David McKeown Archives | DefenseScoop
https://defensescoop.com/tag/david-mckeown/
Fri, 20 Dec 2024 19:29:18 +0000

DOD taps McKeown to serve as new special assistant for cybersecurity innovation
https://defensescoop.com/2024/12/20/david-mckeown-special-assistant-cybersecurity-innovation/
Fri, 20 Dec 2024 19:29:15 +0000

As part of the new role, McKeown will stand up and helm the DOD CIO's new Cybersecurity Center of Excellence.

The post DOD taps McKeown to serve as new special assistant for cybersecurity innovation appeared first on DefenseScoop.

David McKeown has been chosen as the Defense Department Chief Information Office’s inaugural special assistant for cybersecurity innovation, according to a Friday announcement.

As part of the new role, McKeown will stand up and lead the CIO’s Cybersecurity Center of Excellence, which will focus on tackling long-range and complex innovation challenges for cybersecurity modernization. He will be responsible for a range of programs and operations that will ensure the Pentagon is prepared to meet emerging cybersecurity threats, the DOD CIO noted in a statement posted on LinkedIn.

“Establishing this new office divorces the day-to-day activities such as zero trust implementation, defense industrial base cybersecurity programs and policy development from the requirement to look over the horizon and take on the following cybersecurity threat,” the statement said. “With the Special Advisor for Cybersecurity Innovation, we are building an office to create transformational breakthroughs and drive strategic invention in cybersecurity.”

McKeown most recently served, since 2020, as both the deputy CIO for cybersecurity and chief information security officer — a dual-hatted position where he led the department’s wide-ranging cybersecurity modernization efforts and associated policies. His tenure has seen the introduction of cutting-edge technologies and robust protocols to fortify the Pentagon’s cyber defenses.

He has been at the forefront of implementing the DOD’s zero trust strategy while overseeing adoption of the new cybersecurity standards at organizations across the Pentagon. McKeown has also worked to strengthen cybersecurity within the defense industrial base and helped the department revamp the Cybersecurity Maturity Model Certification (CMMC) standards. 

McKeown has over three decades of experience working in the Defense Department, including 27 years serving in the Air Force and 8 years as a government civilian employee. His prior roles include working as an Air Force cyberspace operations officer; the director of enterprise information and mission assurance for the Army’s Information Technology Agency; and the cybersecurity center chief and enterprise services center chief for the Defense Information Systems Agency’s Joint Service Provider.

Prior to joining the DOD CIO, McKeown also led the Department of Justice’s Service Delivery Staff. Prior to that role, he ran enterprise services and cybersecurity for the DOD’s Joint Service Provider.

Gurpreet Bhatia will assume the duties of acting deputy CIO for cybersecurity and CISO. He previously served as the DOD’s principal director for cybersecurity and deputy chief information security officer.

DOD braces for time, scale needed to modernize defenses against quantum hacking
https://defensescoop.com/2024/10/24/dod-cryptographic-modernization-effort-challenges/
Thu, 24 Oct 2024 19:47:38 +0000

“We’ve got to think ahead as to what the adversary might be working on and develop algorithms that are there in time to meet the adversary’s ability to crack those algorithms,” Deputy CIO for Cybersecurity David McKeown said.

The post DOD braces for time, scale needed to modernize defenses against quantum hacking appeared first on DefenseScoop.

The Pentagon’s Chief Information Office has become laser focused on migrating the entire department to using stronger cryptographic algorithms that will keep its networks and operations secure.

Among all of the cybersecurity modernization efforts underway at the Defense Department, cryptography has recently moved to the top of Deputy CIO for Cybersecurity David McKeown’s list of priorities. Speaking at AFCEA DC’s annual Tech Summit on Thursday, McKeown said the effort will likely be a big lift for the department given its timeline and scale.

“The hardware and software that we use for securing our nation’s secrets takes a long time to develop and test and field. It is scattered throughout many, many platforms and weapon systems,” he said. “We’ve got to think ahead as to what the adversary might be working on and develop algorithms that are there in time to meet the adversary’s ability to crack those algorithms.”

Cryptography is the process of developing and using coded algorithms to protect data so that only those with specific permissions are able to decrypt and read it. Cryptographic algorithms protect the Defense Department’s critical information from being hacked by adversaries like China, which has been looking to develop a quantum computer able to break military-grade encryptions.

