The DOD CIO published a request for information Wednesday on Sam.gov calling for industry’s input on emerging technologies, solutions and business practices that can support the department’s attempt to revamp the Risk Management Framework (RMF). The initiative largely seeks to replace the legacy framework with a multi-phased construct that will be demanding for cyber and acquisition professionals. Officials are hoping to speed up capability delivery to warfighters.

“Although RMF enhances security through continuous monitoring and risk-based decision-making, it’s often seen as slow and cumbersome,” the RFI stated. “To meet the urgent demands of modern cyber threats and accelerate innovation, the DoD is working to streamline the RMF process — aiming for greater efficiency without compromising on security.”

While the framework has guided the Defense Department’s acquisition process for its military networks, weapon systems and other critical IT infrastructure for decades, the RMF has come under scrutiny in recent months by senior leadership. Since returning to the department in March to perform the duties of Pentagon CIO, Katie Arrington has repeatedly stated in public forums that she is “blowing up the RMF” and other bureaucratic processes known to stifle innovation.

“The RMF is archaic, it’s a bunch of paperwork,” Arrington said in April at the UiPath on Tour Public Sector event. Along with the RMF Revamp, she recently initiated a related effort called the Software Fast Track (SWFT) program that aims to streamline acquisition of on-premises software capabilities.

The RMF was designed to let the department integrate controls throughout a system’s lifecycle, including cybersecurity, operational resilience and supply chain risk management. Ensuring a system is RMF compliant is a seven-step process that results in receiving an authorization to operate (ATO) on Pentagon networks.

However, the entire framework can take weeks to over a year to complete. Even then, a military system with an ATO is required to have it renewed every three years.

According to the request for information, the CIO is considering a new “Risk Management Construct” that outlines specific actions to take across five phases of a system’s development cycle — design; build, or initial operational capability; test, or full operational capability; onboarding; and operations. The first four phases also include recommendations on where to use automation, such as by integrating a continuous-integration/continuous-delivery pipeline in the build phase or automatic vulnerability remediation during onboarding.

The document also asks industry to answer a series of questions regarding technologies and best practices the Pentagon could employ to enhance the RMF process, limit redundant compliance efforts and improve reciprocity across the department.

“Key areas of interest include [artificial intelligence-driven] cybersecurity tools, security control inheritance, artifact reuse, continuous monitoring solutions, proactive cyber defense mechanisms, security testing frameworks, and risk assessment models that support rapid integration of automation, monitoring, and active threat mitigation within cybersecurity programs,” the RFI stated.

Responses — due by July 24 — will inform the CIO’s strategy moving forward.

The post DOD CIO solicits industry to inform revamp of ‘cumbersome’ cybersecurity risk framework appeared first on DefenseScoop.

The DOD currently maintains more than 2 million Microsoft 365 E5 licenses across two separate programs — the Defense Enterprise Office Solution (DEOS) and the Enterprise Software Initiative (DOD ESI). Through the established contracts, Pentagon components can purchase software licenses for commercial Microsoft products, including Office 365 applications and other collaboration tools.

But ongoing efforts spearheaded by the Department of Government Efficiency (DOGE) have prompted the Defense Department to review how many of those licenses it actually needs, Katie Arrington, who is performing the duties of Pentagon CIO, told DefenseScoop.

“Our Microsoft 365 contract [is a] very big contract here in the Department of Defense. Does every individual in the Department of Defense need an [E5] license? Absolutely not,” Arrington said June 6 in an exclusive interview.

With the department’s Deputy CIO for the Information Enterprise Bill Dunlap, Arrington has been working alongside her DOGE representative to review individual position descriptions and multi-level securities to determine what level of Microsoft 365 E5 license that person needs, she said. Other criteria being considered include user and mission requirements for office productivity software, as well as collaboration capabilities, a DOD CIO spokesperson told DefenseScoop.

CSRA, which is owned by General Dynamics IT, has served as the lead integrator for the DEOS contract since 2020, when the company received a 10-year blanket purchase agreement from the General Services Administration and Defense Department. The program allows Pentagon components to purchase individual licenses for cloud-based Microsoft 365 email and collaboration tools on a monthly basis.

