White House pick for DOD CIO eyes tweaks to CMMC

The Biden administration's pick to be the Pentagon's tech chief wants to make it easier for small businesses to adhere to the Defense Department's cybersecurity standards and expand network optimization across the entire enterprise.

John Sherman, chief information officer of the intelligence community, leads off day two of the 2018 DoDIIS Worldwide Conference, Aug. 14, 2018, in Omaha, Nebraska.  Photo by Brian Murphy

John Sherman as CIO of the Intelligence Community in 2018. (Photo credit: Brian Murphy)

The Biden administration's pick to be the Pentagon's tech chief wants to make it easier for small businesses to adhere to the Defense Department's cybersecurity standards.

John Sherman, who was previously Defense Department's principal deputy CIO and acting CIO, told the Senate Armed Services Committee Oct. 28 that he would seek to update the Cybersecurity Maturity Model Certification (CMMC) program to be "not onerous" for small and medium-sized businesses, if confirmed.

Additionally, Sherman said he would work with the National Security Agency and U.S. Cyber Command to provide a "cybersecurity-as-a-service" model that would give businesses "templates and guides on how to do this so they don't have to reinvent the wheel."

A similar idea was floated in 2019 by then-Navy Undersecretary Thomas Modly where defense contractors would use an IT solution hosted by the Navy as an option for managing sensitive or controlled data. Modly said then that getting subcontractors and lower tier suppliers to adhere to strict cybersecurity standards was a key priority as foreign adversaries attempted to access vendor systems and gather sensitive, but not classified, information.

Sen. Tommy Tuberville (R-Ala.), who serves on SASC's Subcommittee on Emerging Threats and Capabilities, raised concerns during the Oct. 28 confirmation hearing about security among the defense industrial base, especially when DOD stands to spend around $116 billion research and development based on the committee's mark of the 2022 National Defense Authorization Act -- much of which will go to contractors.

"Many of them will be small businesses and for some it will be their first DOD contract. Unfortunately, for these contractors, cyberattacks against our homeland are growing, making their small businesses a target in the eyes of our adversaries," Tuberville said, noting that Alabama had 5,000 defense contractors. "It is self-defeating to spend billions a year on cutting edge technologies and critical research and then let China and Russia sneak through the back door. We cannot expect our DOD contractors, especially our small businesses, to fend for themselves."

FCW reached out to DOD for additional information on Sherman's comments but did not receive a response as of publication.

The Pentagon has been conducting reviews of the CMMC program for several months. But the former CIO for the intelligence community in the Office of the Director for National Intelligence also noted that oversight of CMMC is expected to be subsumed into the DOD's CIO office and led by the chief information security officer. The program is currently led by the undersecretary of defense for acquisition and sustainment.

"Cybersecurity is the paramount activity of the chief information officer," Sherman testified.

The shift in CMMC oversight would mean the "DOD CIO/CISO would provide the centralized cybersecurity oversight of the CMMC activities, with USD(A&S) maintaining the department's lead role for overall engagement with the defense industrial base," Sherman wrote in written responses to lawmaker questions submitted in advance of the hearing.

Sherman also testified that to reduce IT costs, he would expand the Fourth Estate Network Optimization effort for the 26 defense agencies and field activities led by the Defense Information Systems Agency and "scale that to the department level" while also building on what the military departments are doing, such as the Navy Department's CATTLE DRIVE to reduce duplicative systems.