The secretary’s order, signed Friday but first made public Tuesday, came after an eye-opening investigation by ProPublica revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

Short on specific details, Hegseth’s order enlists the CIO — with the support of the department’s heads of acquisition and sustainment, intelligence and security, and research and engineering — to “take immediate actions to ensure to the maximum extent possible that all information technology capabilities, including cloud services, developed and procured for DoD are reviewed and validated as secure against supply chain attacks by adversaries such as China and Russia.”

Hegseth first referenced his order in a video posted to X on Friday, in which he said, “some tech companies have been using cheap Chinese labor to assist with DoD cloud services,” calling for a “two-week review” to make sure that isn’t happening anywhere else in the department’s tech supply chains.

The secretary, in both his video and the new memo, stopped short of calling out Microsoft specifically. However, a spokesperson for the company has since stated publicly that it has made changes to “assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.”

“This is obviously unacceptable, especially in today’s digital threat environment,” Hegseth said in the Friday video, claiming that the system at the center of the incident is “a legacy system created over a decade ago during the Obama administration.”

He added: “We have to ensure the digital systems that we use here at the Defense Department are ironclad and impenetrable, and that’s why today I’m announcing that China will no longer have any involvement whatsoever in our cloud services.”

The memo itself calls on the department to “fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated and determine what, if any, additional actions may be required to address these risks.” Specifically, it cites the Cybersecurity Maturity Model Certification (CMMC) — the final rule for which, as of Wednesday, is undergoing regulatory review with the Office of Management and Budget — acting CIO Katie Arrington’s new Software Fast Track program, and the FedRAMP process as existing efforts the Pentagon CIO should rely on to ensure the department’s tech is secure.

Within 15 days of the order’s signing, DOD’s Office of the CIO must issue additional implementing guidance on the matter, led by department CISO Dave McKeown.

On top of that, it taps the undersecretary of defense for intelligence and security to “review and validate personnel security practices and insider threat programs of the DIB and cloud service providers to the maximum extent possible.”

The post Hegseth calls on DOD CIO to protect tech supply chain from influence of China appeared first on DefenseScoop.

As part of the new role, McKeown will stand up and lead the CIO’s Cybersecurity Center of Excellence, which will focus on tackling long-range and complex innovation challenges for cybersecurity modernization. He will be responsible for a range of programs and operations that will ensure the Pentagon is prepared to meet emerging cybersecurity threats, the DOD CIO noted in a statement posted on LinkedIn.

“Establishing this new office divorces the day-to-day activities such as zero trust implementation, defense industrial base cybersecurity programs and policy development from the requirement to look over the horizon and take on the following cybersecurity threat,” the statement said. “With the Special Advisor for Cybersecurity Innovation, we are building an office to create transformational breakthroughs and drive strategic invention in cybersecurity.”

McKeown most recently served as both the deputy CIO for cybersecurity and chief information security officer since 2020 — a dual-hatted position where he led the department’s wide-ranging cybersecurity modernization efforts and associated policies. His tenure has seen the introduction of cutting-edge technologies and robust protocols to fortify the Pentagon’s cyber defenses.

He has been at the forefront of implementing the DOD’s zero trust strategy while overseeing adoption of the new cybersecurity standards at organizations across the Pentagon. McKeown has also worked to strengthen cybersecurity within the defense industrial base and helped the department revamp the Cybersecurity Maturity Model Certification (CMMC) standards. 

McKeown has over three decades of experience working in the Defense Department, including 27 years serving in the Air Force and 8 years as a government civilian employee. His prior roles include working as an Air Force cyberspace operations officer; the director of enterprise information and mission assurance for the Army’s Information Technology Agency; and the cybersecurity center chief and enterprise services center chief for the Defense Information Systems Agency’s Joint Service Provider.

Prior to joining the DOD CIO, McKeown also led the Department of Justice’s Service Delivery Staff. Prior to that role, he ran enterprise services and cybersecurity for the DOD’s Joint Service Provider.

Gurpreet Bhatia will assume the duties of acting deputy CIO for cybersecurity and CISO. He previously served as the DOD’s principal director for cybersecurity and deputy chief information security officer.

The post DOD taps McKeown to serve as new special assistant for cybersecurity innovation  appeared first on DefenseScoop.

In 2022, the Defense Department released its first strategy and a reference architecture for operating under zero trust — a cybersecurity concept that assumes networks are already compromised by adversaries, meaning the Pentagon must constantly monitor and authenticate users and their devices as they move through a network.