Although the GDIT-led team, which also includes Dell Marketing and Minburn Technology Group, initially received the award in 2019, the department was forced to re-compete the contract following two bid protests by competitor Perspecta. The procurement battle resulted in the GSA and Pentagon giving the contract to GDIT at an estimated value of $4.4 billion — much lower than its originally projected $7.6 billion value.

The department can also purchase licenses for software products — including from Microsoft and other vendors, such as Oracle — using an Enterprise Software Agreement (ESA) contract vehicle, which is managed by the DOD ESI. Instead of buying individual licenses through DEOS, an ESA is used to purchase software via resellers in bulk and on an annual basis.

Arrington did not say how many Microsoft licenses are on the chopping block, but emphasized that the effort is geared toward “optimizing the licenses that we have.”

A reduction in E5 licenses would be yet another cut to the Pentagon’s IT enterprise prompted by the department’s work with DOGE. Along with reductions to its civilian workforce, the Defense Department has ordered several of its IT consulting contracts be cancelled and replaced by internally sourced services — an action also being taken by some of the military departments, as well as the DOD CIO.

“On an average day we would probably put out a contract for consulting on how to optimize or automate the RMF. We didn’t do that. We went internally. We did it ourselves, and we’re going to use our partners in the industry to help, because they would be the beneficiaries,” Arrington said, referring to her ongoing push to overhaul the Pentagon’s Risk Management Framework (RMF).

The office is also reviewing its contracts with systems integrators to ensure there are no duplicative efforts underway, as well as pushing for more use of commercial-off-the-shelf capabilities, she added.

Despite challenges that may come from DOGE-inspired cuts, Arrington said that she believes the work will help the Pentagon be on a “level playing field” moving forward.

“[The Defense Department] is as energized as I’ve ever seen it. But that doesn’t mean there’s no concern,” she said. “Change is hard, but it’s definitely needed.”

The post EXCLUSIVE: Pentagon CIO reviewing Microsoft 365 licenses as part of DOGE-related cuts appeared first on DefenseScoop.

“We’re using technology to help reduce the time, because that’s been the real problem with software,” Katie Arrington, the senior official performing the duties of Pentagon chief information officer, said Friday in an exclusive interview with DefenseScoop. “When we bring it into the building, we have to find a lab, we have to find a person, we have to get it resourced. And what we should be doing is accepting as much as possible and looking at it rapidly, because software is only as good as it is relevant.”

Since returning to the Pentagon in March to perform the duties of DOD CIO, Arrington has waged war on the legacy processes used by the department to buy software capabilities — namely the lengthy Risk Management Framework (RMF) and beleaguered authority to operate (ATO) approvals. 

“I’m blowing up the RMF. The RMF is archaic,” Arrington told a crowd of defense industry representatives at the UiPath on Tour Public Sector event in April. She later added that by next year, she hopes that ATOs are “something I never hear about again.”

Both the RMF and the ATO process have guided the Pentagon’s acquisition process for all of its systems for more than a decade. The RMF is a structured set of guidelines used to identify and manage cybersecurity risks on the Defense Department’s networks. After a system goes through the RMF process, it must receive an ATO that gives the final approval to operate on the network.

Many of the military departments have done some disparate work to automate the RMF process and embrace continuous ATOs, which use automated monitoring and security controls to approve software without need for reauthorization. But recently, Arrington initiated a Pentagon-wide effort to overhaul the RMF.

She told DefenseScoop that the “old school” processes are obsolete and no longer representative of the modern technologies the Pentagon needs.

“Why I say an old school ATO doesn’t really hold any validity anymore is because an ATO is granted at a very specific time in the network, the architecture of the network, the iteration of the software. Everything is like a snapshot in time, it’s a static moment,” she said. “But software is dynamic, it changes — every patch, every iteration, every version. So why wouldn’t we move to a continuous ATO and look at the RMF process as the building blocks?”

The RMF revamp will focus on how the process can be integrated with automation and continuous monitoring capabilities for an entire program’s lifecycle, a Pentagon spokesperson told DefenseScoop. They added that the framework will remain “a structured process which integrates security, resilience, zero-trust and related cybersecurity considerations to design, build and monitor DoD technology.”