The Defense Department currently uses decades-old cryptographic algorithms to secure both its non-classified and secret classification networks. The National Security Agency is the lead for the Pentagon’s cryptographic modernization efforts, and the department heavily relies on algorithms developed by the National Institute of Standards and Technology (NIST). 

In August, NIST released the final versions of three new post-quantum encryption algorithms and plans to release additional algorithms in the future. The organization is looking to migrate all high-priority systems to quantum-resistant cryptography by 2035 — a deadline that could be challenging for organizations as large as the Defense Department.

Once a new cryptographic algorithm is developed — a process that takes around a decade — the NSA conducts testing to certify both the hardware and software components, McKeown said. Then, the Pentagon will need to conduct operational tests and validation with each of the military services and components, he noted.

“Even then, [there is] the scope and scale of replacing this crypto — we’re talking hundreds of thousands of endpoints, perhaps millions in some cases — that have to be touched, and the algorithms updated and replaced,” McKeown said. “In some cases, we may have to use the old algorithms, un-encrypt data and then re-encrypt it with the new stuff that we just came out with. So you can see, it’s an extremely long timeline.”

McKeown emphasized that even when the Pentagon fields new cryptographic algorithms, it will have to continuously work to ensure both the hardware and software components are up-to-date.

In addition, the department’s CIO has been trying to find innovative and efficient ways to do encryption — such as by using double-wrapping encryption techniques to add extra layers of security, McKeown said. There is also a lot of work yet to be done on enumerating the Pentagon’s algorithms that are vulnerable to quantum hacking so that they can be fixed, he noted.

“We need to look through our whole inventory and look at all the encryption that we’re using on everything, and then figure out what needs to be replaced there and then get to work with the vendors and our community to get the upgrades, and then field the upgrades so that new quantum-resistant cryptography is employed throughout the department,” McKeown said.

Pentagon awards nearly $1B in JWCC task orders
https://defensescoop.com/2024/08/07/pentagon-awards-nearly-1b-jwcc-task-orders/
Wed, 07 Aug 2024 15:30:05 +0000

The Joint Warfighting Cloud Capability is the Defense Department's top enterprise cloud initiative.

The post Pentagon awards nearly $1B in JWCC task orders appeared first on DefenseScoop.

The Department of Defense has to date awarded just under $1 billion in task orders to vendors for its enterprise cloud initiative known as the Joint Warfighting Cloud Capability (JWCC), according to the Pentagon.

The program is a key element of the DOD’s push for digital modernization. It’s also considered critical to enabling the Combined Joint All-Domain Command and Control (CJADC2) warfighting concept, which aims to better connect the data streams of the U.S. military and key international allies and partners under a more unified network to boost the effectiveness and efficiency of operations.

JWCC replaced the aborted Joint Enterprise Defense Infrastructure (JEDI) initiative. In December 2022, Google, Oracle, Amazon Web Services and Microsoft were awarded contract spots on the $9 billion JWCC program and are competing for task orders.

The contract vehicle provides the department “the opportunity to acquire commercial cloud capabilities and services directly from the commercial Cloud Service Providers,” defense officials noted in an innovation fact sheet distributed on Wednesday.

To date, the Pentagon has executed more than $969 million on JWCC and “has 75 other packages in the process for award,” per the fact sheet.

That dollar value is about 50 percent higher than it was just a few months ago. In May at the DefenseTalks conference presented by DefenseScoop, David McKeown, DOD’s deputy chief information officer for cybersecurity and senior information security officer, said the department had given 84 task orders at that point, totaling $628 million.

The fact sheet released Wednesday didn’t provide a breakdown of how many task orders each of the vendors has won.

Pentagon officials have been encouraging DOD components to embrace the contract vehicle.

“We had a memo put out that said all of the services [and] agencies need to rationalize their contracts for consuming cloud and move to JWCC at first opportunity,” McKeown noted.

Jeff Marshall, acting director of the Defense Information Systems Agency’s Hosting and Compute Center, said earlier this week that the initiative is “doing well.”

“It’s a contract vehicle that basically allows mission partners to come to us and be able to get into the cloud without having to do a lot of their own heavy lift to get that set up,” he said during an event Tuesday hosted by Defense One.