The strategy outlined what it considers “target levels” of zero trust, which are a minimum set of 91 capability outcomes that agencies and components at the department must meet to secure and protect networks. The Pentagon’s goal is to achieve those target levels no later than Sept. 30, 2027.

Despite the seemingly aggressive timeline for introducing an entirely new cybersecurity concept across the department, different IT officials at the Defense Department said this week that they are on track to meet the deadline.

“We’re clearly in the implementation phase,” Dave McKeown, DOD chief information security officer and deputy chief information officer for cybersecurity, said Wednesday at the Defense Acquisition University’s Zero Trust Symposium. “We’ve done a lot of planning, we’ve tried to educate the force, we’ve gotten the plans all submitted. And now, we’ve got to move into execution.”

Hit the ground running

To help streamline zero trust adoption across the enterprise, the Pentagon established a zero trust portfolio management office led by Randy Resnick. During the remainder of fiscal 2024 and into fiscal 2025, the office plans to rapidly move out on developing zero trust proof of concept pilots, with at least 15 pilots already lined up, Resnick said Tuesday during the symposium.

Getting the pilots off the ground will hopefully mitigate any apprehension about the possibility of implementing zero trust by 2027 that Pentagon components may have, he noted.

“If we start generating potential solutions that have been independently assessed, and validated to hit target, then we’re showing that this assemblage of vendors or products put together in a certain configuration can actually deliver the results that we see coming out of zero trust,” Resnick said. “And so, it would be then up to the components that decide what they want to do next.”

While the goal is to adopt zero trust across the department, officials have emphasized that there is no one-size-fits-all approach to implementation. To that end, the zero trust strategy provided a capability execution roadmap with three courses of action (COAs) that agencies and components may take.

Resnick said the 15 pilots planned by the portfolio management office will focus on COA 1, which uses a brownfield approach by adding new technology to existing IT infrastructure.

In the future, the office wants to launch pilots for COAs 2 and 3 — which will leverage zero trust-compliant commercial cloud capabilities and government-owned clouds, respectively. McKeown said DOD is working with industry on those COAs, stressing to them the importance of having integrated solutions that meet target-level requirements.

The Pentagon CIO’s office will also continue work in facilitating assessments of vendor zero trust technology and integration, Resnick noted.

Companies are being asked to independently integrate and test their products to see if they reach target levels of zero trust. If those companies feel they have achieved the necessary requirements and the Defense Department agrees with the assessment, the vendors will be invited to participate in “purple team assessments” that test and analyze how both adversaries and cyber defenders act in the environment, Resnick explained.

If the integrated system meets target levels of zero trust or higher, then the Pentagon can officially give it the green light via adjudication, he said.

“It’s an important element of approval because that would give a signal to DOD and any other customer that this configuration with these hardware and software … delivered to us target-level [zero trust],” he added.

Conducting red, blue and combined purple team assessments of the environments is critical to delivering integrated zero-trust solutions, McKeown said.

“We have fielded lots of good cybersecurity tools throughout the [DOD Information Network] over the past decades. All of these tools served a purpose, but were not well integrated,” he said. “Integration is the key to making all of the tools work more synergistically together and improving the effectiveness of our cyber defenses.”

A need to go faster

As it continues to move forward with zero trust implementation, the DOD CIO’s office is incorporating mechanisms that aim to speed up the process and keep efforts on track for the 2027 deadline.

A key lesson came in recent months when the portfolio management office reviewed and approved the first zero trust implementation plans that each DOD agency and component submitted. The CIO’s office is requiring individual components to create and submit these implementation plans each year by October.

Resnick said his office approved all 39 of the submitted plans in January and then provided an update to Congress based on those reviews in March. It was an effort that required a lot of back-and-forth communication with each component and took 35 full-time employees three-and-a-half months to complete, he noted.

Now, the portfolio management office is looking at how it can automate the process for future years, Resnick said.

“It was a tremendous effort. We did it once, and the lessons learned here was that we really can’t repeat this process. It is untenable,” he said. “We need to automate the assessment process. We need to put it in electronic form where we could actually apply AI tools to actually ask questions and to achieve answers based on the submissions, and that’s where our head is going right now.”

In addition, DOD CIO John Sherman said that he is working to improve the authorization (ATO) and continuous authorization (cATO) processes that are used to minimize and manage cybersecurity risk responsibility for software systems.

