The Department of Defense has been working on creating a Defense Industrial Base cybersecurity strategy that is expected to be released by the end of the year, according to DOD Acting Principal Deputy CIO David McKeown, a 2023 Wash100 Award winner.
“If you’ve done business with us, you know that there’s a variety of folks within the DoD that provide a variety of different tools, and assessments, and things like that in support of the Defense Industrial Base,” explained McKeown at a recent GovExec event. “Our strategy is bringing all of the pieces and parts within the department together and laying it out who’s going to be doing what.”
This strategy is the latest in a slew of cyber-focused strategies, principles and approaches — things like zero trust and CMMC — to be embraced by the DOD in recent years. Curious how they all fit together? Hear David McKeown, Zero Trust Portfolio Management Office Director Randy Resnick, Federal CISO Chris DeRusha and other cyber experts speak in-person on these topics during the 2023 Cyber Summit on June 8! Register here.
The new DIB cyber strategy consists of five phases — identify, protect, detection, response and recovery — and McKeown said the steering committee that has been working on this for the past six months has “fleshed out the actual line items in each of those areas.”
“I think we’re about one meeting away from nailing all those down,” he added.
McKeown’s Update on Zero Trust
In addition to working more closely with DIB partners, the DOD is focusing heavily on zero trust. At the start of 2022, the Office of Management and Budget released a memorandum requiring federal agencies to meet specific cybersecurity and zero trust standards by the end of fiscal year 2024.
Later that year, the DOD released a zero trust strategy and roadmap that outlines how the department aims to achieve targeted level zero trust implementation by 2027 and advanced zero trust implementation by 2032.
McKeown said recently that the department is on track to meet, and even possibly exceed that goal, especially given the DOD’s growing partnership with commercial cloud providers through the Joint Warfighting Cloud Capability contract.
“We think our partnership with these cloud providers may in fact accelerate our goal to get the zero trust earlier than 2027,” McKeown said at the ExecutiveBiz Cloud Security Forum. “We’re very optimistic about that and very happy that all of these cloud service providers are willing to partner with us.”
CMMC Coming in the Fall
The DOD’s Cybersecurity Maturity Model Certification program, which outlines and enforces information security requirements for the DOD’s DIB partners, has been in the works for years but is nearing its final stages of development before becoming a requirement in DOD contracts.
The DOD previously said this iteration of the program, dubbed CMMC 2.0, was expected to become part of contracts this summer, but McKeown said that target timeframe has slightly shifted.
“We’re targeting late fall of next year, so that can start to be put into contracts,” McKeown said.
“We still don’t have CMMC 2.0 out of the building yet because we’re working to get it right. It’s going to go to the Small Business Administration first and then into [the Office of Management and Budget] here in the hopefully very near future…rest assured we want to get this right,” Sherman shared.
Get the latest updates from DOD cyber officials this summer during the Potomac Officers Club’s 2023 Cyber Summit! Join us on June 8 for a unique opportunity to network with, learn from and forge partnerships with government and industry leaders. Register here.