The Deputy CIO for Cybersecurity at the Defense Department (DoD) said on May 18 that the Pentagon is in the process of creating a Defense Industrial Base (DIB) Cybersecurity Strategy and estimated that it would be made available to the public later this year.
“We are working on a strategy – a DIB cybersecurity strategy – that we hope to have out later this year,” DoD’s David McKeown – who also serves as the agency’s CISO – said at GovExec’s Cyber Summit in Washington, D.C.
McKeown explained that the Pentagon has been working on the strategy for the last six months and plans to publicly release it in the next six months.
“If you’ve done business with us, you know that there’s a variety of folks within the DoD that provide a variety of different tools, and assessments, and things like that in support of the Defense Industrial Base,” McKeown said. “Our strategy is bringing all of the pieces and parts within the department together and laying it out who’s going to be doing what.”
The Pentagon official explained that the strategy was created and overlaid on top of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.
McKeown explained that the new strategy will consist of five phases: identify, protect, detect, respond, and recover.
“We will have the identify phase – what the government is going to do to help industry show that we can identify what needs to be protected. Then there’s the protect,” he explained. “So, what are the measures in place to protect the data?”
McKeown explained that the DIB Cybersecurity Strategy will also rationalize all of the tools that the DoD offers for industry that are “cheap,” “easy,” and “you don’t have to be the greatest cybersecurity wizard in the world to implement them.”
McKeown explained that Congress asked that the Pentagon develop a framework, so he formed a steering committee six months ago and there has been a “partnership amongst everybody in the department that does things for DIB.”
“We’re getting close. We have fleshed out the actual line items in each of those areas – the identify, protect, detect, respond, and recover – and I think we’re about one meeting away from nailing all those down,” he said. “Then we’ll take that and then put it into words and sign an actual document. So, I think we’re probably no more than six months away.”
CMMC Hitting Contracts Next Fall
The DCIO for Cybersecurity also said on Thursday that the Pentagon is “really focused on DIB cybersecurity, and we continue to work on the [Cybersecurity Maturity Model Certification] (CMMC) rule.”
“That’s progressing pretty well inside the building,” McKeown said. “We’re working through [Office of the General Counsel] (OGC) right now to get that out of the building, get it over to the Office of Small Business, and then follow up at [Office of Management and Budget] (OMB). We’re targeting late fall of next year, so that can start to be put into contracts.”
McKeown also said that the Pentagon is working with the private sector to streamline and do better business with industry. For example, the DoD is trying to work through pain points and reduce the barrier to entry for small and medium-sized businesses through a pilot of a commercial cloud offering.
This, he said, will equip small and medium-sized businesses to better work with the department in relation to CMMC compliance.
The CMMC 2.0 rulemaking process has been a lengthy one, with DoD officials originally stating that they expected the program to become a part of contracts this summer.