Speaking Tuesday at the symposium, Sherman said it is likely that guidance on “reciprocity by default” will be released that will address the lengthy time and repetitive efforts associated with ATOs.

His office is also working on evaluation criteria for cATOs, with a draft already outlined and plans to talk with each of the services about their own cATO evaluation criteria underway, he said.

“It takes too long to get software deployed and other capabilities. And these are patriotic Americans working hard to do the right thing by implementing the [risk management framework], but we’ve got to do better on this,” Sherman said.

Reaching target levels and beyond

Although the Defense Department believes it is on track to reach target-level zero trust by 2027, Sherman highlighted that it still has plenty of work to do ahead of the deadline.

For example, the Pentagon has long discussed implementing an enterprise solution for identity, credential and access management (ICAM) — considered a key component of zero trust. The CIO’s office is still evaluating options for a federated ICAM solution, Sherman said. 

Another ongoing effort is implementing zero trust practices in cloud environments, he added. The department is currently working with all four cloud services providers contracted under the Joint Warfighting Cloud Capability (JWCC) contract — Microsoft, Oracle, Amazon Web Services and Google — to conduct red-teaming assessments and understand zero trust in the cloud, he said.

The Pentagon is also continuing its investments in zero-trust capabilities and expanding the pool of vendors able to offer cyber protection, starting with endpoint security, Sherman noted. The department is already using Microsoft Defender for Endpoint — an enterprise endpoint security platform — for unclassified networks and plans to eventually use it for the secret level as well.

“There will be other opportunities for other cybersecurity service companies for other parts of the enterprise, for non-Microsoft endpoints,” Sherman said. “As we look at [operational technology] and elsewhere — as we expand zero trust out — we’re going to use other companies as well. We do not have a monoculture on one company here.”

As for what happens after the 2027 deadline, the Defense Department is already thinking about how it will implement what it refers to as “advanced levels” of zero trust cybersecurity — as well as other use cases for the architecture.

While target levels cover minimum data security requirements, advanced levels are defined as the achievement of the full set of capability outcomes. Along with the 91 activities that are needed to reach target zero trust, advanced levels will require an additional 61 activities, according to the DOD’s strategy.

“This is not a one and done. We’ve got the target-level zero trust and then the broader implementation of zero trust five years later,” Sherman said.

The Pentagon is also exploring how it will leverage zero trust beyond its information technology infrastructure, such as on weapon systems.

“It’s one thing to do this on networks, it’s another thing to do it on a weapons system or weapon platform, on operational technology, on [supervisory control and data acquisition systems] and so on,” he said. “It’s gonna be a bit of a lift there too. We’re gonna have to figure out how to do this as well because we know their threat vectors there.”

The post With 2027 deadline looming, DOD moves into implementation phase of zero trust transformation appeared first on DefenseScoop.

Broadly, zero trust refers to a cybersecurity concept and framework that requires non-stop monitoring and constant authentication to secure critical national security information — and assumes all networks are compromised from the get-go.

“We published a reference architecture, a strategy and an implementation plan. The strategy and implementation plan do clearly define what we mean by ‘zero trust’ in the Department of Defense. We have two different layers of achieving zero trust — one is targeted, and the other is advanced. We want to achieve targeted zero trust by 2027. We are an extremely large organization with many networks, and while 2027 may not seem that aggressive, it is super aggressive for us to try to get there by that date,” DOD’s dual-hatted Deputy Chief Information Officer and Cybersecurity and Senior Information Security Officer Dave McKeown said.

During his keynote session at the Zero Trust Summit presented by CyberScoop on Thursday, McKeown provided fresh updates on all that’s currently underway for his team in this pursuit, and he discussed how they aim to soon expand the focus beyond traditional networks and move toward implementation across other types of systems as well. 

“As you would probably agree, the construct of zero trust is important no matter what the network is and no matter what the platform is — medical systems, weapons systems, critical infrastructure — we want to be cognizant of that and finish towards that,” he explained.

DOD points to three methods for achieving zero trust, McKeown also noted. Those include: understanding and uplifting the current environment, leveraging cloud services, and using purpose-built on-premises solutions.

The department’s strategy for achieving zero trust for the target level by 2027 is built around 91 activities.

“What have we done since we implemented the strategy? Well, Congress wanted us and the services to brief them on our overarching plans, so we have been working on those,” McKeown said. 

