DoD CMMC leadership turnover

Stacy Bostjanick, a key DoD CMMC leader, is retiring after 37 years and DoD CISO Dave McKeown is also leaving soon—timing that coincides with plans to assess 80,000 contractors over three years and could affect continuity on CMMC enforcement. The departures increase uncertainty during a major compliance surge for the defense industrial base. (x.com)

DoD sources show Stacy Bostjanick’s departure is scheduled to be effective April 30, 2026, and program-management-office director Buddy Dees is expected to assume interim leadership of the Defense Industrial Base cybersecurity portfolio. (federalnewsnetwork.com)

David McKeown is leaving government after more than four decades of federal service, according to Pentagon announcements, and will be succeeded in an acting capacity by James “Aaron” Bishop. (defenseone.com) Bishop officially assumed the duties of acting DCIO (CS)-CISO on Feb. 27, 2026, and his appointment was framed by DoD posts that cite prior roles at the Department of the Air Force, Microsoft’s national security group and SAIC. (executivegov.com)

The CMMC acquisition rule became effective Nov. 10, 2025, and the department has signaled a phased implementation over three years with an estimated subset of roughly 80,000 contractors expected to require formal CMMC assessments. (governmentcontracts.foxrothschild.com) Buddy Dees has been running CMMC PMO workstreams since publication of the final rule and has publicly briefed on scaling assessment capacity and readiness for the three-year rollout, placing the PMO at the operational center of the upcoming assessment surge. (nationaldefensemagazine.org)
