The Chief Information Security Office at the Office of the Undersecretary of Defense for Acquisition and Sustainment no longer exists.
That CISO position and its office now report to the DOD Office of the Chief Information Officer, according to a Feb. 2 memo from Deputy Secretary Kathleen Hicks.
Katie Arrington, who had held the office’s CISO position since Jan. 2019, was put on leave in June 2021 pending an internal investigation into her alleged disclosure of classified information.
The fate of the Cybersecurity Maturity Model Certification (CMMC) program, which requires federal contractors to meet certain cybersecurity standards and metrics before doing business with the federal government, has remained uncertain until now.
Many in the industry expressed concerns about the cost of certification, especially for small businesses. Late last year, the agency overhauled the program so fewer companies would need to comply. A final rule has yet to be released.
“As we realign responsibility for the program, it’s important to note that we will continue to work closely with A&S on this program. The CMMC team, led by Stacy Bostjanick, will be aligned under the Deputy CIO for Cybersecurity to increase the program’s integration with other Defense Industrial Base Cybersecurity programs,” said DOD CIO John Sherman in a prepared statement. “We are moving out in the coming weeks on the rulemaking process and look forward to continuing critical collaboration with industry stakeholders.”
In addition to the CMMC program, the OUSD (A&S) Supply Chain Risk Management program’s telecommunications infrastructure component will also transfer to the DOD OCIO, according to the memo.