In November, all Defense Department agencies and military services submitted roughly 40 different cybersecurity approach plans to his team for review.

“We were very, very helpful to them. We gave them the outline of what we wanted them to see back and asked questions in the outline, so that when they delivered their plans back to us all of the things that we needed to see were there. We followed up with them once we received those outlines, and they were very good. I will tell you — the maturity of the understanding of zero trust and what we’re trying to achieve is strong within the department,” McKeown said.

There was a bit more back and forth after that and all the updates that were recommended were eventually made, and then those final plans rolled in at the end of January.

“And we’re now we’re going to create an integrated master schedule — my team is, the Zero Trust Portfolio Management Office that’s led by Randy Resnick — based on all those inputs that we came up with, with Congress, we’re gonna move from the planning phase and educating phase into the implementation phase over the next three years,” the deputy CIO noted.

Once those officials have that completely set integrated master schedule, they’ll focus on enabling appropriate zero-trust training across the department.

“We partnered with the Defense Acquisition University to develop training modules. And they go around conducting live-training events to educate people on what zero trust is. This is a huge effort to shift the whole entire department to a new paradigm for cybersecurity, so the training is totally vital,” McKeown said.

The post Deputy CIO gives updates on Pentagon’s ‘aggressive’ plan for achieving zero trust by 2027 appeared first on DefenseScoop.

Speaking at the UiPath Together Public Sector summit, produced by FedScoop, DOD CISO Dave McKeown said that “there are lots of areas where automation can come into play — I think we’re going to fail if we don’t automate as we implement zero trust.”

Numerous government agencies are working to deploy zero-trust architectures, and the Pentagon has set itself a deadline of fully implementing the framework by 2027. Unlike traditional cybersecurity standards that grant users and data in a network implicit trust, a zero-trust framework requires all users and data to be continuously authenticated and authorized as they move throughout the network.

In its 2022 zero-trust strategy, the Pentagon outlined seven pillars to guide the department’s efforts — one of which is “automation and orchestration,” which calls on the Pentagon to automate manual security and other processes across the enterprise.

“We have to log everything that’s going on on the network, and that becomes very voluminous. We have to then go through those logs and look for anomalous behavior,” McKeown said. “These are things that we kind of do now. We don’t do them real well, but we need to scale that up and do that very, very well.”

McKeown noted that automation could play a crucial role in labeling large amounts of data coming in from the Pentagon’s systems, as well as data stored in its repositories.

Automated account provisioning is also being built into the identity, credential and access management (ICAM) solution being implemented across the department, he said. 

“We have 10,000 information systems, at any time we may have had to have 10,000 different accounts created. We want to be able to go into a central place, create accounts, create accounts for any one of those systems, many of those systems and have it done in a reliable fashion where it isn’t the same and all of the lockdowns or permissions are correct,” McKeown said. “Automation can play a huge role there as we move forward with that automated account provisioning.”

Access control functions will also need to largely be automated in order to leverage large amounts of data points and make decisions on whether or not an account can access which sets of data, he said.

“We want to restrict access from places in the world which are dangerous. We want to grant access when all of your tickets are right,” McKeown said. “Your computer that has been scanned shows that it is secure and we’re going to allow you and you’re going to be able to see the data that you want to look at.”

McKeown also noted that automation-powered zero trust could prevent future insider leaks of classified documents — such as those allegedly distributed online by Air National Guardsman Jack Teixeira in April.

He said the Pentagon wants to get involved with automated user activity monitoring to look for anomalous behavior, flag it and even take direct actions to stop it before excessive damage is done.

“Anytime you see anomalous behavior, like after-hours activities, people going to areas of the internet, people going to areas of the network where they’re not supposed to be — you can totally automate the reporting of that and the response to that if you wanted to,” McKeown said.

The post Pentagon’s CISO warns that zero trust will ‘fail’ without automation appeared first on DefenseScoop.

Beavers will take over the role May 8 after Kelly Fletcher vacated it last October to become CIO of the State Department. Since then, DOD Chief Information Security Officer Dave McKeown has filled the role in an acting capacity.

Beavers comes to DOD’s Office of the CIO after serving in the Office of the Undersecretary of Defense for Intelligence & Security as director of enterprise capabilities. She has also spent time as the mobilization assistant to the vice commander of 16th Air Force.

