“JWCC requires highly skilled services to support office operations, and the delivery of modern enterprise cloud services and related technologies. These services must include technical expertise in cloud engineering, cybersecurity, financial management, program execution support, and technical writing through direct support of system owners and technical experts regarding various challenges with migration to the cloud and leveraging commercial cloud technologies,” officials wrote. 

The Department of Defense awarded its highly-anticipated enterprise cloud contract to Google, Oracle, Amazon Web Services and Microsoft in late 2022. 

JWCC marks a key element in the DOD’s push for digital modernization, and the original contract has a ceiling of $9 billion. Officials have been somewhat tight-lipped about JWCC progress since the program’s inception — but as of August 2024, the Pentagon had awarded just under $1 billion in task orders to vendors competing for the enterprise cloud initiative.

This latest defense cloud-enabling information request was published by DISA’s Hosting and Compute Directorate, which is responsible for managing the JWCC contract vehicle.

“This is a SOURCES SOUGHT NOTICE to determine the availability and technical capability of 8(a) certified small businesses to provide the required products and/or services,” officials wrote.

Such companies have gone through and been verified by a federal government-run federal contracting and training program designed for experienced small business owners who are considered socially and economically disadvantaged. 

In Thursday’s notice, DISA officials list and define associated in-demand capabilities across three categories: Cloud Infrastructure and Engineering; Cybersecurity and Risk Management; and Infrastructure and Software Engineering.

The work is envisioned to be performed at DISA facilities inside and outside of the continental U.S. The anticipated period of performance is a 1-month transition period, an 11-month base period, and four 12-month option periods.

Businesses that aim to respond must submit information including a brief capabilities statement to an email included in the notice, by July 31.

Earlier this year, DISA unveiled plans to roll out a follow-on to the current enterprise cloud vehicle — named JWCC Next — likely in 2026. A DISA spokesperson declined to answer questions Thursday regarding the motivation behind this new sources sought notice, or how it fits into the agency’s vision for JWCC Next.

“As standard practice, DISA cannot discuss open solicitations posted on SAM.gov or other sites, as it could violate established procurement regulations and policies. Therefore, we have nothing to add at this time,” the spokesperson told DefenseScoop.

The post DISA pursues new engineering and IT partners to enable the Joint Warfighting Cloud Capability appeared first on DefenseScoop.

The DOD CIO published a request for information Wednesday on Sam.gov calling for industry’s input on emerging technologies, solutions and business practices that can support the department’s attempt to revamp the Risk Management Framework (RMF). The initiative largely seeks to replace the legacy framework with a multi-phased construct that will be demanding for cyber and acquisition professionals. Officials are hoping to speed up capability delivery to warfighters.

“Although RMF enhances security through continuous monitoring and risk-based decision-making, it’s often seen as slow and cumbersome,” the RFI stated. “To meet the urgent demands of modern cyber threats and accelerate innovation, the DoD is working to streamline the RMF process — aiming for greater efficiency without compromising on security.”

While the framework has guided the Defense Department’s acquisition process for its military networks, weapon systems and other critical IT infrastructure for decades, the RMF has come under scrutiny in recent months by senior leadership. Since returning to the department in March to perform the duties of Pentagon CIO, Katie Arrington has repeatedly stated in public forums that she is “blowing up the RMF” and other bureaucratic processes known to stifle innovation.

“The RMF is archaic, it’s a bunch of paperwork,” Arrington said in April at the UiPath on Tour Public Sector event. Along with the RMF Revamp, she recently initiated a related effort called the Software Fast Track (SWFT) program that aims to streamline acquisition of on-premises software capabilities.

The RMF was designed to let the department integrate controls throughout a system’s lifecycle, including cybersecurity, operational resilience and supply chain risk management. Ensuring a system is RMF compliant is a seven-step process that results in receiving an authorization to operate (ATO) on Pentagon networks.

However, the entire framework can take weeks to over a year to complete. Even then, a military system with an ATO is required to have it renewed every three years.

According to the request for information, the CIO is considering a new “Risk Management Construct” that outlines specific actions to take across five phases of a system’s development cycle — design; build, or initial operational capability; test, or full operational capability; onboarding; and operations. The first four phases also include recommendations on where to use automation, such as by integrating a continuous-integration/continuous-delivery pipeline in the build phase or automatic vulnerability remediation during onboarding.

The document also asks industry to answer a series of questions regarding technologies and best practices the Pentagon could employ to enhance the RMF process, limit redundant compliance efforts and improve reciprocity across the department.

“Key areas of interest include [artificial intelligence-driven] cybersecurity tools, security control inheritance, artifact reuse, continuous monitoring solutions, proactive cyber defense mechanisms, security testing frameworks, and risk assessment models that support rapid integration of automation, monitoring, and active threat mitigation within cybersecurity programs,” the RFI stated.

Responses — due by July 24 — will inform the CIO’s strategy moving forward.

The post DOD CIO solicits industry to inform revamp of ‘cumbersome’ cybersecurity risk framework appeared first on DefenseScoop.

