Pentagon issues memorandum placing CMMC program under direct oversight of DOD CIO Sherman

By Sara Friedman  / February 3, 2022

The Cybersecurity Maturity Model Certification program is moving from the Pentagon's acquisition arm to direct oversight by Defense Department Chief Information Officer John Sherman, according to a memorandum obtained by Inside Cybersecurity.

“Effective immediately, the Chief Information Security Office in the Office of the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) and the position of Chief Information Security Officer established pursuant to the Assistant Secretary of Defense for Acquisition memorandum, ‘Establishment of the Chief Information Security Office,’ July 24, 2019, are disestablished, and that memorandum is cancelled,” the Feb. 2 memo states.

On CMMC, it says, “Additionally, I hereby assign responsibility for the Cybersecurity Maturity Model Certification program and those aspects of DOD's Supply Chain Risk Management (SCRM) program related to telecommunication infrastructure to the Chief Information Officer of the Department of Defense (DOD CIO). These responsibilities will augment and align with responsibilities already assigned to, and being performed by, the DOD CIO.”

Jesse Salazar, deputy assistant secretary of defense for industrial policy, assumed responsibility over the CMMC program in 2021, while the program was under an internal review. Defense Deputy Secretary Kathleen Hicks signed the memo.

The memo also cancels the USD(A&S) 2021 memorandum, “Responsibilities for the Chief Information Security Officer for Acquisition and Sustainment.”

Hicks wrote:

The USD(A&S) shall retain responsibility for the following activities:

1. The Strategic Cybersecurity Program established by section 1640 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2018, as amended by section 1712(b) of the William M. (Mac) Thornberry NDAA for FY 2021.

2. The SCRM program responsibilities, except those related to telecommunications, to include those associated with title 10, U.S.C., sections 2339a and 2509.

3. The responsibilities for evaluation of cyber vulnerabilities of major weapon systems of the DoD required by section 1647 of the NDAA for FY 2017, as amended by section 1633 of the NDAA for FY 2020 and by section 1712(a) of the William M. (Mac) Thornberry NDAA for FY 2021.

The DOD CIO office has played an active role in the development of CMMC as the holder of the CMMC standard.

DOD announced a substantial overhaul of the cyber certification program on Nov. 4, now called CMMC 2.0, consolidating the maturity levels from five to three. The department also removed the 20 additional practices and three processes originally required at level three, so that the standard is identical to NIST Special Publication 800-171, and made other substantial changes.

“We are still committed to [defense industrial base] cybersecurity and you will see that in the changes that we have made,” David McKeown, deputy DOD CIO for cybersecurity, said at a November meeting hosted by the CMMC Accreditation Body. “We feel that maybe the first go-around we cast too wide a net and attempted to enforce some cybersecurity practices on companies that may have not needed to have them because the data they possess wasn’t sensitive DOD data.”

The new approach is “more risk-based,” McKeown said, with a focus on the types of data. By aligning “very strictly” with NIST standards, he said, DOD is showing it is committed to “not invent[ing] a whole bunch of extra controls on our own. If additional controls are needed, we are going to work with NIST to get those added in.”