“The JWCC allows them to basically get that acquisition vehicle fairly quickly, and then they have something in their hands to work with,” Marshall added. “When I came in, what I saw is that is the push that DISA and DOD was taking everyone into the direction of. And it makes sense. It’s a cloud-first mentality. It definitely is where we should go for elasticity, for scalability and for metering systems, so that people can basically get their workloads and get them where they need them and do them correctly in a cloud environment without having to deal with the infrastructure and those costs and the things that are not part of their core.”

However, DISA is also looking to retool its Stratus cloud offering so that mission partners have better options when it makes more sense for them to use a private cloud instead of a public cloud, he noted.

Meanwhile, Pentagon officials are looking ahead to the next phase of the Joint Warfighting Cloud Capability program, dubbed JWCC 2.0.

Before retiring recently, then DOD Chief Information Officer John Sherman directed the CIO’s team to conduct a review of the entire effort. 

“While I’m a huge fan of it, I know it’s not perfect. Because … we’re kind of figuring out how to walk and chew gum in a multi-vendor environment,” Sherman said during an exit interview in June with DefenseScoop. “What can we do better for JWCC 2.0? Are there things we can put into place to make [software-as-a-service] offerings easier to manage?”

DOD aiming to accelerate zero trust adoption schedule
https://defensescoop.com/2024/05/22/dod-zero-trust-speed-up-adoption-schedule-david-mckeown/
Wed, 22 May 2024 16:43:27 +0000

The Pentagon's goal was to achieve zero-trust across the department by the end of fiscal 2027, but now officials are trying to go faster.

The post DOD aiming to accelerate zero trust adoption schedule appeared first on DefenseScoop.

The Pentagon set a goal of implementing a zero-trust cybersecurity architecture across the department by the end of fiscal 2027, but now, officials have been asked to go significantly faster, according to a senior official.

Under the zero-trust concept, managers are supposed to assume that networks are already compromised by adversaries, meaning they must constantly monitor and authenticate users and their devices as they move through a network.

A Department of Defense strategy signed out in 2022 outlines “target levels” of zero trust, which are a minimum set of 91 capability outcomes that DOD agencies and components must meet to secure and protect networks. The Pentagon’s goal was to achieve those target levels no later than Sept. 30, 2027.

“As the cybersecurity chief for the department this is my number one project — implementing zero trust by 2027,” David McKeown, DOD’s deputy chief information officer for cybersecurity and senior information security officer, said Wednesday at DefenseTalks, presented by DefenseScoop.

Officials have said they’re on track to meet that deadline.

However, now the department is trying to move the schedule to the left, McKeown noted.

“We’ve been asked to see how we can accelerate that. We’re going to try to accelerate that by a year through a variety of means,” he said.

The military services and agencies within the DOD were tasked to come up with plans for how they’re going to implement zero trust. Those plans have been delivered, Congress has been briefed and the components are moving out on implementation.

“We had three different ways in which you could implement it. The first one was to uplift your current environment by adding all the necessary tools and capabilities and integrating them. Secondly, was to adopt commercial cloud solutions that already have the capabilities built in. And then lastly, purpose-built on prem clouds that also were proven to meet zero-trust capabilities. We see that most organizations, because of the diversity of their [network] terrain, are doing a hybrid of all of those things to achieve zero trust,” McKeown said.

“I’ve been preaching for a while, we need integrated products to do this. The products by themselves don’t work well together. We need to fully integrate them to achieve that zero-trust effect. So we’ve been working with a lot of vendors out there on [courses of action] one through three on how we can best deliver integrated products to the folks working on zero trust there. And we continue to look to vendors to interface with us on emerging technology and those integrated solutions for implementing zero trust,” he added.

Pentagon surpasses $600M in JWCC task order awards
https://defensescoop.com/2024/05/22/pentagon-jwcc-task-order-awards-surpasses-600m/
Wed, 22 May 2024 15:22:33 +0000

Google, Oracle, Amazon Web Services and Microsoft compete for task orders under the Joint Warfighting Cloud Capability enterprise cloud program.

The post Pentagon surpasses $600M in JWCC task order awards appeared first on DefenseScoop.

The Department of Defense has awarded more than 80 task orders for its Joint Warfighting Cloud Capability with a total value of more than $600 million, according to a senior official.

JWCC is the Pentagon’s high-priority enterprise cloud effort that replaced the aborted Joint Enterprise Defense Infrastructure (JEDI) initiative. Google, Oracle, Amazon Web Services and Microsoft were all awarded under the $9 billion JWCC program in December 2022 and are competing for task orders.