“We’re using technology to help reduce the time, because that’s been the real problem with software,” Katie Arrington, the senior official performing the duties of Pentagon chief information officer, said Friday in an exclusive interview with DefenseScoop. “When we bring it into the building, we have to find a lab, we have to find a person, we have to get it resourced. And what we should be doing is accepting as much as possible and looking at it rapidly, because software is only as good as it is relevant.”

Since returning to the Pentagon in March to perform the duties of DOD CIO, Arrington has waged war on the legacy processes used by the department to buy software capabilities — namely the lengthy Risk Management Framework (RMF) and beleaguered authority to operate (ATO) approvals. 

“I’m blowing up the RMF. The RMF is archaic,” Arrington told a crowd of defense industry representatives at the UiPath on Tour Public Sector event in April. She later added that by next year, she hopes that ATOs are “something I never hear about again.”

Both the RMF and the ATO process have guided the Pentagon’s acquisition process for all of its systems for more than a decade. The RMF is a structured set of guidelines used to identify and manage cybersecurity risks on the Defense Department’s networks. After a system goes through the RMF process, it must receive an ATO that gives the final approval to operate on the network.

Many of the military departments have done some disparate work to automate the RMF process and embrace continuous ATOs, which use automated monitoring and security controls to approve software without need for reauthorization. But recently, Arrington initiated a Pentagon-wide effort to overhaul the RMF.

She told DefenseScoop that the “old school” processes are obsolete and no longer representative of the modern technologies the Pentagon needs.

“Why I say an old school ATO doesn’t really hold any validity anymore is because an ATO is granted at a very specific time in the network, the architecture of the network, the iteration of the software. Everything is like a snapshot in time, it’s a static moment,” she said. “But software is dynamic, it changes — every patch, every iteration, every version. So why wouldn’t we move to a continuous ATO and look at the RMF process as the building blocks?”

The RMF revamp will focus on how the process can be integrated with automation and continuous monitoring capabilities for an entire program’s lifecycle, a Pentagon spokesperson told DefenseScoop. They added that the framework will remain “a structured process which integrates security, resilience, zero-trust and related cybersecurity considerations to design, build and monitor DoD technology.”

To help the department move away from cumbersome checklist-based authorizations, Arrington also created the Software Fast Track (SWFT) program that she said is designed to allow the Pentagon to integrate software capabilities much faster than currently possible. SWFT is separate to CIO’s effort to reform the RMF, but the program looks to optimize the RMF’s software assessment process and streamline capability delivery.”

SWFT will have companies receive a third-party assessment based on 12 risk factors outlined by the Pentagon, ranging from a company’s cybersecurity posture to its financial health. Vendors will also be required to submit their own software bill of materials (SBOM), as well as an SBOM from a third-party assessor to see if there are any differences in the evaluations, Arrington explained. 

“When that information comes into the department, we’re going to have AI and large language modeling on the backside so that we can detect anomalies,” she said. “If there’s a variant between one SBOM and another SBOM, we’re going to validate all of the data.”

And while replacing institutional processes like the RMF and ATO is an arduous task, the Office of the DOD CIO is moving as quickly as it can. After Arrington announced SWFT in an April memo, the program officially began on June 1. Concurrently, the office is conducting a 90-day sprint to develop a framework and implementation plan that defines specific requirements, security verification processes, information-sharing mechanisms and risk determinations “to expedite the cybersecurity authorizations for secure, rapid software adoption,” according to the Pentagon.

Meanwhile, the office is reviewing responses it received for a trio of SWFT requests for information published in May that asked for industry’s input on specific tools, external assessments, and automation and AI-enabled capabilities, respectively. The CIO received over 500 responses across all three RFIs, demonstrating that industry is onboard with SWFT and eager to get the ball rolling, Arrington noted.

“I’ve committed to reading through all of them to really understand what [are] the best practices in industry,” she said. “What does real continuous monitoring look like? Do we need commercial red teams? What are risk factors if you’re doing continuous monitoring or you have a disruption in software? What are the proper and right risk mitigation processes? All of this is wrapped into acquisition, how we’re really approaching this modernization effort.”

Arrington noted that SWFT’s implementation is being done strategically and in partnership with other key stakeholders across the Defense Department, including the service CIOs, chief information security officers, the acquisition and sustainment directorate and Pentagon directorates that support command, control, communications, computers and cyber.

Before the end of June, the DOD CIO plans to release another RFI to industry that outlines five tenets for how the Pentagon plans to execute SWFT, Arrington said. Some ideas her team is considering include a tiered approach for the roles and responsibilities of cybersecurity service providers and different aspects of continuous monitoring.

“Industry’s part of this is going to be over the summer, and then hopefully I can get those responses [and] we can come together and start with a fundamental, new approach in early August or early fall,” she said.

Moving fast on SWFT will be integral for other reasons, as well. Arrington will exit her CIO role once President Donald Trump’s nominee for the position is approved by Congress. In May, the administration tapped Kirsten Davies — an IT and cybersecurity professional from the private sector — to serve as DOD CIO, but her confirmation hearing has not yet been scheduled.

