
Defense Secretary Pete Hegseth is directing the Department of Defense (DoD) chief information officer (CIO) to ensure the DoD’s IT capabilities are protected from supply chain attacks by adversaries such as China and Russia.
In a memo signed on July 18 but made public on Tuesday, Hegseth tasks the DoD CIO to work with the under secretaries of defense for acquisition and sustainment, intelligence and security, and research and engineering on the effort.
“The DoD will not procure any hardware or software susceptible to adversarial foreign influence that presents risk to mission accomplishment and must prevent such adversaries from introducing malicious capabilities into the products and services that are utilized by the Department,” Hegseth wrote.
“To that end, the Department will fortify existing programs and processes utilized within the Defense Industrial Base (DIB) to ensure that adversarial foreign influence is appropriately eliminated or mitigated and determine what, if any, additional actions may be required to address these risks,” he added.
Specifically, Hegseth said that the DoD CIO will leverage efforts such as the department’s Cybersecurity Maturity Model Certification, the newly announced Software Fast Track Program, the Authority to Operate process, the Federal Risk and Authorization Management Program, and the Secure Software Development Framework.
Additionally, Hegseth said the under secretary of defense for intelligence and security “will review and validate personnel security practices and insider threat programs of the DIB and cloud service providers to the maximum extent possible.”
While the memo does not contain specific details, Hegseth is directing the DoD CIO to issue additional implementing guidance within 15 days.
The memo comes as the DoD has launched a two-week review to investigate and eliminate the possible use of China-based engineers by vendors in any DoD systems contracts.
“This is obviously unacceptable in today’s digital threat environment,” Defense Secretary Pete Hegseth said in a video posted to X on July 18. “We have to ensure that our systems here at DoD are iron-clad and impenetrable […] China will no longer have any involvement whatsoever in our cloud services, effective immediately.”
The review was prompted by a ProPublica investigation revealing that Microsoft used China-based engineers to assist with patching DoD systems.
Although the engineers had no direct access to the systems, they worked through “digital escorts” – U.S. citizens with security clearances who manually input commands on their behalf. The report raised concerns that these escorts often lacked the technical skills to detect malicious activity, despite meeting security requirements.