“If confirmed I would move out on a new strategy to look at our cyber and digital talent,” Sherman said during his Senate confirmation hearing Thursday. “This is a whole of nation effort and we must come at it much differently.”
Sherman, who served as acting CIO before his nomination, appears to have a clear path to confirmation as key members of the Senate Armed Services Committee from both sides of the aisle expressed their support Thursday. He would manage the largest IT budget in the federal government and serve as the top official overseeing security and acquisition for some of the world’s largest networks, many of which are classified.
In talking about his talent strategy, Sherman said one of the different approaches he wants to take is allowing easier movement between the government and private sector for tech and cybersecurity workers. He said the strategy of recruiting new talent for a 30-year career with the government is no longer viable.
“While cybersecurity is certainly about technology, I feel so strongly that the people factor is what makes it go,” Sherman said.
Implementing zero trust
Sherman’s pursuit of a deeper talent cyber talent pool ties closely to his priority of implementing zero-trust security across the DOD.
Zero trust assumes adversaries are already in a network and that no user should be given broad access to data. Sherman said that while elements of the new architecture are in place, it needs broader scaling to protect DOD from adversary attacks.
“Cybersecurity is a paramount concern,” he said, adding that while “elements of zero trust are being implemented … we need to scale it out much larger.”
Sherman said that expanding zero trust was a top priority of his while acting CIO.
Sherman also committed to working in support of the new DOD’s contractor cyber compliance regime, the Cybersecurity Maturity Model Certification (CMMC).
However, Sherman hedged on whether he supports reciprocity between DOD’s CMMC program and the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP), the authorization process federal contractors must complete to provide cloud services to civilian agencies.
CMMC would require contractors to pay for a third-party test of their networks, an added cost that could hurt small businesses working with DOD. Many trade groups have asked for reciprocity between the two testing regimes to be established to avoid redundant costs and time.
“If confirmed I would always try to seek symmetry,” he said, but added that DOD’s security requirements will always be higher than the civilian government’s.
CMMC remains under the oversight of DOD’s acquisition and sustainment group, but there have been attempts to transfer part of the program to the CIO’s shop.