And although the program’s attempt to reform the Pentagon’s software acquisition process has been met with positive reception — while also being in line with broader efforts by Secretary of Defense Pete Hegseth aimed at increasing use of innovative procurement authorities — Arrington acknowledged that SWFT’s success will depend on how well the department can adapt to the cultural shift it requires.

“We’re so risk adverse that to be relevant, we have to assume a little bit of risk in moving forward. And I think that’s going to be the biggest challenge set for the department, is culturally learning how to operate within that little bit of risk factor. I’ll take a 90 percent solution and work on remediating the 10 percent while we’re developing it,” she said.

Updated on June 12, 2025, at 4:15 PM: This story has been updated to add comment from a Pentagon spokesperson and to clarify that SWFT is separate from the CIO’s effort to reform the RMF.

The post Inside the Pentagon CIO’s push to overhaul antiquated software acquisition practices appeared first on DefenseScoop.

This bombshell revelation came just as the Department of Defense floated a “soft” deadline of 2035 to achieve Zero Trust (ZT) cyber protections for the same operational technology in weapons systems. The Pentagon’s Zero Trust portfolio director, Randy Resnick, described the DOD’s challenge in alarming terms: “We are far away. I’m suggesting fiscal [year 20]35 and beyond. That might actually be a 10-year effort or more.” This admission is not deterrence, but an open invitation for adversaries to ignore the Geneva Conventions and coerce Americans with existential threats. We are in a hot cyber war today, not in 2035. Our adversaries are attacking our water and power systems now. So why is the Pentagon telling our adversaries they have 10 years to penetrate our OT, disrupt mission-critical assets, and prevent weapons from launching and hitting their targets?

The secretary of defense and combatant commanders are prioritizing urgent lethality to immediately deter an adversary. We don’t have the luxury of time where “soft” deadlines introduce more risk to our global missions, weakening the deterrent credibility of the entire U.S. military. With global strife raging, we need this leadership in all programs, including the cyber protection of OT. However, when Pentagon leaders assess “no easy feat” with estimated capabilities “far away,” the message to adversaries is clear: We’re unprepared and unwilling to act quickly to counter this specific cyber threat… and that must change.

Zero trust means zero excuses.

The CIO must ensure that the next Zero Trust Strategy for Operational Technologies provides clear implementation guidance and mandatory compliance requirements. This means all stakeholders, along with deadlines and measurable cyber-related Key Performance Indicators (KPIs) tied to readiness and warfighter capability. Moreover, command leadership must be held accountable for these outcomes. Our adversaries are planning to utilize cyberattack vectors to compel national capitulation by disabling weapon systems, denying critical defense assets, and jamming communication pipelines. We need a sense of urgency and accountability to mitigate this risk to Golden Dome (once it comes online) and our forward-deployed forces.

The new CIO must work with all levels of command to alter the calculus in adversary cyber decision-making. No more “soft” goals and “far-off” timelines. We need a wartime footing inside the Pentagon’s cyber leadership, which means an operational sprint in which:

• COCOMS must demand defensive cyber capabilities for their OT assets from U.S. Cyber Command.
• Military cyber defenses must be extended to defend critical infrastructure.
• OT vulnerabilities must be accounted for in the department’s Information Assurance Enterprise Vulnerability Management Program (VMP).
• DOD’s Cyber Operational Readiness Assessment (CORA) criteria must include OT.
• A program of record must be established with effects-based goals and substantial funding for the rapid deployment of proven security tools already in use by private industry.
• OT protections must be prioritized in acquisition and sustainment programs.
• OT cyber protections must be integrated directly into operational availability metrics.

Zero trust isn’t a compliance exercise, it’s a warfighting necessity.

It’s time to stop admiring the challenge of implementing ZT for OT and get serious about cyber protections and resilience required to project power globally. When the CCP embeds malware in weapons systems, telecom networks, fuel systems and ammunition plants, as well as port cranes, rail systems and other critical assets, it is preparing for conflict with sabotaging activities. The Chinese have confirmed their intent and don’t care about strategies, data calls, or fan charts. If we accept a decade-long timeline, they will hurt our ability to deploy and fight effectively. The Defense Department must respond with urgency now with near-term risk mitigations, or our warfighters will be switched off just when our country needs them the most.

Lucian Niemeyer is an Air Force veteran, former professional staff member on the U.S. Senate Armed Services Committee, and former assistant secretary of defense who also served in the White House Office of Management and Budget. He currently leads the non-profit organization, BuildingCyberSecurity.org.

Tatyana Bolton is the executive director of the Operational Technology Cybersecurity Coalition, a principal at Monument Advocacy, and former policy director of the Cyberspace Solarium Commission. She has also served at the Department of Defense (DoD), the Cybersecurity and Infrastructure Security Agency (CISA), and Google. She currently serves on the Advisory Board of Berkeley’s CLTC and the Cybersafe Foundation, and as a senior advisor to CSC 2.0.

The post The Pentagon’s cyber malaise: Zero trust deadlines translate to zero urgency appeared first on DefenseScoop.

The nomination was submitted to Congress on Tuesday and referred to the Senate Armed Services Committee for consideration, according to a notice posted on Congress.gov.

