Defense Department CIO Sets New Requirements for Internal Data Security

John Sherman, the Department of Defense’s chief information officer, wants his counterparts across the organization to attest that systems and networks adhere to the least privilege principle, which aims to limit user access to only the files necessary to accomplish their jobs. In a memorandum issued on Monday, he set a May 26 deadline for such authorities to certify that their respective organizations have implemented sufficient security controls and optimized user activity monitoring.

A 2023 Wash100 awardee and confirmed speaker at the upcoming Fourth Annual CIO Summit, Sherman noted that data repository owners should reduce classified data access to a need-to-know basis and not rely on clearance levels. He also ordered them to review existing software execution privileges and remove unneeded accounts.

Such owners are also required to ensure audit capabilities on systems handling classified information and install unified access management functions “on classified endpoints.”

According to Sherman, the undersecretary of defense for intelligence and security and the Office of the Director of National Intelligence’s CIO will work with him on designing guidance for systems that house sensitive compartmented information, DefenseScoop reported.