Hegseth calls on DOD CIO to protect tech supply chain from influence of China

The order comes after an eye-opening investigation revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.
Secretary of Defense Pete Hegseth looks on during a meeting with President of the Philippines Ferdinand "Bongbong" Marcos at the Pentagon in Washington, DC on July 21, 2025. (Photo by SAUL LOEB / AFP)

Secretary of Defense Pete Hegseth issued a directive late last week ordering the Pentagon’s chief information officer to take additional measures to ensure the department’s technology is protected from the influence of top adversaries.

The secretary’s order, signed Friday but first made public Tuesday, came after an eye-opening investigation by ProPublica revealed Microsoft had been relying on China-based engineers to support DOD cloud computing systems.

Short on specific details, Hegseth’s order enlists the CIO — with the support of the department’s heads of acquisition and sustainment, intelligence and security, and research and engineering — to “take immediate actions to ensure to the maximum extent possible that all information technology capabilities, including cloud services, developed and procured for DoD are reviewed and validated as secure against supply chain attacks by adversaries such as China and Russia.”

Hegseth first referenced his order in a video posted to X on Friday, in which he said, “some tech companies have been using cheap Chinese labor to assist with DoD cloud services,” calling for a “two-week review” to make sure that isn’t happening anywhere else in the department’s tech supply chains.

The secretary, in both his video and the new memo, stopped short of calling out Microsoft specifically. However, a spokesperson for the company has since stated publicly that it has made changes to “assure that no China-based engineering teams are providing technical assistance for DoD Government cloud and related services.”

“This is obviously unacceptable, especially in today’s digital threat environment,” Hegseth said in the Friday video, claiming that the system at the center of the incident is “a legacy system created over a decade ago during the Obama administration.”

He added: “We have to ensure the digital systems that we use here at the Defense Department are ironclad and impenetrable, and that’s why today I’m announcing that China will no longer have any involvement whatsoever in our cloud services.”

The memo itself calls on the department to “fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated and determine what, if any, additional actions may be required to address these risks.” Specifically, it cites the Cybersecurity Maturity Model Certification (CMMC) — the final rule for which, as of Wednesday, is undergoing regulatory review with the Office of Management and Budget — acting CIO Katie Arrington’s new Software Fast Track program, and the FedRAMP process as existing efforts the Pentagon CIO should rely on to ensure the department’s tech is secure.

Within 15 days of the order’s signing, DOD’s Office of the CIO must issue additional implementing guidance on the matter, led by department CISO Dave McKeown.

On top of that, it taps the undersecretary of defense for intelligence and security to “review and validate personnel security practices and insider threat programs of the DIB and cloud service providers to the maximum extent possible.”

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. Prior to joining Scoop News Group in early 2014, Billy embedded himself in Washington, DC's tech startup scene for a year as a tech reporter at InTheCapital, now known as DC Inno. After earning his degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.
