Exclusive
Stacy Bostjanick, the chief of defense industrial base cybersecurity in the DoD’s CIO office, will transition to the private sector.
The leading force behind the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program for much of the last six years is retiring.
Federal News Network has learned Stacy Bostjanick, the chief of defense industrial base cybersecurity in the DoD’s Chief Information Officer’s office, is leaving federal service after 37 years on April 30.
Sources say Buddy Dees, the director of the program management office, is expected to take over as the new director of the DIB cybersecurity program on an interim basis.
Sources say Bostjanick is likely to move into a new job in the private sector.
An email to DoD’s CIO office seeking comment wasn’t immediately returned.
“Stacy is truly one of the nation’s greatest national assets. Her knowledge base of how government works and how to make it work for the right things is unparalleled. She will continue to be the heartbeat of the CMMC and ensuring that what is right is done for the right reasons,” said Katie Arrington, the former DoD CIO and now CIO at IonQ, in a statement to Federal News Network.
Bostjanick started her career in 1989 as a General Schedule-5 working as a secretary for the applied math branch at the Naval Surface Warfare Center White Oak division.
She transitioned into contracting and rose through the ranks, working at the Missile Defense Agency as a senior contracting office from 2011 to 2013 and then became the head of contracting for the Defense Intelligence Agency for 8 years starting in 2013.
Her acquisition background led her to work with Katie Arrington on the CMMC program in 2018 after working on the Protecting Critical Technology Task Force.
During her time leading CMMC, Bostjanick helped usher the program from initial idea through two iterations to current plans for implementation.
The Pentagon estimates that 80,000 defense contractors may be required to obtain a CMMC assessment. Officials plan to phase in the requirements over a three-year period.
Roughly 1,000 companies have voluntarily obtained a third-party CMMC certification or are in the process of getting assessed, according to numbers shared by the Cyber AB at its February meeting.
In addition to Bostjantick, the DoD CIO’s office also is losing Dave McKeown, the DoD chief information security officer and deputy chief information officer for cybersecurity, to retirement at the end of May. McKeown is retiring from government after more than 40 years.
DoD named Aaron Bishop as the DoD CISO and deputy CIO for cybersecurity on Feb. 27. Bishop came over to DoD after serving as the Air Force’s CISO for the past four-plus years.
“Mr. Bishop brings an extensive and unique blend of industry, federal and transformational experience that will be critical as the Department focuses on Secretary Hegseth’s charge for lethality, efficiency, and warfighter readiness,” wrote DoD CIO Kirsten Davies in a post on LinkedIn.
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