The Defense Department CIO “is the principal staff assistant and senior advisor to the Secretary of Defense and Deputy Secretary of Defense for information technology (IT) (including national security systems and defense business systems), information resources management (IRM), and efficiencies. This means that DoD CIO is responsible for all matters relating to the DoD information enterprise, such as cybersecurity, communications, information systems, and more,” according to a Pentagon description of the role.

Davies has served in IT and cybersecurity roles at major firms in the private sector.

Previously, she was chief information security officer for Unilever; senior vice president and chief information security officer at the Estee Lauder Companies; managing director and group chief security officer at Barclays Africa (now known as Absa); vice president of enterprise security strategy and transformation solution at Hewlett-Packard; global deputy CISO at Siemens; and senior associate at Booz Allen Hamilton, according to her LinkedIn profile.

She is cofounder and CEO of the Institute for Cyber, which is a “non-profit organization with a mission to advance the safety, security, privacy, and digital integrity of experiences citizens have while using technology, AI, and digital data in their everyday lives,” according to the organization’s website.

Davies has also been a member of the National Security Institute’s Cyber and Tech Security Council. NSI is part of George Mason University’s Antonin Scalia Law School.

Katie Arrington is currently the acting DOD CIO and recently launched a new Software Fast Track (SWIFT) program that aims to overhaul cumbersome bureaucratic mechanisms and streamline the Pentagon’s ability to rapidly approve new software capabilities for warfighters.

Leslie Beavers was acting CIO before Arrington was appointed to that role.

John Sherman served as Pentagon CIO during most of the Biden administration and was the last to be Senate-confirmed in the role.

The post Trump nominates Kirsten Davies to be next DOD CIO appeared first on DefenseScoop.

Under the Software Fast Track (SWIFT) program, the Pentagon will use artificial intelligence to replace legacy authority to operate (ATO) and Risk Management Framework (RMF) processes when buying new software. Acting DOD CIO Katie Arrington signed a memo authorizing the new effort, and it will officially launch May 1, she said.

“We need to change our thought process, because having software in an ATO that is a static environment doesn’t help the warfighter,” Arrington said Tuesday during a keynote at the UiPath on Tour Public Sector event, produced by FedScoop. “What changes every single day is the network, the software [and] the environment. Why are we so structured to stay in a static position when our adversaries are always dynamic?”

As the Pentagon becomes more dependent on software-based capabilities, leaders have looked to pivot away from traditional ATO frameworks encumbered by lengthy administrative processes and manual paperwork that can stifle modernization. Some organizations have begun exploring continuous authority to operate (cATO) methods, which use automated monitoring and security controls to approve software without need for reauthorization.

Instead, SWIFT will do a third-party assessment of companies’ cybersecurity postures based on 12 risk characteristics. Vendors will also be required to provide a software bill of materials (SBOM) “from production and sandbox” that is certified by a third party, Arrington said. 

“I have AI on the backside — large language modeling — that will determine if there are any anomalies, if there’s something in your source code that’s bad. If not, you get a provisional ATO,” she said.

Arrington added that SWIFT will allow the department to pivot away from the current RMF, a structured set of guidelines used to identify and manage potential cybersecurity risks on networks. For more than a decade, the framework has guided the Pentagon’s acquisition process for all of its systems — from development to sustainment.

“I’m blowing up the RMF. The RMF is archaic, it’s a bunch of paperwork,” Arrington said. She added that in the next year, she hopes that ATOs are “something I never hear about again.”

SWIFT comes as Secretary of Defense Pete Hegseth is pushing the entire department to speed up procurement and delivery of digital and software-based capabilities. In March, Hegseth issued a memo that calls on Pentagon leaders to use innovative acquisition authorities — from the Software Acquisition Policy to commercial solutions openings — to rapidly buy software.

“We need more innovation. The [secretary of defense] has told us, bring software, bring [commercial-off-the-shelf] into the building faster, at a more rapid rate,” Arrington said. “And our job is to ensure that we are doing the best to ensure that we have lethality, that we’re ready and that we’re efficient.”

When the program launches, Arrington said she plans to bring together all of the department’s CIOs, chief information security officers, the acquisition and sustainment directorate and other stakeholders at the Pentagon. In the near future, the department plans to release a request for information (RFI) to gather industry input.

The post New Pentagon program to speed up software acquisition set to launch May 1 appeared first on DefenseScoop.

Today, America’s federal cyber establishment faces a similar crisis of fragmentation. Born of disjointed legislation, overlapping executive orders, and competing congressional mandates, our cyber defense infrastructure has evolved into a convoluted maze where organizational boundaries matter more than mission success.

A fragmented cyber battlefield

The U.S. cyber domain’s evolution has occurred with little strategic coordination, creating unclear jurisdictions and mission overlap. The Department of Defense (DOD) and U.S. Cyber Command (USCYBERCOM) oversee military cyber operations, yet their efforts often compete with the National Security Agency’s (NSA) intelligence-driven priorities. The Cybersecurity and Infrastructure Security Agency (CISA) defends civilian networks but lacks sufficient authorities to compel action across the private sector. The Federal Bureau of Investigation (FBI) handles cybercrime investigations, while the Office of the National Cyber Director (ONCD) attempts to provide strategic oversight — all while adversaries exploit the strategic, operational, and jurisdictional seams between these various civilian and military organizations governed by different statutes.