“I’d like to welcome Leslie to the DoD CIO! Her most recent experience in OUSD(I&S) as the Director of Intelligence Surveillance and Reconnaissance Enterprise Capabilities leading the Defense Intelligence Digital Transformation Campaign Plan will enable her to hit the ground running on initiatives such as Zero Trust, JWCC, Software Modernization, and EMSO. I’d also like to thank Dave McKeown for the terrific work he has done filling in as the acting Principal Deputy for the last six months. Dave’s experience, leadership, and drive have been invaluable as we rolled out Zero Trust and awarded JWCC,” DOD CIO John Sherman said in a statement posted on LinkedIn.

As principal deputy CIO, she will be tasked with working with Sherman to advise the secretary of defense and deputy secretary of defense on IT and IT-related matters. She will also work with defense agencies’ and field activities’ CIOs to drive strategic management of resources.

A member of the Air Force Reserves for more than three decades, Beavers earned the rank of brigadier general in 2019.

In 2020, she also joined Academy Securities — a veteran-owned and operated investment bank — as an adviser.

The post Pentagon names new principal deputy CIO appeared first on DefenseScoop.

For the most part, the meetings with the four commercial cloud companies — Amazon, Google, Microsoft and Oracle — were opportunities for the CIOs of the DOD, Air Force, Army and Navy, as well as the head of the Defense Information Systems Agency, to touch base and congratulate them on the JWCC partnership and hear about what they were working on.

But it also provided an opportunity to plot out the work they hope to do together and identify any gaps that might exist, McKeown told DefenseScoop in an interview.

“We just recently awarded the JWCC contract, so it was an opportunity for us to meet in person with all of those vendors, congratulate them on being on the contract, talk about where they’re going to take their offering, look at any new and innovative things that they’re planning that we should be sort of taking a look at early, sharing our requirements, things that we’re trying to do,” he said.

Importantly, McKeown explained, it was also “a way for us to understand their pain points in dealing with the federal government and the DOD, as they look to get certified to be a cloud service provider” and the hefty security requirements involved in that.

McKeown acknowledged that communicating security requirements to vendors and helping them navigate them is a large challenge for the department. “I think we probably need to figure out how to express our processes better,” he said.

“To the outside world, I think that’s half of the problem, not knowing what the next steps are and how to get through those steps,” McKeown said. “Like, if you could stand up a concierge service to kind of guide each one of them through the wickets, I think we could cut the time in half to get them through all the checks and balances in order to get their products approved. But a lot of times, it’s sort of discovery learning on their part — they gotta download documents and figure out: ‘Oh, this is where I gotta go next for this next piece.'”

DOD is also open to feedback from those vendors on how the department could do things differently “that would be better, more streamlined, just as secure … instead of the, you know, one-size-fits-all rigidity that we have right now,” McKeown said, while also admitting that “we’ve got to be faster.”

Despite the desire to move faster, recent events involving DOD’s cloud security may have the opposite effect.

Around the same time as the CIOs’ trip to the West Coast, reports surfaced that large numbers of U.S. military emails containing sensitive personnel data were exposed publicly online via a server hosted on Microsoft’s Azure government cloud. As DefenseScoop reported in the wake of that, the exposure has led to DOD CIO John Sherman reviewing the incident and potentially issuing “direct changes in CSP security measures as required based on any findings and recommendations.”

The Pentagon inspector general also in February issued the results of an audit that found military authorizing officials were not thorough enough in reviewing authority to operate documentation, potentially leaving the services “unaware of vulnerabilities and cybersecurity risks associated with operating their systems or storing their data in the authorized commercial [cloud vendors],” the report concluded.

Talking about balancing the benefits of the commercial cloud with the rigid security requirements needed for DOD data, McKeown said: “I don’t think it’s perfect right now as the recent incidents have shown.”

“We’ve got some work to do there on how to shore that up,” he said. “Certainly, we don’t want to get in the business of defending the vendor side of the equation. And one of the reasons why we chose to outsource this was so that they would do all the wrench turning, build the environment, maintain the environment, secure the environment from their side. Anytime we build anything on our side of their platform, we would defend that. But we may need more visibility into their side than we initially thought just so that we can help them do the job of defending the whole entire hypervisor and their management plane behind the cloud service offering.”

But largely, McKeown said, the takeaway from the visit was that the cloud providers were “mostly aware of what our requirements were already and already diligently working on things.”

