Kirsten Davies, nominee for Pentagon CIO, advocates for ‘great change’ at the department

Kirsten Davies, President Donald Trump’s pick to be the next Department of Defense chief information officer, told lawmakers that she plans to shake up the Pentagon’s IT enterprise, if her nomination is confirmed.
The department faces major challenges as it looks to acquire new capabilities and address growing threats, Davies noted Thursday during her opening remarks at her confirmation hearing with the Senate Armed Services Committee.
“America’s warfighter readiness and lethality depend upon secure, resilient, modernized systems and innovative technical and cyber capabilities. The department has challenges to overcome. It is weighed down with legacy systems and un-optimized data. There are great people, but at today’s speed of change, skills must be constantly refreshed and future fit. New entrants with innovative tech solutions struggle with red tape and lack of access. Cyberattacks are pervasive, and America’s adversaries are motivated and capable to inflict massive impact, and there is little deterrence. Great change is needed in this time and in this hour,” she said.
If confirmed, Davies said her priorities will be to actively address “tech debt” at the department; “surgically” prioritize modernization initiatives that support readiness; work across the DOD to “embed the building blocks of AI supporting data supremacy and decision dominance” for U.S. military forces, partners and allies; forge a new generation of industry technology and cyber partnerships; work across the government to “catalyze” cyber deterrence; and “bring the voice of the warfighter into the very DNA” of the Pentagon CIO’s office.
In her written responses to advance policy questions ahead of Thursday’s hearing, she told lawmakers that, if confirmed, she would move to eliminate duplicate legacy contracts, consolidate “medium-risk contracts” into enterprise vehicles, and scale those that already align with the department’s software acquisition guidance.
“This could be done by implementing commercial best practices like adopting ‘review once, use many times’; mandating enterprise contract clauses requiring zero-trust compliance, SBOMs, etc.; leveraging category management by IT commodity, and engaging with mission owners early on to avoid resistance,” she wrote.
Davies has extensive experience in senior cybersecurity roles in the private sector, and her nomination for the DOD CIO role has received strong backing from industry experts.
She told lawmakers that, if confirmed, she would emphasize making commercial solutions “the presumptive first choice” when it comes to acquisition and adoption of capabilities for cybersecurity, IT and business systems. Government-unique solutions should only be developed and retained if commercial offerings can’t satisfy the department’s unique mission needs, according to Davies.
“Decision-making should be based on key criteria like mission criticality, security and supply-chain risk, technology pace, lifecycle costs, and interoperability and enterprise standards,” she wrote.
Promoting rapid software acquisition via commercial solutions openings and other means has been a focus area for Defense Secretary Pete Hegseth, who issued a directive in that regard earlier this year.
Davies also laid out some of the benefits of procuring IT-as-a-service, noting that the approach could allow Defense Department personnel to focus on “core missions.”
“Information technology-as-a-service has the potential to provide greater security and resiliency partnered with faster access to innovation, scalability, flexibility, and predictable costs and allows components in the Department to focus on core missions. This can be seen in as-a-service use to support commodity and enterprise services (e.g., cloud hosting, identity management, collaboration, helpdesk, network transport),” she wrote in response to lawmakers’ policy questions.
Davies added that, if confirmed, she would work with the Pentagon’s undersecretary for acquisition and sustainment to update acquisition processes so that they “enforce security and interoperability standards and maintain in-house technical expertise so that outsourcing strengthens mission assurance.”
Pentagon officials are pushing for software vendors to provide software bills of materials (SBOMs) as they look to enhance cybersecurity.
Davies told lawmakers that SBOMs are important for managing supply chain risk, but they aren’t sufficient.
“If confirmed, I will ensure the Department not only collects SBOMs in contracts but also develops the people, processes, and tools needed to analyze them and act on the results. SBOMs should be integrated with other assurance practices, such as secure development, automated code scanning, and continuous monitoring so the Department can reduce risk and improve reliability in software-intensive systems,” she wrote.
Notably, Davies indicated that she wants to build on the Software Fast Track initiative that was recently launched by Katie Arrington — who is currently performing the duties of DOD CIO — by promoting automation, standardized templates, interoperability and continuous integration to accelerate authority-to-operate decisions.
Reusing security assessments across the department and streamlining procurement paths will help speed delivery of new software to warfighters, Davies told lawmakers.