This disjointed approach has led to catastrophic security failures. During the 2020 SolarWinds breach, Russian intelligence services infiltrated government and private networks while exploiting the gaps between our defensive organizations. The sophisticated cyber-espionage operation went undetected for months, with agencies like CISA, NSA, and FBI struggling to coordinate responses within their respective lanes. When the breach was finally discovered, our fragmented cyber ecosystem couldn’t assemble a complete picture of the attack, with each agency holding only pieces of the puzzle.

The 2021 Colonial Pipeline ransomware attack paralyzed fuel distribution across the East Coast, exposing critical weaknesses in public-private cyber collaboration. As federal agencies debated jurisdictional boundaries and response authorities, Americans faced gas shortages and price spikes. The FBI, CISA, Department of Energy, and multiple other agencies worked parallel tracks with limited coordination, demonstrating how our fractured response system fails during crises that cross public-private boundaries.

More recently, China’s SALT TYPHOON and VOLT TYPHOON campaigns methodically targeted our telecommunications infrastructure, maritime ports, and power grid systems. These persistent, sophisticated intrusions established footholds in critical infrastructure while our agencies struggled to share information effectively. Intelligence agencies detected the threats but faced bureaucratic hurdles in disseminating actionable information to defensive agencies and private sector targets.

In each case, multiple agencies responded with competing priorities: some focused on intelligence collection, others on attribution, and still others on defensive measures — often without real-time coordination or information sharing. Our adversaries deliberately target these organizational seams, knowing that our fragmented response system will delay effective countermeasures.

Geopolitical adversaries exploit our fragmentation

America’s cyber vulnerabilities are not hypothetical — they are actively and daily exploited by our adversaries. China’s persistent cyber-espionage campaigns target U.S. defense contractors and critical infrastructure through operations like VOLT TYPHOON. Russian state-backed hackers conduct disinformation and cyber disruption operations, seeking to undermine public trust. North Korean hackers fund their regime through cryptocurrency theft, while Iran grows increasingly aggressive in targeting American executives and government officials.

These nation-states deliberately exploit the seams between our agencies’ jurisdictions. When an attack crosses from intelligence gathering to destructive effects, from foreign to domestic networks, or from government to private infrastructure, our response fractures along organizational boundaries. Each agency follows its own playbook, often with limited visibility into parallel efforts.

Moreover, in the age of artificial intelligence, the scale and sophistication of cyber attacks will increase dramatically, with potential for unprecedented physical damage and even loss of life beyond purely digital impacts. Our adversaries have already unified their cyber operations under centralized command structures that blend military, intelligence, and criminal capabilities, while we remain divided.

The Cyber Council of Nicaea: A unifying solution

A Cyber Council of Nicaea would serve as a permanent, high-level forum backed by executive order and congressional authorization for resolving cyber policy disputes, coordinating national strategy, and setting enforceable standards. Unlike current ad-hoc coordination mechanisms that lack decisive authority, the Council would have the mandate to make and enforce binding decisions. Its core objectives would be:

Doctrinal unity — Establish a national cyber doctrine clearly defining roles, responsibilities, authorities, and response protocols.

Operational deconfliction — Synchronize military, intelligence, law enforcement, and civilian cyber operations.

Information sharing — Establish efficient and secure pathways for information sharing across agencies and with private sector partners.

Crisis response coordination — Develop binding frameworks for responding to attacks on critical infrastructure, including specific playbooks for common scenarios.

Public-private integration — Foster structured engagement with industry leaders through meaningful incentives and mutual benefit arrangements.

Readiness exercise planning — Develop and execute regular cross-sector cyber exercises modeled after nuclear response readiness drills.

Geopolitical cyber strategy — Align cyber operations with broader national security goals.

The Council’s structure would mirror successful national security decision-making bodies while avoiding excessive bureaucracy:

Chair: National Cyber Director with enhanced authorities via executive order, ensuring overarching strategic coherence and direct presidential reporting.

Core members: Leaders from DOD (to include National Guard), Coast Guard, NSA, CISA, FBI, USCYBERCOM, NSC, and the Office of the Director of National Intelligence (ODNI).

Advisory panel: Private sector cybersecurity executives and critical infrastructure representatives with defined incentives for participation, including enhanced threat intelligence access and priority incident response support.

Standing working groups: Composed of subject-matter experts from member agencies and private sector, focused on doctrine development, interagency coordination, and international cyber norms.

Unlike existing coordinating bodies, the Council would have the authority to make binding decisions about roles, responsibilities, authorities, and resources during both steady-state operations and crisis response. Reporting directly to both the Executive Branch and relevant congressional committees would ensure accountability and oversight. The Council would convene regularly for strategic planning and activate immediately during cyber emergencies, with clear lines of authority established in advance.

