Navy CIO talks innovation, cybersecurity and CMMC

Navy CIO Aaron Weis said DOD's upcoming unified cyber standard will help close the innovation gap by adopting industry standards, but ultimately the onus is on the Defense Department to set the tempo.

cybersecurity (vs148/

Aaron Weis, the Navy's newly appointed CIO, expects the Defense Department's new unified cybersecurity certification to help bring government's tech standard closer to industry's.

"There's not a single silver bullet," Weis said during a panel talk at AFCEA DC's Navy luncheon Nov. 13. "But I think you can lead by well-placed examples. You can lean on the Tier 1 providers, lean on the Tier 2s, Tier 3s to look at things culturally. And there are a number of ways that [the Navy] can go out and really put a pin on where things need to change.

The DOD's planned Cybersecurity Maturity Model Certification (CMMC) program could help and has the "right perspective," Weis said.

"I'm a believer in that model. CMMC is basically saying that -- it's asking individual Tier 2 or Tier 3 suppliers to go accredit themselves and then get that accreditation validated by a third party. And that is exactly how it happens in other industries," he said.

That method more closely mirrors how commercial industries regulate themselves, such as automotive sector where plants must be certified before car manufacturers use them, Weis said drawing on his experience working for Honeywell and Sensata.

"They're not going to pay for you to get certified, you're going to do that on your own because you want to do that work. And that's kind of a ticket to entry," Weis said. "It's bringing that sort of industry-driven model to how we ask suppliers in the supply chain to accredit themselves."

CMMC is still in the draft phases and is open for public comment, but it has already raised concerns about how certification costs could disproportionately affect small businesses and startups.

Weis said CMMC would need to be used in conjunction with other efforts, including additional obligations for the larger Tier 1 suppliers, but ultimately the onus is on the Defense Department to set the stakes.

"I think the job starts with us. So we as the Department of Navy ought to expect that from the suppliers that we have relationships with. And then likewise, we need to set the expectation and maybe the obligation that they're going to expect the same from their suppliers."

DOD plans to roll out the final versions of CMMC next year with the requirements becoming part of requests for proposal by the fall of 2020.