The initiative is a key element of the department’s push for digital modernization. It’s also considered critical to enabling the department’s Combined Joint All-Domain Command and Control (CJADC2) warfighting concept, which aims to better connect the platforms, sensors and data streams of the U.S. military and key international allies and partners under a more unified network to enable better and faster decision-making and more effective and efficient operations.

“We are trying to continue on our journey for cloud. We awarded the JWCC contract. We had a memo put out that said all of the services [and] agencies need to rationalize their contracts for consuming cloud and move to JWCC at first opportunity. So that’s been going well. We’ve had 84 [task order] awards to date, and totaling $628 million,” David McKeown, DOD’s deputy chief information officer for cybersecurity and senior information security officer, said Wednesday at DefenseTalks, presented by DefenseScoop.

McKeown did not provide a breakdown of the task order awards by company.

“We’re also working a lot on edge computing. We’ve got a couple of joint operational edge nodes in [Indo-Pacific Command] that we’re doing a lot of tests on. And then of course, DISA has got their own on prem cloud that they offer for the DOD called Stratus. So lots of cloud work there [that’s] continuing to evolve and mature. And it’s very important for the department,” he added.

New DOD strategy aims to improve contractors’ cybersecurity, resiliency
https://defensescoop.com/2024/03/28/defense-industrial-base-cybersecurity-strategy/
Thu, 28 Mar 2024 20:26:16 +0000

The Defense Industrial Base Cybersecurity Strategy outlines four goals as well as corresponding objectives that cover activities from fiscal 2024 to 2027.

The post New DOD strategy aims to improve contractors’ cybersecurity, resiliency appeared first on DefenseScoop.

To protect military contractors from adversary cyber attacks and intrusions, the Defense Department must commit to educating, measuring and driving improvements in the digital security and resiliency of the industrial base, according to new strategic guidance from the Pentagon.

The Defense Industrial Base Cybersecurity Strategy, released Thursday, is intended to steer the department and industry’s response to threats. Signed by Deputy Secretary Kathleen Hicks, it aims to strengthen companies doing business with the Pentagon — including small businesses and subcontractors — against adversaries seeking access to sensitive data, proprietary information and intellectual property of weapon systems and production nodes.

As part of that effort, the Pentagon will work with the defense industrial base (DIB) to enhance their network posture while also providing more cohesive strategic guidance for companies, according to David McKeown, deputy chief information officer for cybersecurity.

“Over the last several years the DIB has made great strides in improving cyber resiliency, security, compliance and understanding the threat landscape,” McKeown told reporters Thursday ahead of the document’s release. “Together through the DIB cybersecurity strategy, we will further advance our goals and improve DIB cybersecurity.”

The document outlines four main goals as well as corresponding objectives that cover activities from fiscal 2024 to 2027. It notes that while many of the efforts listed have either already begun or are part of the Pentagon’s broader approach to industrial base cybersecurity, the strategy will “sharpen the focus, collaboration and integration” of those objectives.

A key aim for the Pentagon will be working with the DIB to enhance companies’ protection against advanced threats. To do so, the department will continue to routinely evaluate contractor compliance with its cybersecurity requirements — largely through the Cybersecurity Maturity Model Certification (CMMC) program.

However, “[the] increasing number of threats resulting from the evolution and expansion of the digital ecosystem drives the need for enhanced requirements for a subset of critical programs or high value assets,” the strategy states. Therefore, the department will engage in future rulemaking that will expand on current requirements for the industrial base and introduce supplemental guidelines for those handling controlled unclassified information, it noted.

Compliance efforts like CMMC have come under scrutiny in the past, especially among small businesses and non-traditional defense contractors that believe the regulations will be expensive and arduous to keep up with.

McKeown emphasized that the new strategy takes contractors of all sizes into consideration, and that the department is committed to helping small firms strengthen their cybersecurity posture through a number of free resources.

In addition, McKeown’s office has been working with the Office of Small Business on a pilot to develop a secure, cloud-based environment for smaller companies to use and conduct work in, he said. Officials want to have around 50 to 75 companies involved in the program and begin work this year.

The goal will be to “prove out whether or not we can leverage the cloud to ensure that the data is secure in this cloud environment for the small businesses,” McKeown said. “And then we’ll have to look at how we scale that up and offer that to more and more small businesses over time, or how we get a price point which they can afford and just start leveraging themselves.”

