The Department of Defense’s Cybersecurity Maturity Model Certification program has been moved to the office of the chief information officer, according to a memo signed by the deputy secretary of defense.
The change comes as the office that created and oversaw CMMC from its outset, the chief information security officer for acquisition and sustainment, has been dissolved. Moving CMMC from acquisition and sustainment to the CIO’s office was first suggested during a top-down review of CMMC in the summer of 2021.
“These responsibilities will [now] augment and align with responsibilities already assigned to, and being performed by, the DoD CIO,” the memo, dated Feb. 2, states.
In a statement, DOD CIO John Sherman said: “I’d like to highlight the great work by A&S to establish the CMMC program.” He added: “As we realign responsibility for the program, it’s important to note that we will continue to work closely with A&S on this program.”
The CMMC program was created by acquisition and sustainment officials to ensure contractors complied with cybersecurity controls in order to protect controlled unclassified information. While an acquisition problem, the management of cybersecurity policy and controls drifted into the CIO’s traditional remit. When news of the move was first being discussed, not all agreed that CIO should take over the program management office overseeing the new regulations.
“While I think there should be collaboration with CIO, I do not support the moving of billets to CIO or handing of overall leadership,”former head of acquisition and sustainment Ellen Lord, told this publication in an interview last year.
The now-dissolved CISO for acquisition and sustainment position was only held by one official: Katie Arrington. She first held the job as a highly qualified expert and later as a senior executive, before being suspended from her role and her security clearance revoked. A lawsuit brought by Arrington against the DOD in relation to the suspension has been dismissed following a settlement, according to court documents dated Jan. 28.
Along with the CMMC PMO’s office, the Supply Chain Risk Management (SCRM) program and responsibilities for evaluating the cyber vulnerabilities of major weapon systems is also being moved to CIO.
CMMC policy was recently dramatically reduced in scope. In CMMC 2.0, the original five tiers of security have been collapsed into three, and far fewer contractors will be required to get a third-party verification of their cyber compliance. It’s unclear how the move to CIO might impact the rule-making process or policy decision from the department.
The CIO’s office did not return a request for comment before publication.
Speaking to FedScoop, government contracts specialist and Rogers Joseph O’Donnell attorney Bob Metzger said, “This is not unexpected and, in my opinion, is a positive step. We can expect the CIO Office to be more informed on the many technical issues that arise from NIST and CMMC requirements, and it is likely they will be more decisive and take more initiative than we’ve seen from A&S during 2021.
He added: “Without question, the CIO’s office knows the importance of protecting the DIB against cyber threats. Giving them the authority to lead, in my judgment, improves the prospects that CMMC will succeed.”
Editor’s note: This story was updated to include comments from DOD CIO John Sherman and attorney Bob Metzger.