To help the department move away from cumbersome checklist-based authorizations, Arrington also created the Software Fast Track (SWFT) program that she said is designed to allow the Pentagon to integrate software capabilities much faster than currently possible. SWFT is separate to CIO’s effort to reform the RMF, but the program looks to optimize the RMF’s software assessment process and streamline capability delivery.”

SWFT will have companies receive a third-party assessment based on 12 risk factors outlined by the Pentagon, ranging from a company’s cybersecurity posture to its financial health. Vendors will also be required to submit their own software bill of materials (SBOM), as well as an SBOM from a third-party assessor to see if there are any differences in the evaluations, Arrington explained. 

“When that information comes into the department, we’re going to have AI and large language modeling on the backside so that we can detect anomalies,” she said. “If there’s a variant between one SBOM and another SBOM, we’re going to validate all of the data.”

And while replacing institutional processes like the RMF and ATO is an arduous task, the Office of the DOD CIO is moving as quickly as it can. After Arrington announced SWFT in an April memo, the program officially began on June 1. Concurrently, the office is conducting a 90-day sprint to develop a framework and implementation plan that defines specific requirements, security verification processes, information-sharing mechanisms and risk determinations “to expedite the cybersecurity authorizations for secure, rapid software adoption,” according to the Pentagon.

Meanwhile, the office is reviewing responses it received for a trio of SWFT requests for information published in May that asked for industry’s input on specific tools, external assessments, and automation and AI-enabled capabilities, respectively. The CIO received over 500 responses across all three RFIs, demonstrating that industry is onboard with SWFT and eager to get the ball rolling, Arrington noted.

“I’ve committed to reading through all of them to really understand what [are] the best practices in industry,” she said. “What does real continuous monitoring look like? Do we need commercial red teams? What are risk factors if you’re doing continuous monitoring or you have a disruption in software? What are the proper and right risk mitigation processes? All of this is wrapped into acquisition, how we’re really approaching this modernization effort.”

Arrington noted that SWFT’s implementation is being done strategically and in partnership with other key stakeholders across the Defense Department, including the service CIOs, chief information security officers, the acquisition and sustainment directorate and Pentagon directorates that support command, control, communications, computers and cyber.

Before the end of June, the DOD CIO plans to release another RFI to industry that outlines five tenets for how the Pentagon plans to execute SWFT, Arrington said. Some ideas her team is considering include a tiered approach for the roles and responsibilities of cybersecurity service providers and different aspects of continuous monitoring.

“Industry’s part of this is going to be over the summer, and then hopefully I can get those responses [and] we can come together and start with a fundamental, new approach in early August or early fall,” she said.

Moving fast on SWFT will be integral for other reasons, as well. Arrington will exit her CIO role once President Donald Trump’s nominee for the position is approved by Congress. In May, the administration tapped Kirsten Davies — an IT and cybersecurity professional from the private sector — to serve as DOD CIO, but her confirmation hearing has not yet been scheduled.

And although the program’s attempt to reform the Pentagon’s software acquisition process has been met with positive reception — while also being in line with broader efforts by Secretary of Defense Pete Hegseth aimed at increasing use of innovative procurement authorities — Arrington acknowledged that SWFT’s success will depend on how well the department can adapt to the cultural shift it requires.

“We’re so risk adverse that to be relevant, we have to assume a little bit of risk in moving forward. And I think that’s going to be the biggest challenge set for the department, is culturally learning how to operate within that little bit of risk factor. I’ll take a 90 percent solution and work on remediating the 10 percent while we’re developing it,” she said.

Updated on June 12, 2025, at 4:15 PM: This story has been updated to add comment from a Pentagon spokesperson and to clarify that SWFT is separate from the CIO’s effort to reform the RMF.

The post Inside the Pentagon CIO’s push to overhaul antiquated software acquisition practices appeared first on DefenseScoop.

The CIO’s recently released software modernization implementation plan for fiscal 2025 and 2026 marks another call from Pentagon leadership for the entire department to improve delivery of software-based capabilities. The document lists three key goals for the next two years — focusing on software factories, enterprise cloud and transforming processes — as well as specific tasks for each goal that aims to improve overall software modernization.

The goals and tasks in the document build upon the DOD CIO’s first software modernization implementation plan for fiscal 2023 and 2024. According to the new roadmap, the Pentagon completed 27 out of 41 of the tasks outlined in the previous plan, carried 12 tasks over to FY25 and FY26 and combined two tasks with others in the updated document.

