Stacy Bostjanick

Overview

Stacy Bostjanick serves as Chief for Defense Industrial Base Cybersecurity and Deputy Chief Information Officer for Cybersecurity within the DoD Office of the Chief Information Officer. As a Senior Executive Service leader, she is the primary authority responsible for leading and executing the Cybersecurity Maturity Model Certification (CMMC) program across the Defense Industrial Base, ensuring consistent implementation and strengthening the cybersecurity posture of DoD partners handling sensitive information.

Career highlights

The architect behind CMMC

Stacy Bostjanick played a pivotal role in creating the Cybersecurity Maturity Model Certification (CMMC) program from the ground up. After DoD IG and Navy Cyber Readiness assessments in 2018 revealed widespread noncompliance with cybersecurity requirements among defense contractors, she worked directly with Katie Arrington to address the crisis. Her work with experts at Carnegie Mellon University’s Software Engineering Institute and Johns Hopkins Applied Physics Laboratory helped establish the foundational framework that became CMMC.

That’s how we ended up coming up with the paradigm of CMMC.
Work history

Stacy Bostjanick’s government career spans decades across multiple defense and intelligence organizations, beginning with administrative roles and evolving into senior contracting and cybersecurity leadership positions.

  • Early career: Started as a secretary in the Applied Mathematics Branch at Naval Surface Warfare Center (NSWC) White Oak, later transitioning into contracting roles
  • NSWC period: Career at White Oak ended after a major explosive powder detonation incident led to the base’s closure under BRAC
  • NIST: Moved to the National Institute of Standards and Technology following NSWC closure
  • Naval Air Systems Command: Spent 13 years as Contract Specialist and Contracting Officer, building deep acquisition expertise
  • Intelligence Community roles: Served at the Office of the Director of National Intelligence (ODNI), completed Joint Duty Assignment at FBI laboratory in Quantico
  • Missile Defense Agency: Continued senior contracting leadership
  • Defense Intelligence Agency: Served as Head of Contracting before mandatory rotation for senior executives
  • Pentagon/PICTI: Joined the Protecting Critical Technologies Task Force, where she met Katie Arrington and began early CMMC development
  • Current role: Leads DoD’s Defense Industrial Base cybersecurity efforts and CMMC program implementation
At one point, I left the PICTI and began working directly with Katie to get on top of this issue.
Education
Educational Background

Details available upon request

Security Clearance

Appropriate for senior DoW role

Leadership & modernization

Under Stacy Bostjanick’s leadership, the DoD has transformed from NIST 800-171 rev 2 to CMMC 2.0, simplifying compliance requirements from five levels to three. She introduced processes such as Plans of Action and Milestones (PoAMs) and conditional award statuses, successfully advocating for risk-based waivers when contractors face technological or resource constraints. Her approach balances security needs with program feasibility while maintaining stringent protection standards.

As a citizen and someone who has worked in the DoD and the Intelligence Community my entire career, I understand the threats faced by the men and women we send into harm’s way.
Small business support & innovation

Stacy Bostjanick has been instrumental in developing creative solutions to help small businesses meet CMMC requirements without overwhelming their limited resources. Her leadership has driven multiple innovative approaches to cybersecurity compliance, including partnerships with cloud service providers and managed security providers.

Key initiatives:

  • Modernization programs: Leading DoD’s efforts to provide low-cost cybersecurity solutions and cloud-based platforms that enable small and medium businesses to participate in defense programs securely
  • Risk-based approach: Advocating for tailored cybersecurity requirements that assess program-specific vulnerabilities rather than applying one-size-fits-all solutions
  • Industry collaboration: Working extensively with cloud service providers to create scalable solutions that help contractors achieve compliance while maintaining operational efficiency

We’re trying to find any means possible to help alleviate some of the pain and struggle for our small businesses.
She advocates for modernization initiatives that enable small and medium businesses to participate in defense programs securely, such as cloud-based solutions and low-cost certification pilots.
At a glance

Attribute | Details
Portfolio scope | Oversight of 220,000-300,000 companies in Defense Industrial Base
CMMC Level 2 | ~880,000 companies handling Controlled Unclassified Information
CMMC Level 3 | ~300,000 companies managing higher-sensitivity CUI
Key programs | F-35, F-22, Standard Missile 3, missile defense programs
Geographic reach | United States plus international allies (UK, Norway, France, Japan, Israel, Australia)
Career focus | Contracting, cybersecurity, supply chain risk management

Contractor intelligence

For contractors working with DoD or pursuing defense opportunities:

Stacy Bostjanick’s leadership signals major procurement shifts toward cybersecurity-first contracting. Her emphasis on CMMC compliance creates opportunities for cybersecurity service providers, cloud platforms, and managed security providers. The transition from five CMMC levels to three streamlines certification paths, while Plans of Action and Milestones (PoAMs) offer flexible compliance timelines for contractors.

Key contracting areas to watch:

  • CMMC assessment and certification services
  • Cloud-based cybersecurity solutions for small businesses
  • Managed security provider (MSP) services
  • Supply chain cybersecurity monitoring tools
  • CUI protection and data management platforms
  • Training and compliance consulting services

Her risk-based waiver approach suggests DoD values practical cybersecurity solutions over rigid compliance frameworks. Contractors demonstrating innovative approaches to protecting sensitive defense data while maintaining program feasibility will find favor under her leadership.