The department also wants to create a new framework for sharing threat information with the industrial base; conduct analysis on potential cyber vulnerabilities in contractors’ IT ecosystems; improve how firms recover from malicious cyber activities to minimize loss of information; and measure the overall effectiveness of the DOD’s cybersecurity requirements. 

Other goals detailed in the strategy include strengthening the Pentagon’s internal governance structure for DIB cybersecurity, preserving the cyber resiliency of the defense supply chain, and boosting overall collaboration among government agencies and contractors on cybersecurity matters.

Stacy Bostjanick, chief of defense industrial base cybersecurity in the CIO’s office, emphasized that the Pentagon is dedicated to working with contractors, as well as an array of stakeholders across government, to execute the strategy.

“Our mission is to protect sensitive information, operational capabilities and product integrity by ensuring the generation, liability and preservation of U.S. warfighting capabilities,” Bostjanick told reporters. “Our vision is simple: a secure, resilient, technologically superior DIB.”

DOD working with cloud service providers to improve security
https://defensescoop.com/2023/09/05/dod-working-with-cloud-service-providers-to-improve-security/
Tue, 05 Sep 2023 22:27:18 +0000

The Pentagon is looking to improve security of cloud environments after public breaches and data exposures.

The post DOD working with cloud service providers to improve security appeared first on DefenseScoop.

Following some recent breaches, exposures and losses of data, the Department of Defense is looking to improve security of cloud providers as they’re poised to provide the first enterprise-wide cloud environment.

Moving to the cloud is a top IT modernization priority for the Pentagon as a global organization. But vulnerabilities exist, and the DOD is trying to mitigate them.

“We have found several instances on the unclass [unclassified networks] where errors in the hypervisor management side of different vendors have led to IP addresses being exposed to the public for a period of time,” Dave McKeown, chief information security officer and deputy chief information officer for cybersecurity at DOD, said at the Billington Cybersecurity Summit on Tuesday. “Of course, the bad guys don’t wait. They are constantly scanning networks, looking for a door that they can go in and rummage around. We lost some data as a result of that.”

The Joint Warfighting Cloud Capability (JWCC) was awarded in December, and is the Pentagon’s highly anticipated $9 billion enterprise cloud effort that replaced the maligned Joint Enterprise Defense Infrastructure (JEDI) program. Google, Oracle, Amazon Web Services and Microsoft were all awarded under the contract and will each compete for task orders.

McKeown didn’t offer specifics regarding security incidents. However, one recent example involved emails containing sensitive personnel data that were exposed publicly.

McKeown noted that the DOD is looking at some creative ways to work with these vendors to secure their offerings, which, while purpose built for the Pentagon and not exactly the same as commercial offerings, are still vulnerable to malicious actors on the internet.

The department had to look at the governance process and work with the providers on improving security, he added.

“How can we help you defend your cloud that you built for us? In all cases, those JWCC clouds are custom-built gov clouds, so they’re not the traditional commercial clouds. But still, they’re visible from the internet, they’re attackable from the internet. So, we partnered with them to understand better how we can help defend,” he said. “One of the things that we looked at initially was maybe we can use our tools to scan that IP space where your management network, your hypervisor resides. We got agreement, we’re starting to do that.”

The Pentagon’s main organization responsible for defending the network — Joint Force Headquarters-DOD Information Network — will get a full report on the open ports and protocols that are vulnerable and work directly with the providers to fix them, according to McKeown.

Enterprise cloud contract could ‘turbocharge’ AI in Pentagon
https://defensescoop.com/2023/05/03/enterprise-cloud-contract-could-turbocharge-ai-in-the-pentagon/
Wed, 03 May 2023 19:26:55 +0000

JWCC will allow the Defense Department to harness artificial intelligence capabilities from the four vendors awarded under the contract, according to David McKeown.

The post Enterprise cloud contract could ‘turbocharge’ AI in Pentagon appeared first on DefenseScoop.

BALTIMORE, Md. — The Pentagon’s enterprise cloud effort, the Joint Warfighting Cloud Capability (JWCC), will provide the Department of Defense artificial intelligence capabilities from top commercial vendors.

“With JWCC coming on board, it’s not just an infrastructure as a service contract vehicle. All of the SaaS offerings that these major vendors have, they’re going to bring them to the table as they build these custom-built clouds for us. The AI that Google has is going to be there. Others are delving into it. Oracle, AWS, Microsoft. Expect that it will be there,” David McKeown, acting principal deputy chief information officer and senior information security officer at the Pentagon, said Wednesday at the AFCEA TechNet Cyber conference.