Rob Vietmeyer, chief software officer for the deputy CIO for information enterprise, said that while working through the goals in the first implementation plan, the office realized that some of the associated tasks weren’t mature enough to fully execute on.

“For a small portion, we learned that we didn’t know enough about a couple of those activities, so we dropped them. And then some of them, we were maybe over aggressive or they evolved,” he said Wednesday during a panel discussion at AFCEA’s TechNet Cyber conference. “I’ll say, from an agile perspective, we didn’t have the user score exactly right, so some of these stories have continued into the implementation plan two.”

The first goal outlined in the new plan is to accelerate and scale the Pentagon’s enterprise cloud environment. Along with its multi-cloud, multi-vendor contract known as the Joint Warfighting Cloud Capability (JWCC), the department also has a number of other efforts aimed at providing cloud infrastructure overseas and at the tactical edge. 

Vietmeyer said that even though JWCC has been a relative success — noting that the department has awarded at least $2.7 billion worth of task orders under the program — the contract vehicle was “suboptimal” for large acquisitions. The CIO is currently planning for what it calls JWCC 2.0, a follow-on phase that adds more vendors and different contracting mechanisms to the program.

Beyond JWCC, the implementation plan calls for the establishment of additional contract options for cloud innovation — specifically geared towards small business and “niche providers” — that can be awarded before the end of fiscal 2026.

“In the implementation plan, we’re trying to build that next-generation cloud infrastructure and extend it. Not just looking at JWCC, but we’re also looking at how we extend for small business cloud providers,” Vietmeyer said. 

The document also offers guidance for Pentagon efforts to expand cloud access to the edge, such as through Stratus or the Joint Operational Edge (JOE) environments. In the next two years, the department will develop a reference design for an “underlying cloud mesh” that facilitates data transport, software development and information-sharing across different infrastructures overseas, according to the plan.

The mesh architecture would allow warfighters from one military service to access a cloud node operated by a different service, or one owned by the Defense Information Systems Agency, Vietmeyer explained.

“We’ve seen that one of the challenges is moving to a mesh type of architecture, so we can identify where computing infrastructure exists and allow the warfighters to take advantage [of it],” he said. “How do we start to build the ability for applications and data to scale across that infrastructure in a highly resilient way?”

Along with enterprise cloud, another goal within the updated implementation plan focuses on creating a Pentagon-wide software factory ecosystem that fully leverages a DevSecOps approach. The CIO intends to take successful practices from the various software factories in DOD and replicate them across the department, according to the plan.

“DoD must continue to scale success and bridge the right disciplines together … to ensure end-to-end enablement and realization of the software modernization vision and adoption of software platforms and factories organized by domain,” the document stated.

The CIO will also work to remove existing processes and red tape that prevents software developers from accessing critical tools and capabilities; increase the number of platforms with continuous authorization to operate (cATO) approvals; and create a DevSecOps reference design for artificial intelligence and software-based automation deployment.

Lastly, the implementation plan outlines multiple tasks geared towards evolving the Pentagon’s policies, regulations and standards to better support software development and delivery — including creating secure software standards, improving software deployment in weapons platforms and growing its workforce.

Although work to accelerate the Pentagon’s software modernization has been happening for years, leaders at the department have begun pushing for more focused efforts to remove bureaucratic red tape through new guidance — such as Secretary of Defense Pete Hegseth’s Modern Software Acquisition memo released in March, and the CIO’s new Software Fast Track (SWIFT) program.

“For modern practices to become the routine way of developing and delivering software, policy, regulations, and standards must be reviewed and updated,” the implementation plan stated. “DoD must work with DoD Components to update policy and guidance to reduce the barriers to adopting new practices and to accelerate software delivery and cybersecurity approvals to enable adoption of the latest tools and services.”

The post Pentagon sets out two-year plan to scale enterprise cloud offerings, software factories appeared first on DefenseScoop.

As part of the new role, McKeown will stand up and lead the CIO’s Cybersecurity Center of Excellence, which will focus on tackling long-range and complex innovation challenges for cybersecurity modernization. He will be responsible for a range of programs and operations that will ensure the Pentagon is prepared to meet emerging cybersecurity threats, the DOD CIO noted in a statement posted on LinkedIn.

