as well, she said today.
“Our posture extends beyond our own digital networks into yours, our defense industrial base,” Department of Defense Chief Information Officer Kirsten Davies said at the TechNet Cyber conference here today. “A compromise at a small supplier can jeopardize a war fighter making a real time decision, and I don’t think that’s acceptable for any one of us in this room. That should make us all very uncomfortable, that that small of a compromise can impact a war fighter out at the edge. Let’s put a greater focus on our foundational cybersecurity.”
She noted that the security of the defense industrial base, the contractors and suppliers that provide the equipment for the department, is also warfighter security, because any compromise of those networks affects the capabilities at the edge. As a result, she expressed a desire to move beyond compliance.
“Compliance does not equal security. It did not when I was in industry, and it does not from my seat where I am today. We must pursue a relentless focus on operational resilience, which is a byproduct, a dynamic fit for purpose cybersecurity posture,” she said.
In fact, the department has been looking to move away from a compliance focus for years, unveiling in 2019 the Cybersecurity Maturity Model Certification (CMMC), a framework mandating that companies that do business with the Pentagon achieve a base level of cybersecurity. The program has undergone several changes since being announced.
Davies told a small group of reporters last week that she will be talking a bit more about CMMC “at a later time.”
Overall, she told the TechNet audience today that the department is making a paradigm shift in cybersecurity by transforming its cybersecurity program into a “unified, holistic, and risk-driven function,” with a bias for action.
She also announced there are changes coming to the office of the CIO in the coming months “driven by a singular, unyielding focus operationalizing our programs to better serve the war fighters.” She did not, however, offer specifics on what those changes will be.