April 22, 2024 By Jennifer Gregory

The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.

“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting Undersecretary of Defense for Policy Sasha Baker in a statement.

As part of the Fiscal 2023 National Defense Authorization Act, Congress instructed the Pentagon to increase the focus on cybersecurity in the Office of the Secretary of Defense by creating a new office. The NDAA increased the number of Assistant Secretaries of Defense to 18 and the number of Deputy Assistant Secretaries of Defense to 60.

The role was created due to concerns about the lack of focus in the Pentagon on a civilian-facing cyber effort. With the new role, the DoD now has more resources dedicated to improving cyber resiliency through policy.

ASD cyber position was delayed a year

However, the actions came a year later than officials and taxpayers expected. The delay happened because the Pentagon commissioned a study to determine the roles and responsibilities of the assistant secretary of defense for cyber policy (ASD CP), specifically regarding whether electronic and information warfare would be included.

When asked about the delay, John Plumb, principal cyber advisor to the secretary of defense and assistant secretary of defense for space policy, responded that they were moving forward but wanted to do it right. He explained that they were working to create the ASD cyber role deliberately to ensure the most positive results. The committee used the template for the ASD for Space and then added specifics relevant to cyber policy.

Supervising policy for cyber operations

With the establishment of the office, the DoD released the official responsibilities of the ASD CP. The new position will handle:

  • Developing, coordinating, assessing and overseeing the deployment of DoD cyberspace policy and strategy and ensuring these efforts align with national security objectives
  • Overseeing and certifying the department’s Cyberspace Operations Budget and providing fiscal and budgetary oversight to USCYBERCOM’s $3 billion annual execution with their “Enhanced Budget Control” (Budget Authority, as recently approved by the FY24 DoD Appropriations Act)
  • Monitoring programs and activities associated with the implementation of cyberspace workforce development, recruitment and retention
  • Overseeing integration of cyberspace operations and capabilities into operations and contingency plans
  • Developing DoD cyberspace policy guidance on private sector outreach, engagement and agreements
  • Leading the DoD implementation of national-level cyberspace policies
  • Leading the development, implementation and oversight of cyberspace-related activities for security cooperation
  • Exercising authority, direction and control over the official designated as Deputy Principal Cyber Advisor with respect to that official’s Deputy PCA duties

Sulmeyer served in various roles in the Office of the Secretary of Defense

In his current role as principal cyber advisor to the secretary of the army, Sulmeyer serves as the advisor for issues related to cyber and the Army, including readiness, capabilities and strategy. He previously worked as the director of the cybersecurity project at the Harvard Kennedy School’s Belfer Center for Science and International Affairs along with roles in the Office of the Secretary of Defense, in the National Security Council and at U.S. Cyber Command.

Sulmeyer is currently awaiting confirmation for the position. Ashley Manning is performing the duties of the office until Sulmeyer is confirmed by the Senate.