“Establishing this new office divorces the day-to-day activities such as zero trust implementation, defense industrial base cybersecurity programs and policy development from the requirement to look over the horizon and take on the following cybersecurity threat,” the statement said. “With the Special Advisor for Cybersecurity Innovation, we are building an office to create transformational breakthroughs and drive strategic invention in cybersecurity.”

McKeown most recently served as both the deputy CIO for cybersecurity and chief information security officer since 2020 — a dual-hatted position where he led the department’s wide-ranging cybersecurity modernization efforts and associated policies. His tenure has seen the introduction of cutting-edge technologies and robust protocols to fortify the Pentagon’s cyber defenses.

He has been at the forefront of implementing the DOD’s zero trust strategy while overseeing adoption of the new cybersecurity standards at organizations across the Pentagon. McKeown has also worked to strengthen cybersecurity within the defense industrial base and helped the department revamp the Cybersecurity Maturity Model Certification (CMMC) standards. 

McKeown has over three decades of experience working in the Defense Department, including 27 years serving in the Air Force and 8 years as a government civilian employee. His prior roles include working as an Air Force cyberspace operations officer; the director of enterprise information and mission assurance for the Army’s Information Technology Agency; and the cybersecurity center chief and enterprise services center chief for the Defense Information Systems Agency’s Joint Service Provider.

Prior to joining the DOD CIO, McKeown also led the Department of Justice’s Service Delivery Staff. Prior to that role, he ran enterprise services and cybersecurity for the DOD’s Joint Service Provider.

Gurpreet Bhatia will assume the duties of acting deputy CIO for cybersecurity and CISO. He previously served as the DOD’s principal director for cybersecurity and deputy chief information security officer.

The post DOD taps McKeown to serve as new special assistant for cybersecurity innovation  appeared first on DefenseScoop.

Under the contract, Hughes will install 5G O-RAN equipment at the base that will operate a temporary network for preliminary evaluation, according to a press release. The network will eventually transition to the company’s commercial network in order to support both Pentagon and commercial customers in and around the military installation.

The project will be a joint effort between the Army, the Pentagon’s Chief Information Officer (CIO) and the Office of the Under Secretary of Defense for Research and Engineering, the release noted.

“The Open RAN project at Fort Bliss is a valuable opportunity for the DoD to explore the enhanced command and control capabilities that near-real time control of the RAN offers DoD,” Anthony Smith, acting DOD CIO for command, control and communications, said in a statement. “The DoD CIO will continue to prioritize the deployment of Open RAN architectures and 5G across the Department, leveraging these information communications technologies for strategic warfighter advantage.”

Advancing 5G communications capabilities for military applications has been a key priority for the Pentagon’s FutureG office in recent years, specifically via O-RAN technology. While current radio access networks use standalone hardware and software platforms, O-RAN is a multi-vendor solution that separates the software and hardware and allows for different vendors to simultaneously operate on the same network.

The capability would offer “increased functionality and scalability of 5G wireless networks, incorporation of artificial intelligence/machine learning (AI/ML) into DoD systems, and greater flexibility in acquiring or replacing the software and hardware used in military equipment,” a department press release stated.

The project at Fort Bliss will serve as the testing ground for development of a RAN Intelligent Controller (RIC) — a software component that optimizes the radio access network. The effort is expected to lay foundations for O-RAN installation at other military locations, while also establishing a training site for staff.

“The primary use case that the Fort Bliss prototype will test through the RIC is the ability to rapidly change spectrum at the 5G control node, a capability that has real world relevance to resilient communications for a mobile command post,” per the release.

The new prototype effort follows a number of O-RAN technology pilots kickstarted by the Pentagon’s FutureG office in 2023, which allowed the department to work with companies and understand how open networks and software approaches can improve communication capabilities for warfighters.

Hughes has previously worked with the Defense Department in advancing wireless technology for service members. The company received a contract in 2022 to deploy a standalone 5G network at the Naval Air Station Whidbey Island in Washington, which established the first 5G O-RAN network at a U.S. military base, according to Hughes. In 2024, Hughes received a follow-on extension contract to continue 5G deployment at Joint Base Pearl Harbor-Hickam in Hawaii.

