The Pentagon is officially moving responsibility for the Cybersecurity Maturity Model Certification program to the Defense Department chief information officer, while simultaneously disbanding the acquisition position that previously led the program.
The shift is laid out in a Feb. 2 memo signed by Deputy Defense Secretary Kathleen Hicks. The office of the under secretary for acquisition and sustainment has led CMMC since the program’s inception in 2019.
A team of six civilians from A&S, including CMMC Director Stacy Bostjanick, will move over to the CIO’s office, along with associated contract support, according to a statement from the Defense Department.
“I’d like to highlight the great work by A&S to establish the CMMC program,” John Sherman, DoD CIO, said in the statement. “As we realign responsibility for the program, it’s important to note that we will continue to work closely with A&S on this program.”
The A&S team will be aligned under David McKeown, the deputy CIO for cybersecurity, “to increase the program’s integration with other Defense Industrial Base Cybersecurity programs,” according to Sherman.
“We are moving out in the coming weeks on the rulemaking process and look forward to continuing critical collaboration with industry stakeholders,” he added.
The CIO’s office plans to submit “proposed changes to the Defense Federal Acquisition Regulation Supplement (DFARS) rule-making process to ensure maximum collaboration on these requirements,” according to DoD’s statement.
The shift of the high-profile contractor cybersecurity program had been anticipated for months. In responses he gave to advanced policy questions for his October confirmation hearing, DoD CIO John Sherman said CMMC “might” shift to his office.
But Sherman wrote that the Acquisition and Sustainment office would continue to lead engagements with the defense industrial base.
“If confirmed, I will continue to work with USD(A&S) to align acquisition and cybersecurity policy while identifying any gaps that may arise in our joint cyber assurance responsibilities,” he wrote.
Sherman, who previously served as acting CIO, was confirmed and sworn in in December.
The Pentagon overhauled the CMMC program late last year, significantly reducing the number of companies that will need to achieve a certification to win defense contracts. Under “CMMC 2.0,” only companies that handle more sensitive unclassified information will need a CMMC certification.
The program was also delayed. In December, a Pentagon official said it could take anywhere from nine to 24 months for DoD to publish a rule that would lead to CMMC requirements showing up in contracts.
Hicks’ memo additionally directs the disestablishment of the chief information security officer role within the office of Acquisition and Sustainment.
That position was created in 2019 and held by Katie Arrington, who previously led the CMMC initiative. But Arrington was placed on administrative leave last May after the National Security Agency suspended her security clearance for allegedly disclosing classified information.
As for those who remain in the CISO office, Hicks wrote, “affected personnel will be reassigned as soon as practicable in the same grade and series, or equivalent, and on the same position descriptions to other positions in the Office of the Secretary of Defense, as appropriate.”
Bob Metzger, head of the Washington office for law firm Rogers Joseph O’Donnell, said the shift to the CIO’s office makes sense given the lack of Senate-confirmed leadership in the acquisition and sustainment directorate.
“It’s important to have leadership that can make decisions and implement them, especially as they are undertaking the very significant challenge of recasting the program through two new rulemaking efforts,” Metzger said. “So one of the key reasons that this move was made, was to get it in the hands of officials who can be, and I understand, are decisive.”
Metzger also said industry is again becoming frustrated regarding a lack of information on DoD’s plans for implementing CMMC 2.0. Pentagon officials said very little about the program for most of last year during a lengthy review process that ultimately culminated in the revised plan for the program.
“There are some issues that are surfacing that are genuinely complex and merit discussion and then decision,” Metzger said. “It’s not going to be good to have another six months where DoD is working within a closed black box, and industry is waiting for smoke to emerge before it is told what it must do.”
Meanwhile, the acquisition and sustainment office will continue to be responsible for the Pentagon’s “Strategic Cybersecurity Program,” according to Hicks’ memo. That program aims to negate cybersecurity risks to high-priority DoD missions such as nuclear deterrence and offensive cyber operations.
The acquisition office will also maintain responsibility for supply chain risk management, except for telecommunications infrastructure, according to the memo. It will also continue to be responsible for evaluating cybersecurity vulnerabilities in major weapon systems.