“Many of them gave us briefings on zero trust, what they’re gonna do there. That tactical edge requirement that we have, you know, they’re already briefing on solutions they’re working there,” he said. “So just knowing that the messaging that we’re putting out as far as our requirements are being clearly heard out there and that they’re acting on it was a really big takeaway.”

It also gave the CIOs a glimpse into the state of the art for technologies like satellite communications, artificial intelligence, zero-trust security and others that the industry leaders are developing.

“I think we’re in a golden era of SATCOM,” McKeown said. “It seemed like a lot of organizations are focusing on that. And how SATCOM can bring us greater bandwidth and resiliency worldwide, which is something, of course, we’re obviously wanting.”

Conversations about ChatGPT and the explosion of AI were also front and center during the meetings. “The really big takeaway there was just how you can use AI to turbocharge just about anything you want to do,” McKeown said.

And on the zero-trust front, the CIOs emphasized to the providers how the cloud can be an accelerant for the department’s adoption of a zero-trust architecture.

“The goal would be a 100% consumable service in their clouds so that there’s little integration work that needs to be done on our side. This is the part of the problem historically: We go out and buy one-off security products, and then it’s our job to integrate them with other solutions to try to achieve a cybersecurity effect,” McKeown said, comparing it to building an F-35 fighter jet. “There’s probably tens of thousands of parts there. We wouldn’t buy each of those parts individually from a vendor and then we the government put them all together to try to make sure that they work, right? We hire an integrator, they build it for us … and then we buy it as a unit. So I think for zero trust, it would be best if we could buy it as a unit and not have people out there on our side trying to be the integrator and miss something.”

He added: “This option holds a great deal of promise for us if all we have to do is kind of move neighborhoods, bring your data, bring your services into this already zero-trusted environment and plug it in. It can be a game changer for us.”

The post Lessons learned from the defense CIOs’ recent West Coast visit to meet with JWCC cloud providers appeared first on DefenseScoop.

As the DOD looks to transition to a zero-trust security architecture over the next five years, the department is engaging the cloud partners awarded spots under its Joint Warfighting Cloud Capability (JWCC) multi-cloud acquisition vehicle to see if they can provide zero-trust capabilities via the cloud, Dave McKeown, the department’s chief information security officer, said Thursday at DefenseScoop’s DefenseTalks conference.

“We’re engaging with all of the vendors that are part of JWCC and having them kind of run through their service offerings and compare against our activities to see where they sit so that we could perhaps just consume zero trust in their clouds,” McKeown said.

Doing this would likely be a much easier approach for DOD organizations than trying to bolt-on zero-trust principles and tools to their own existing environments. McKeown described this as “a very difficult proposition to add in the tools, use your existing tools, make them all integrate, and develop the orchestration and automation and response that you need.”

The vendors that earned spots on the JWCC contract are Amazon Web Services, Google Cloud, Microsoft and Oracle.

For more special circumstances, the DOD is also developing a purpose-built cloud to host things on-premise when, for security reasons, it’s not possible to move things into a commercial cloud environment, he noted.

McKeown said the focus on cloud services to support zero trust will be part of a forthcoming zero-trust strategy and implementation plan his team has developed and that is “being finalized.” Under that strategy, the DOD aims to transition to this architecture by 2027, John Sherman announced last month.

“The strategy contains 152 different capabilities to achieve complete, robust zero trust,” he said. “And we also have a smaller subset of controls in there. There’s 90 of them. If you implement that, you’ll get targeted zero trust.”

Likewise, as the DOD works to secure contractors in the defense industrial base, it’s asking cloud providers to help secure some of the smaller contractors that might not have the resources themselves to meet the requirements imposed by the forthcoming shift to CMMC compliance.

Under the CMMC 2.0 rules, expected to go into effect next year, contractors that handle the department’s controlled unclassified information will have to be certified in meeting one of three tiers of cyber requirements. And some contractors worry that the costs to get to that point could run them out of business.

But McKeown said the defense industrial base cybersecurity team that was recently moved under his leadership is working to support those concerned contractors.

“We’re still hearing cries from industry small, medium-sized businesses that maybe it’s too onerous to uplift your environment,” he said. “We have a plethora of cybersecurity tools and services that we can offer to DIB partners, as well as we are again teaming with cloud providers to see what sort of secure environments they can provide that industry can just consume in order to protect DOD Information.”

The post DOD looking to cloud vendors to accelerate zero trust and CMMC adoption appeared first on DefenseScoop.