The post Pentagon taps Hughes to develop 5G O-RAN prototype at Fort Bliss appeared first on DefenseScoop.

At the same time, leadership and personnel turnover at the DOD Chief Information Office prohibited officials from conducting annual reviews of the strategy’s implementation, the probe found.

Released in 2019, the Pentagon’s first-ever digital modernization strategy (DMS) looked to increase technological capabilities across the department and improve overall adoption of modern systems in response to emerging threats and new tools. The strategy included four strategic initiatives — innovation for advantage, optimization, resilient cybersecurity and cultivation of talent — with accompanying objectives and tasks, known as “strategy elements,” as well as a roadmap for implementation through fiscal 2023.

But an audit from the Pentagon Inspector General’s office, published July 9, found that 54 of the 131 strategy elements were not “specific, verifiable and measurable” in accordance with requirements from the Office of Management and Budget, therefore preventing the DOD CIO from effectively monitoring progress towards goals outlined in the strategy.

“Modernizing its digital environment is crucial for the DoD to ensure the Joint Force has a competitive advantage in the modern battlespace. The DMS should create a centralized and focused path to guide daily decision making to achieve DoD’s digital modernization goals,” the Inspector General’s report stated. “However, without specific, verifiable, and measurable strategy elements, the DoD cannot meaningfully track progress towards achievement of DMS goals.”

For example, the audit notes that the task to “modernize the global command and control system — Joint” does not provide any quantifiable measures or specified end results for the desired system, which also makes it difficult to measure progress on the task. In addition, the goal to “modernize” is not clear or precise enough in this context, according to the review. 

Of the 54 strategy elements flagged as being not specific, verifiable and measurable, the DOD CIO has reported that 17 of them have been completed — although the Inspector General’s audit could not confirm whether or not that was the case. 

Moving forward, the IG report recommends that the CIO “develop and implement standard operating procedures that include definitions for ‘specific,’ ‘verifiable,’ and ‘measurable.’” Since the recommendation, the CIO’s office has reported that the deputy chief experience officer has been tasked to develop and implement the suggested standards, and expects them to be completed by the end of August.

In addition, the audit found that the DOD did not conduct annual reviews of the digital modernization strategy in fiscal 2022 and 2023 — another requirement from the OMB. A former employee of the CIO reported that the office did not conduct reviews due to changes in the office’s leadership and discussions on whether to update the digital modernization strategy or develop a brand new one. 

The audit emphasized that “by not conducting annual DMS reviews in conjunction with DoD’s Annual Performance Plan reviews, the DoD missed opportunities to identify performance gaps or changes to mission needs, priorities, goals, objectives, or strategy elements that require updates.”

As for fiscal 2020 and 2021, CIO personnel “could not provide documentation supporting that the DMS was reviewed alongside the Annual Performance Plan or that OCIO personnel identified performance gaps in the DMS based on changes to DoD mission needs, priorities, or goals,” according to the IG report.

The Pentagon’s CIO did decide to release a new strategy, dubbed Fulcrum, in June that is structured around four lines of effort. Acting DOD CIO Leslie Beavers told DefenseScoop ahead of the new strategy’s release that it represented a more mature version of its predecessor.

“It’s taking into account the new technologies that have been developed and, kind of, the changing world situation and how we are just providing that kind of refreshed vision for how we need to move out in the department in the next five years,” Beavers said.

The post Audit finds flaws in Pentagon’s 2019 digital modernization strategy appeared first on DefenseScoop.

He will head off to Texas to serve as the next Dean of the Bush School of Government and Public Service at Texas A&M University, his alma mater, according to a post on LinkedIn.

Sherman has been the only Senate-confirmed CIO for the Pentagon during the Biden administration, having come to the role after a long career in the IT space for several national security organizations and most recently as the CIO of the intelligence community.

“Mr. Sherman has been a steadfast advisor and an innovative leader who has helped the Department adopt and utilize modern information technology to keep our country safe. His technical expertise has proven invaluable in tackling a variety of digital challenges. His focus on mission readiness has ensured that each of the Services is equipped with both the capabilities and the digital workforce necessary for modern warfighting,” Austin said in a statement Thursday. “Under his leadership during the past two and a half years, the Department has restructured its approach to cybersecurity. Today we are better positioned to take advantage of technological developments and respond to digital threats. And we’re working with our international partners to set the global rules and standards for responsible cyber practices for generations to come.”