JWCC, awarded in December of 2022, was the DOD’s highly anticipated enterprise cloud effort that replaced the maligned Joint Enterprise Defense Infrastructure (JEDI) program. Google, Oracle, Amazon Web Services and Microsoft were all awarded under the contract and will each compete for task orders.

Tech companies have been investing heavily in artificial intelligence capabilities. Google and Microsoft have unveiled chatbots using generative AI, which can provide users with texts, images and even carry on conversations based on prompts.

McKeown warned that data must be made available in all four vendors’ environments to facilitate the employment of AI analytics.

“As we move forward with our Joint Warfighting Cloud Computing contracts and we established large data repositories in these different cloud vendors’ environments, we can’t afford to duplicate that data. We’ve got to figure out a way to make that data available to all four of those clouds and searchable to all four of those clouds so that we can run the AI analytics over that,” he said. “We’re working on that and I think there’s some evolving solutions there.”

After taking advantage of the artificial intelligence capabilities that organizations have to offer, the next step, McKeown said, is to determine what problems they want to “turbocharge” solutions for by applying AI to them.

“We’ve got to structure our efforts in the future on very well-defined problems that we want to solve and then bring AI to the fight to solve that problem,” he added.

While artificial intelligence can be a powerful tool for the DOD, on the flip side, McKeown warned of concerns of potential adversary uses of the technology.

“The adversary having this is a big concern. What are they going to do to use that to figure out how to penetrate our information systems and steal our data?” he said. “AI is pretty scary in the capabilities that it has. It can be very beneficial, as we’ve discussed, but we need to also take a vantage point of our adversaries and figure out how they’re going to use it against us and start to defend against that.”

Earlier at the conference, Lt. Gen. Robert Skinner, director of the Defense Information Systems Agency, warned of how revolutionary these capabilities can be in the wrong hands.

“Generative AI, I would offer, is probably one of the most disruptive technologies and initiatives in a very long, long time,” he said on Tuesday. “Those who harness that [and] that can understand how to best leverage it … are going to be the ones that have the high ground.”

DOD will be checking agencies’ budgets to track implementation of new zero-trust strategy
https://defensescoop.com/2022/11/22/dod-will-be-checking-agencies-budgets-to-track-implementation-of-new-zero-trust-strategy/
Wed, 23 Nov 2022 02:16:50 +0000

The DOD just released a public version of its new zero-trust strategy.

The Pentagon publicly released its zero-trust strategy and reference architecture on Tuesday. As part of that approach, the department will be holding organizations accountable to ensure they meet the deadline for achieving a zero-trust architecture, according to senior officials.

To track how the services and other Defense Department agencies are moving towards fully implementing zero trust by 2027, DOD leaders will be asking them to show how much they’re spending to get there.

“We will hold them accountable by asking them to build a plan, which … [the Zero Trust Portfolio Management Office] will coordinate with them on the realistic nature of their plan. As a part of that capability planning guidance that we talked about earlier they have to come back to us and show us in their budgets how much they’re spending on zero trust and what they’re getting for that,” David McKeown, acting principal deputy chief information officer, told reporters Tuesday when the strategy was unveiled.

The strategy was officially signed out in October but the public version wasn’t released until the completion of a review to sanitize it of classified components.

Zero trust is a concept and framework that assumes networks are already compromised and require constant monitoring and authentication to protect critical information.

Officials have maintained the old paradigm of perimeter defense is no longer sufficient to protect against modern day threats.

“Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users,” John Sherman, DOD chief information officer, wrote in the strategy’s foreword. “Defending DOD networks with high-powered and ever-more sophisticated perimeter defenses is no longer sufficient for achieving cyber resiliency and securing our information enterprise that spans geographic borders, interfaces with external partners, and support to millions of authorized users, many of which now require access to DOD networks outside traditional boundaries, such as work from home. To meet these challenges, the DOD requires an enhanced cybersecurity framework built upon Zero Trust principles that must be adopted across the Department, enterprise-wide, as quickly as possible as described within this document.”

Randy Resnick, who leads the Zero Trust Portfolio Management Office, told reporters that senior officials will hold directors of agencies and field offices accountable for implementation over a period of time.