Learning from successful models

The Goldwater-Nichols Act of 1986 revolutionized the U.S. military by mandating joint operations and forcing inter-service cooperation after failures in Grenada and elsewhere demonstrated the costs of fragmentation. While imperfect, it fundamentally transformed military effectiveness by compelling unity across service boundaries. Nuclear response and readiness provides another successful model, with comprehensive exercises that coordinate military and government agencies, private sector partners, and even international allies.

A Cyber Council of Nicaea could achieve similar transformative effects for the cyber domain, compelling unity where fragmentation currently reigns, while avoiding the pitfalls of excessive centralization that could stifle innovation or create new bureaucratic obstacles.

Addressing the counterarguments

Skeptics may argue that adding another layer of coordination risks bureaucratic inefficiency. However, the status quo — where cyber responsibilities are split across multiple agencies without a unifying authority — has already proven inefficient and dangerous. The Council would not add bureaucracy but rather streamline existing processes by establishing clear decision paths and eliminating duplicative efforts. Recent examples like SolarWinds and Colonial Pipeline demonstrate how our current approach costs precious time during crises when every minute counts.

Concerns over interagency rivalry are valid but not insurmountable. By establishing clear lines of authority for specific scenarios in advance and building regular coordination exercises into agency operations, the Council would reduce friction during crises. The current nominated ONCD leadership may lack the gravitas of the original Council of Nicaea’s Emperor, but enhanced authority through executive order and congressional mandate would provide the necessary power to drive meaningful coordination.

Regarding private sector involvement, the Council would ensure that response measures balance national security with business continuity and civil liberties through meaningful industry participation. Rather than imposing one-way requirements, this approach would provide tangible benefits to participating companies through enhanced intelligence sharing, technical assistance, and coordinated incident response support.

The alternative — allowing China, Russia, and other adversaries to continue exploiting our divisions — is simply unacceptable.

A call to action

Cyberspace is unquestionably the battlefield of the 21st century, yet we continue to defend it with organizational structures designed for the industrial age. The National Security Council and Congress should immediately authorize and convene the first Cyber Council of Nicaea, bringing together key stakeholders to define America’s cyber future.

Implementation will require amendments to existing authorities and potentially new legislation, but the fundamental architecture already exists in the form of existing coordination bodies. What’s missing is decisive leadership with real authority and accountability — gaps the Council would fill.

The recent Executive Order shifting resilience responsibilities to states makes this Council even more critical, as it must establish the frameworks and standards that will guide state-level cyber defense efforts, preventing further fragmentation at the state and local levels.

Without decisive action, we risk continued fragmentation, persistent vulnerabilities, and a strategic disadvantage against adversaries who operate with singular focus. The Cyber Council of Nicaea isn’t just an administrative reform, it’s an urgent national security imperative that must be established before the next major attack forces reactive, chaotic policymaking in its aftermath.

The choice is clear: unify now or remain divided until disaster forces our hand.

Authors’ note: Brad Levine; John Dobrydney, DSc; Hala Nelson, Ph.D., and Ken Kurz were kind enough to lend their knowledge, expertise, and constructive feedback in the development of this Op-Ed.

Daniel Van Wagenen is a retired Army combat infantryman and defensive cyber operator. He is also the co-founder of the Association of the U.S. Cyber Forces (AUSCF), the first dedicated nonprofit to being a voice for the cyber warfighter, and co-founder and COO of Minerva Cyber Technologies, a full-spectrum cyber operations services and products firm.

Kim Irving is a senior cyber executive focused on supporting the warfighter and the national security mission. Co-founder and CEO of Minerva Cyber Technologies, she has 20+ years of experience serving on executive leadership teams and boards. Her experience includes full-spectrum cyber services and capability development for U.S. Cyber Command, Army Cyber Command, Air Force Cyber Command, Navy Fleet Cyber Command, and Marine Corps Forces Cyberspace Command.

The post The Cyber Council of Nicaea: Unifying America’s fragmented digital defense appeared first on DefenseScoop.

The achievement is a major milestone for DISA’s Thunderdome initiative, which offers a suite of IT and cybersecurity technologies that various agencies across the Defense Department can use as their zero-trust solution. DISA’s validation of Thunderdome comes more than two years ahead of the Pentagon’s deadline to implement target levels of zero trust by the end of fiscal 2027.

“It is a stellar machine system and environment, and there’s a lot of DOD field activities and agencies that are depending on that solution as its [zero-trust] solution,” Resnick said Wednesday during the Defense Acquisition University’s annual Zero Trust Symposium.

Zero trust is a cybersecurity framework that assumes networks are already compromised by adversaries, as opposed to the perimeter-based standards traditionally employed by the DOD. Rather than establishing a protective cybersecurity boundary over its networks, zero trust requires the Pentagon to integrate new capabilities that can constantly monitor and authenticate its networks and users as they move through them.

The DOD’s 2022 Zero Trust Strategy outlined a minimum set of 91 capability outcomes that agencies and components must meet to achieve “target levels” of zero trust no later than Sept. 30, 2027. The strategy also provided an additional 61 activities that are required to meet what the Pentagon considers “advanced levels.”

