WASHINGTON — The Department of Defense’s chief information officer will now oversee the department’s cybersecurity program aimed at securing the networks of hundreds of thousands of defense contractors.
Deputy Secretary of Defense Kathleen Hicks directed the realignment of the Cybersecurity Maturity Model Certification from the undersecretary of defense for acquisition and sustainment to the CIO Feb. 2.
CMMC seeks to create new standards and controls for defense contractors as a means of better protecting data from being exploited by foreign hackers. It is based upon a tiered cybersecurity framework that grades companies on a scale of one to five based on the level of classification and security necessary for their work. It was initially conceived to keep contractor information from being exploited by adversaries. Officials have previously said cyber theft by adversaries costs the country $600 billion a year.
“As we realign responsibility for the program, it’s important to note that we will continue to work closely with A&S on this program,” DoD CIO John Sherman said in a statement.
The realignment — which moves six DoD civilians along with contractor support — will increase CMMC’s integration with other defense industrial base cybersecurity programs, Sherman said. During the coming weeks, the CIO will begin submitting proposed changes to the Defense Federal Acquisition Regulation Supplement rule-making process to ensure proper collaboration on requirements with these other efforts.
DoD has sought to consolidate a variety of industry-related cybersecurity programs under common leadership to maximize collaboration, the department noted in a statement.
This move follows a November 2020 decision to revamp CMMC, announced as CMMC 2.0. That initiative included enhancements to the initial program first developed during the Trump administration, such as simplifying the standard with additional clarity on regulatory, policy and contracting requirements, focusing the most advanced cybersecurity standards and third-party assessment requirements on contractors supporting the highest priority programs, and increasing oversight of professional and ethical standards.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.