DOD CIO Nominee Aims to Lessen CMMC Burden for Small, Medium-Sized Businesses
John Sherman, President Joe Biden’s pick for the role of Department of Defense chief information officer, said at his confirmation hearing that he intends to make the Cybersecurity Maturity Model Certification requirements less burdensome for small and medium-sized businesses.
Small businesses have been clamoring for a more lenient CMMC audit and have sought to be excused from complying with higher levels of the CMMC program to avoid incurring significant costs.
The DOD has committed to addressing their concerns, saying small companies will likely only have to abide by CMMC Level 1 requirements.
In addition to making tweaks to the CMMC program, Sherman, if confirmed, would want to establish a “cybersecurity-as-a-service” model to guide businesses on how to manage sensitive data, FCW reported. He plans on working with the National Security Agency and U.S. Cyber Command to carry out his vision.
The DOD tech chief nominee also proposed to reduce information costs and expand the Fourth Estate Network Optimization effort, which is aimed at consolidating the various commodity or common IT networks used by fourth estate agencies across the DOD.
Biden announced Sherman as his pick for the CIO post in mid-September.
Sherman previously served as DOD’s principal deputy CIO in 2020. He has been the department’s interim tech chief since January. Under his leadership, the DOD implemented major enterprise initiatives amid the telework setup and canceled the embattled Joint Enterprise Defense Infrastructure cloud contract.