Organizations can do this in three ways, officials said: institute zero-trust modernization improvements on the existing network, engage in zero-trust commercial clouds, or engage in a zero-trust privately designed cloud.

“We are not prescriptive. As you read this strategy, we are not defining exact components that people have to buy [or] specific software or anything like that,” McKeown said. “We are defining capabilities here and we’re leaving it up to the services for how they implement those and integrate them together in order to achieve the desired zero-trust level … It’s been like pushing on an open door to try to get people to go to this. They see the need for it. The perimeter defenses were not working. Zero trust is the new alternative to better monitor and respond quicker to intrusions.”

The strategy provides the “how” for getting to a zero-trust architecture, he added.

The strategy defines a target level and advanced level of zero trust. The target level is the minimum set of capability outcomes to secure and protect data. The strategy states the DOD must get to the target level as soon as possible. Once that is achieved, the DOD will monitor continued compliance to get to advanced zero trust, which the document defines as the achievement of the full set of capability outcomes.

The DOD plans to reach the target level in the next five years, by 2027.

Resnick explained there shouldn’t be any major technical items that are unachievable to get to the target level.

“It’s just a matter of leadership’s ability to execute,” he said. “We have the dollars and every single year, we’re doing a review of what’s required going into the next years in the [future years defense program] to make sure that this is well-funded.”

The strategy lists seven pillars which provide the foundation areas for the model: user, devices, applications and workloads, data, network in the environment, visibility and analytics, and automation and orchestration.

The plan also includes four high-level strategic goals for how DOD will achieve its zero-trust vision. They include zero-trust cultural adoption, DOD information systems secured and defended, technology acceleration and zero-trust enablement.

The strategy notes there will be metrics to ensure progress toward achieving a zero-trust architecture within the aforementioned goals. A scorecard will be provided to the DOD cyber council to measure the plan’s progress and identify additional risks that need to be mitigated.

DOD exploring requirements for managed service providers under CMMC
https://defensescoop.com/2022/06/02/dod-exploring-requirements-for-managed-service-providers-under-cmmc/
Thu, 02 Jun 2022 18:39:55 +0000

The Pentagon's officials overseeing the development of CMMC are planning to meet soon to address potential requirements for managed service providers under the program.

The Department of Defense has created a new framework of cybersecurity requirements and certifications contractors must achieve under the Cybersecurity Maturity Model Certification (CMMC). But what about the DOD contractors that mostly outsource their IT and cybersecurity to managed service providers?

The Pentagon’s CMMC leadership, now housed in its Office of the CIO, is planning to meet soon to address potential requirements for managed service providers under the CMMC framework that could ease the burden for those contractors that do very little of their own IT.

“What we are looking for are ways to ease the burden on the [defense industrial base],” Stacy Bostjanick, chief of implementation and policy in the Office of the CIO, said Wednesday during a town hall event with NeoSystems. “And so cybersecurity-as-a-service is a logical place that we’re moving to,” she said, adding that the office is considering pilots to explore those kinds of arrangements.

Bostjanick said more and more defense contractors have moved to a managed service provider for IT, and that means “we’re going to have to make sure that we have a model and requirements that fit that paradigm to ensure that those providers are secure as well as the companies using them.”

In the next few weeks, she will meet with DOD Chief Information Security Officer David McKeown and others “where we’re proposing what kind of requirements we would ask managed service providers, cybersecurity-as-a-service people who use cloud capabilities … so companies can be secure in using them, so that they meet the requirements.”

The hope is the Pentagon will be able to finalize those to include in the updated interim rule under what’s being referred to as CMMC 2.0 — an eased set of requirements for defense contractors introduced late last year. Bostjanick is eyeing March 2023 for the release of that rule, and then DOD would begin implementing CMMC in some contracts that May.

Once McKeown gives his approval to any different rules for managed service providers, the department will begin sharing those with industry for feedback.

As DOD looks ahead to issuing a CMMC rule next year, things continue to evolve for the program. For instance, last month Bostjanick detailed how the department is thinking now about the different types of controlled unclassified information that contractors handle, like prioritized and non-prioritized CUI.

Under CMMC 2.0, contractors that handle CUI will have to be certified in meeting one of three tiers of requirements.

But even the DOD has shown that meeting those requirements can be difficult. According to the Government Accountability Office, though the DOD is not legally required to meet CMMC standards itself, its components have only met 78% of the 110 requirements for systems that manage advanced levels of CUI.