Sherman’s initial tenure was marked by the significant shift of the DOD from the marred Joint Enterprise Defense Infrastructure (JEDI) cloud effort that sought a single vendor for the Pentagon’s first enterprise cloud capability. The department decided to move away from JEDI into a multi-vendor acquisition process under what is known as the Joint Warfighting Cloud Capability (JWCC).

Four vendors — Google, Oracle, Amazon Web Services and Microsoft — were awarded under that effort in late 2022. Over 80 task orders with a total value of more than $600 million have been awarded to date.

Sherman has also overseen the DOD’s efforts toward a “zero trust” framework to better protect networks and data from unauthorized disclosures, leaks and adversary activities to steal sensitive information. Zero trust is a cybersecurity concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

The Pentagon released its zero trust strategy in 2022 that sought to outline “target levels” of zero trust, a minimum set of 91 capability outcomes that agencies and components at the department must meet to secure and protect networks, and reach that no later than Sept. 30, 2027.

Most recently, Sherman unveiled a process across DOD to allow one organization’s authorization on the network to be honored by others, dubbed reciprocity.

The Pentagon announcement did not say who will be performing the duties of CIO after his departure. Leslie Beavers is currently serving as the principal deputy chief information officer.

The post DOD CIO John Sherman departing at the end of June appeared first on DefenseScoop.

Zero trust is a cybersecurity concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

The services and other DOD components are due to submit their proposals to the Pentagon’s zero-trust portfolio management office by Oct. 23, a congressionally mandated deadline that will come a year after the department released its zero-trust strategy.

Officials will “spend the next four to six weeks, probably six weeks, analyzing every one of those plans and measuring the success of those plans on whether or not they’re giving us the information so that we know every single component is going to be hitting target-level zero trust or higher by fiscal ’27 or earlier,” Randy Resnick, director of the zero trust portfolio management office within the DOD chief information office, said during a panel at the Cyber Beacon conference Thursday hosted by National Defense University.

“We’re going to get all this data. We’re going to be really busy, heads down. But at the end of the year, let’s say mid-December, we’ll have a really good picture of exactly where the department sits on that. We’re going to be briefing Congress in January, third week in January, about the results of it [and] how the DOD is going to approach zero trust,” he added.

Resnick said over the last year, there has been little ambiguity over what his office wants from the components, noting that it has held frequent meetings on a monthly and quarterly basis, including one-on-ones.

He added that 80 to 90% of DOD components will likely meet or exceed expectations but there might be some they have to assign some additional work to update sections or improve certain aspects. Those updates will need to be returned within a week given the portfolio office will be “under the gun” to get plans finalized by the end of the year and be prepared to brief Congress in January, Resnick said.

The post DOD to brief Congress early next year on zero-trust progress appeared first on DefenseScoop.

Last fall, DOD released its zero-trust strategy as well as its reference architecture. Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

The strategy laid out a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data. The strategy states the DOD must get to the target level as soon as possible. Once that is achieved, the Pentagon will monitor continued compliance to get to advanced zero trust, which the document defines as the achievement of the full set of capability outcomes.

The goal is for the department to achieve the target level by 2027.

The strategy provided a roadmap for how organization can achieve zero trust, but officials have been very clear from the start that there are multiple potential pathways. As a result, there will be several different approaches.

“I’ve used the term pick your own adventure on some of this … I suspect each of the components — matter of fact, I know they are — taking a little bit different path to get there,” John Sherman, DOD chief information officer, said at the Billington Cybersecurity Summit on Thursday.

These organizations will be submitting their plans to the zero-trust portfolio management office, led by Randy Resnick, next month, according to Sherman, who described it as a “very important milestone” to start the assessment.

“Between October and the holiday period, Randy and his team are going to be reviewing what these plans look like, consistent with what we’ve laid out with the capabilities, the 91 capabilities, that gets targeted zero trust by 2027,” he said.

The post DOD to review agencies’ zero-trust proposals over the next few months appeared first on DefenseScoop.