Resnick said DISA’s Thunderdome achieved a “perfect 152 out of 152,” meaning the solution is the second to hit all of the department’s ZT capability outcomes. The Navy’s cloud-based Microsoft Office 365 platform — known as Flank Speed — was the first zero-trust solution to achieve advanced levels, and met all 152 requirements earlier this year.

“Thunderdome is the Defense Information Systems Agency’s (DISA) comprehensive ZT solution,” Chris Pymm, Thunderdome portfolio manager at DISA, told DefenseScoop in a statement. “Recently, the Department of Defense DOD CIO purple team has validated that Thunderdome provides advanced level ZT across all 152 activities in DOD’s ZT model. What’s more, organizations can leverage DISA’s Thunderdome procurement vehicle to meet their integration ZT needs.”

According to the agency, the Thunderdome solution leverages enterprise identity credential and access management (ICAM); commercial secure access service edge capabilities; and software-defined wide area networking and security tools.

In 2022, DISA awarded Booz Allen Hamilton a $6.8 million other transaction agreement to prototype Thunderdome, which was later extended to include the Pentagon’s classified Secure Internet Protocol Router Network (SIPRNet). Following 18 months of development, the company received a follow-on production contract in 2023 to transition the solution into full deployment. 

The award is structured as an indefinite delivery/indefinite quantity (IDIQ)-like award to allow for other Pentagon agencies and departments to leverage the OTA over a five-year period. The contract has a total ceiling of $1.86 billion.

Pymm said that Thunderdome “will complete the DISA terrain in June of this year.” The effort’s zero-trust capabilities will be scaled to defense agencies and field activities via the broader migration of users to its new modernized network, known as DODNet, he added.

In fiscal 2025, Thunderdome will be fielded to the Defense Contract Management Agency, Defense Contract Audit Agency, Defense Logistics Agencies, Defense Media Activity, Defense Finance Accounting Service and the Defense Microelectronics Activity.

Moving forward, DISA plans to deploy the capability to the following agencies and organizations in fiscal 2026: Defense Threat Reduction Agency, Joint Staff’s J-6 directorate, Defense Advanced Research Projects Agency, Missile Defense Agency and Defense Manpower Data Center.

Updated on April 2, 2025, at 5:25 PM: This story has been updated to include more information from DISA about plans for Thunderdome and statements from Chris Pymm, Thunderdome portfolio manager.

The post DISA’s Thunderdome achieves advanced zero-trust goals appeared first on DefenseScoop.

The final rule for the revamped CMMC 2.0 program went into effect in December, which means that defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance, depending on the sensitivity of the information they handle, to be eligible to win DOD contracts. After years of high-profile scoping and rulemaking efforts, the Pentagon plans to implement the new requirements by the middle of this year.

Contractors and defense industry observers have previously expressed concerns about the burdens that CMMC regulations would impose, particularly for smaller firms that have fewer resources to ensure compliance.

An industry report by Redspin published earlier this year found that over half of respondents did not feel prepared for CMMC’s requirements.

Another report published this week by Kiteworks and co-sponsored by Coalfire found shortfalls in gap analysis and advanced controls. Budgetary and resource constraints, technical complexity of implementing controls, scope complexity and definition challenges, and understanding requirements and documentation were cited as some of the biggest challenges related to CMMC.

“It is my understanding that the cyber capabilities of the companies in the DIB vary greatly. If confirmed, I look forward to reviewing the current state of DoD cybersecurity requirements for our industry partners and working to ensure we balance a need for security with the burdens of excessive regulation,” Duffey wrote in his responses to advance policy questions from lawmakers ahead of his confirmation hearing Thursday with the Senate Armed Services Committee.

He noted that cyberattacks on defense industrial base information systems threaten the Pentagon’s mission execution and warfighting capabilities, and put at risk U.S. technological superiority, intellectual property and national security information.

“Bolstering cybersecurity across the DIB without placing undue burdens on small and medium-sized businesses is critical. These businesses are often more vulnerable to cyberattacks due to resource constraints, yet they play a vital role in our nation’s defense,” Duffey wrote. “I recognize the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors. If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices.”

Additionally, he told lawmakers that he would review current and potential mechanisms to assess CMMC compliance — including third-party assessment organizations — and accreditation procedures “to ensure our requirements keep pace with the threat and manage the burden on the industrial base.”

Duffey also noted that access to secure compartmented information facilities (SCIFs) can be costly for smaller companies. If confirmed, he said he will “actively explore” the feasibility of multi-use SCIFs and other shared resource models to reduce that burden for small firms and facilitate their access to classified information.

The CMMC program previously fell under the responsibility of the undersecretary of defense for acquisition and sustainment, but was transferred to the DOD Office of the Chief Information Officer in 2022. Katie Arrington, who was viewed as a key architect of the original iteration of CMMC within A&S during the first Trump administration, recently returned to the Pentagon and was quickly appointed as the acting CIO.

Duffey also has prior government experience, including at the Pentagon. He served as associate director of national security programs in the Office of Management and Budget during the first Trump administration. He’s also served as deputy chief of staff to the secretary of defense and chief of staff to the undersecretary of defense for research and engineering, among other roles.

