The Cybersecurity Maturity Model Certification has been divisive throughout its creation over the last decade-plus, but especially since its implementation in 2017 as a requirement for defense industrial base organizations. As part of the initiative, contracting companies working with the Department of Defense must have their cyber protection systems evaluated against a framework developed by the National Institute of Standards and Technology. Some critics have wondered whether the process impedes innovation or slows down mission operations that need to be swift.
John Sherman, chief information officer of DOD and a 2023 Wash100 winner, said the Pentagon is hard at work on the second iteration of CMMC, but stipulated that they are being thorough about their work so as to make the process functional and helpful for DOD vendors. He acknowledged its “highly controversial” nature while still making clear his support of the program.
“We still don’t have CMMC 2.0 out of the building yet because we’re working to get it right. It’s going to go to the Small Business Administration first and then into [the Office of Management and Budget] here in the hopefully very near future…rest assured we want to get this right,” Sherman told an audience at the Potomac Officers Club’s 4th Annual CIO Summit at the Hilton-McLean on Tuesday.
Sherman went on to state his firm belief in the CMMC as a necessity to ensure that the U.S. protects its sensitive data and information as carefully as possible. Noting the frequency with which American weapons and technologies are copied and replicated by the country’s adversaries, he said he refuses to help steer an organization like the DOD in a way that compromises safety and security. Therefore, Sherman suggested, undertakings like the CMMC must be utilized, though he assures the department is constructing CMMC 2.0 in “an empathetic way but in a way that holds the broader ecosystem accountable.”
This was a recurring theme of Sherman’s remarks — a call for “firm measures” over “anecdotes,” imploring the DIB to “think differently about how we harden our weapon systems, our networks” in the face of the “pacing threats” of China and Russia as well as nations like Iran and North Korea. Sherman asserted this should be done by remediating technical debt that has been accrued by “key weapon systems.”
He also said the DOD is putting an emphasis on software modernization.
“Moving from a hardware defined enterprise to a software defined enterprise is going to be critical in our ability to put the PRC back on their heels. Not to have legacy types of architectures, but adaptable software defined architectures that we can update, be more cyber secure and move to DevSecOps at the speed of mission,” Sherman outlined.
During his keynote, the DOD CIO strongly endorsed the Joint Warfighting Cloud Capability contract as the next logical step after the Joint Enterprise Defense Infrastructure contract, the aborted commercial off-the-shelf technology acquisition effort which Sherman nonetheless said was “the right decision at the time.”
He made sure to carve out time to highlight what he sees as the under-discussed Resources and Analysis office of the DOD, which handles important tasks such as budget certification and putting together the CIO Planning Guidance. Sherman was fastidious about giving credit where it was due throughout the speech, citing numerous particular program heads. He described the DOD as a “team of teams” and also advised the audience — in which there were several private and public sector CIOs — to “be flexible” if they want to someday be a CIO at his level.