DOD issues directive to define CIO role

The Defense Department on April 22 issued a new directive outlining the roles and responsibilities of the Pentagon's chief information officer, updating nearly decade-old governance to include some of DOD's most pressing concerns.

Perhaps most notable in DOD directive 5044.2 is the specific injection of cybersecurity, a phrase that does not appear in the directive's previous iteration, issued in 2005. In the interim there have been some updates – in particular, the disestablishment of the position of assistant secretary of defense (networks and information integration). The powers of ASD (NII) were officially transferred to the DOD CIO job under a January 2012 memo from Ashton Carter, deputy secretary of defense.

A DOD spokesman said the directive is just part of routine housekeeping, but the newly issued governance and its emphasis on cybersecurity, including collaboration and information-sharing, seems to represent an update in the priorities of the defense secretary's top adviser for all things IT.

The CIO "directs, manages and provides policy guidance and oversight of the DOD cybersecurity program, which includes responsibility for the Defense Information Assurance Program...and information security," the directive states.

The governance directs coordination on cybersecurity in a number of different ways, including participation in oversight groups dealing with cybersecurity, as well as specific orders to work with the commander of U.S. Cyber Command "on all matters under the commander’s purview related to the authorities, responsibilities, and functions assigned in this directive, including...requirements and capabilities for cyber operations, information network defense and monitoring, and cyberspace threats and domain requirements."

The evolution in coordination between DOD components – as well as roles and responsibilities that are similarly changing with the times – is something the DOD CIO herself, Teri Takai, addressed April 23 at an industry event in Arlington, Va.

"As we change the architecture, who in fact does cybersecurity, who does defense, who is able to see into networks – that is going to be evolving, and that has to do with what we're doing with CyberCom, how CyberCom operates with [the Defense Information Systems Agency], and how both of those organizations operate with the services and combatant commands," Takai said. "I say it's evolving because it's not something that we can set in stone today, because it's very much based on what infrastructure we have to operate in." Other new-era provisions in the directive include a measure to tackle the much-discussed shortage in cybersecurity professionals, an issue that was not mentioned in the 2005 directive.

Under the new directive, the DOD CIO "provides guidance and oversight with regard to the recruiting, retention, training and professional development of the DOD IT and cybersecurity workforce," the text notes. "The DOD CIO will assess the requirements for agency personnel regarding [information resources management] knowledge and skill and conduct formal training programs to educate agency program and management officials about IRM."

The directive also defines the government officials and other parties with which the CIO does and does not directly interface, another provision that did not appear in the 2005 measure.

According to the directive, the CIO is to "communicate with other executive branch officials, state and local officials, representatives of non-governmental organizations, members of the public and representatives of foreign governments, as appropriate, in carrying out assigned responsibilities and functions."

And while 2005's guidance described the CIO role as a DOD representative to the legislative branch, the new directive prescribes that "communications with representatives of the legislative branch must be conducted through the Assistant Secretary of Defense for Legislative Affairs or the [DOD comptroller], as appropriate, and be consistent with the DOD legislative program."