The post Trump’s Pentagon acquisition chief nominee vows to review controversial CMMC program appeared first on DefenseScoop.

The U.S. military maintains an extensive global footprint, with 800 installations spanning more than 70 countries and territories. Public and private utilities own and operate the power lines, water pipes, and fiber optic cables that supply these bases. Yet once those systems cross the fence line onto military facilities, the U.S. military is responsible for ensuring their safe and reliable operation and restoration during an attack.

The problem is many of the professionals tasked with maintaining these critical systems might not recognize a cyberattack for what it is because they’ve received no specified training. They often see an operational disruption, assume it is just a system malfunction, and move quickly to restore systems, potentially wiping out the forensics data that cyber professionals need to discern how an attacker got in and disrupted the system.

Without a dedicated forensic investigation, engineers who respond to the symptoms of an attack may simply revert the system back to the same vulnerable state that the attacker exploited in the first place. Crucial intelligence clues about the attack’s provenance and intent will be lost.

At Fort Leonard Wood (FTLW), Missouri, the Army and the U.S. Army Corps of Engineers (USACE) provide world-class training for the professionals who maintain both our civilian and military critical infrastructure. However, in the vast majority of these programs, there is no basic cybersecurity curriculum.

This critical omission leaves America vulnerable and the professionals who respond ill-equipped to confront malicious state-backed actors who seek to compromise the operational integrity of control systems. This is not merely a cybersecurity problem but a national security problem. Today’s battlefield extends to the contested virtual domain. The advantages of two large oceans that have provided standoff and a defensible homeland do not prevent the battlefield from extending to our military bases. Our adversaries aim to deny or destroy the technological supremacy that underpins our military’s ability to project power. Our military engineers must be trained to respond to the advances of modern warfare.

Other federal agencies acknowledge the importance of cybersecurity training for their engineers. The Department of Energy released a national strategy on cyber-informed engineering three years ago, placing cybersecurity at the foundation of engineering for energy systems. Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) has spent the last two years working with technology and device manufacturers and evangelizing the importance of building security into systems from the outset. Even the Department of Commerce’s National Institute of Standards and Technology has issued “cyber resilient engineering” guidelines for industrial control systems.

Despite these efforts, silos still exist between DOD cyber incident response and remediation teams and the engineers responsible for maintaining critical systems. The DOD has not trained military engineers to collaborate with network defenders to secure the industrial control systems against cyber threats.

As recent headlines have affirmed, military bases are high-value targets for nation-state hackers. Their power grids, HVAC and airfield lighting, access security, fuel systems, and water utilities were initially designed for reliability, not security. But these systems cannot be reliable if they are not secure, and America’s adversaries know that undermining system reliability degrades miliary readiness and our ability to project power.

The knowledge gap of our engineers — and the resulting dangerous national security risk — need not persist. FTLW houses the multi-service Maneuver Support Center of Excellence for engineering, military police, biological, chemical, radiological, and nuclear training. This training heritage positions its Prime Power School to expand its multi-service curriculum to include cybersecurity-driven engineering for all Army Combat Engineers and Navy Seabees. The Air Force’s Red Horse Units and public works personnel should also learn to identify and respond to cyber threats.

Prioritizing a comprehensive cybersecurity curriculum will prepare these engineers to maintain military readiness, respond to emerging threats, and win against all hazards, including cyber malfeasance. Once trained and deployed, these engineers will actively ensure the military’s critical assets necessary for executing military operations at home and abroad.

Establishing a joint-service schoolhouse, co-located with the USACE’s Prime Power School at FTLW, will create a hub of expertise and a pipeline for an organic DOD workforce. This initiative will amplify the resilience of home-based and forward-deployed forces, especially in the Indo-Pacific, where China is actively working to undermine our military’s ability to achieve national security objectives, which start here in the homeland.

From the Battle of Iwo Jima to today, engineers have played a critical role in protecting our forces and defeating enemy counterefforts. The U.S. military’s engineers don’t just build infrastructure; their expertise shapes the battlefield itself, ensuring victory through innovation. Now, as wars extend into the cyber domain, the same expertise must evolve. Establishing an all-service training curriculum at FTLW focused on detecting, responding to, attributing, analyzing, remediating, and sharing information about malicious cyber behavior would ensure their legacy of paving the way to victory continues in the digital age.

Alison King is vice president of government affairs at Forescout and a senior fellow at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. Before joining Forescout, Alison spent over a decade in the federal civil service, working for the Department of the Navy and the Cybersecurity Infrastructure Security Agency.

Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies and facilitates the Department of Energy’s Operational Technology Defender Fellowship.

Rear Adm. (Ret.) Mark Montgomery is CCTI’s senior director and served as executive director of the congressionally mandated Cyberspace Solarium Commission. He served for 32 years in the U.S. Navy as a nuclear-trained surface warfare officer, retiring as a rear admiral in 2017.

The post US must prioritize cybersecurity training for the military’s engineers appeared first on DefenseScoop.